I believe that you are allowing the redirected traffic, i.e. the rdr indicates to pf to redirect the traffic, and pass tells pf to allow the traffic. This was changed in later versions of the pf filter (not yet incorporated into FreeBSD) where the rule syntax is rdr to
Someone with a better knowledge of the pf syntax grammar can correct me.