making pf faster so, digging further, wanna gain even more turned out pf was checking the protcol checksums for tcp, udp, icmp for each and every packet reason: some dickhead who thinks that "invisible" or "stealth" firewalls are a good idea figured out a way to detect wether one of these is in the way send a packet with invalid protocol checksum that gets blocked by the firewall if the firewall uses block return, i. e. sends back an RST or icmp unreachable, it replies end host would not, due to the checksum error