Thanks to all of you for this interesting discussion. My OpenBSD firewall will 
only be doing PF, as I totally agree that a firewall should have as few 
userland applications running as possible, of course if your budget permits it. 
So far I have around 340 rules (as the number of lines in the output of a "pf 
-sr") and a state table of around 12-20k entries depending on the time of day. 
As per your recommendations I will go with a higher CPU frequency and fewer 
cores, as packet filtering still only takes place on one single core. I might 
also experiment with whether I should use bsd.mp or the standard non-SMP bsd.

I also agree with Nick that CPU is of course not the only criterion, but the rest 
I have luckily already sorted out :) For example by using nice and modern Intel 
10 Gbit/s NICs, CompactFlash industrial grade flash storage, redundant setup 
with 2 firewalls and CARP, etc. OpenBSD does a great job here, I don't even 
want to imagine the price of such a setup with C***o hardware.

Cheers
