    block in all
    block out all

    ## allow traffic on $ext_if to $webserver on 80/tcp and 443/tcp
    pass in on $ext_if proto tcp from any to $webserver port {80, 443} \
        keep state
This would not work. Why? We need to pass out on $ext_if as well (since pf(4) filters in both directions).
In this specific case, the "keep state" option will allow traffic back out on $ext_if, from $webserver, provided it is related to the original tcp port {80, 443} traffic that triggered it. You do not need any other "pass out on $ext_if" rules for $webserver for this purpose.
Are you unsure what "stateful" behavior is?
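The stateful behaviour described in the reply above can be traced with a small model. This is an added example, not code from the thread or from pf(4) itself: it is a simplified Python sketch of the state-table lookup followed by last-match rule evaluation, and the interface name, addresses, and the `Firewall` class are constructed for illustration. Real pf also tracks TCP sequence numbers and state timeouts, which the model ignores.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "direction iface proto src sport dst dport")
EXT_IF, WEBSERVER = "em0", "192.0.2.10"   # constructed stand-ins for $ext_if / $webserver
CLIENT = "198.51.100.7"                   # constructed client address

# The ruleset from the post, in file order:
# (action, direction, iface, proto, dst, dports, keep_state); None means "any"
RULES = [
    ("block", "in", None, None, None, None, False),
    ("block", "out", None, None, None, None, False),
    ("pass", "in", EXT_IF, "tcp", WEBSERVER, {80, 443}, True),
]

def rule_matches(rule, pkt):
    _, direction, iface, proto, dst, dports, _ = rule
    return (direction == pkt.direction
            and iface in (None, pkt.iface)
            and proto in (None, pkt.proto)
            and dst in (None, pkt.dst)
            and (dports is None or pkt.dport in dports))

def state_key(pkt):
    # Order-independent endpoint pair, so the reply maps to the same state entry.
    ends = frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.iface, pkt.proto, ends)

class Firewall:
    def __init__(self, rules):
        self.rules, self.states = rules, set()

    def filter(self, pkt):
        # 1. A packet belonging to an existing state skips ruleset evaluation.
        if state_key(pkt) in self.states:
            return "pass (state)"
        # 2. Otherwise the last matching rule wins (no "quick" is used here).
        verdict, keep = "pass", False
        for rule in self.rules:
            if rule_matches(rule, pkt):
                verdict, keep = rule[0], rule[6]
        if verdict == "pass" and keep:
            self.states.add(state_key(pkt))
        return verdict

# Constructed sample packets
SYN = Packet("in", EXT_IF, "tcp", CLIENT, 51000, WEBSERVER, 443)
REPLY = Packet("out", EXT_IF, "tcp", WEBSERVER, 443, CLIENT, 51000)
UNRELATED = Packet("out", EXT_IF, "tcp", WEBSERVER, 40000, CLIENT, 25)
```

Feeding `REPLY` to a fresh `Firewall(RULES)` yields `block`; after `SYN` has been passed, the same `REPLY` yields `pass (state)`, while `UNRELATED` outbound traffic is still blocked by `block out all`.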