Why this rule doesn't score a match?

Ivan Petrushev ivanatora at gmail.com
Wed Jul 23 17:25:44 UTC 2008


Hello,
I'm trying a very simple 'block all, allow a few' firewall, but
something doesn't seem right.
As far as I remember, the 'right matched rule' is taken and executed -
this doesn't seem to be working here.
Here is my firewall:
#####################
#macros
if = "re0"
ext_ip = "10.10.10.21"
tcp_services = "{http, https, ssh, domain, 5190, 5222, ftp, 1025}"
udp_services = "{domain, 5190, 5222, ftp}"

#filter
block in log on $if
pass on $if proto tcp from any port $tcp_services
pass on $if proto udp from any port $udp_services
####################
The point here is that if a packet for one of the listed services is
matched against the rules, it will match the block rule, but after
that it will match one of the last two and get passed. Instead it gets
blocked and I see it in the log:
tcpdump -n -i pflog0
19:54:57.657194 IP 64.12.161.185.5190 > 10.10.10.21.54111:  tcp 24
[bad hdr length 0 - too short, < 20]
(there are many of these, including on the other ports)

Now, here is something different. I tried removing the block rule
and added logging to the 'pass' rules. In that case a packet
traveling down the rules should match only the 'pass' rules and get
logged.
####################
#filter
#block in log on $if
pass log on $if proto tcp from any port $tcp_services
pass log on $if proto udp from any port $udp_services
####################

Well, it doesn't get logged. The only thing I see in the log is:
20:12:53.185368 IP 10.10.10.1.53 > 10.10.10.21.60918: [|domain]
And more DNS requests. There is nothing from 5190 (ICQ) or 5222 (Gtalk) or 80...

What could be wrong here? It is a fairly simple ruleset.
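An added example, not part of the original post: the posted ruleset next to a rewrite that makes the intended "block everything, allow a few outbound services" policy explicit. It assumes the listed services are ones this host connects out to (ICQ, Gtalk, DNS, HTTP) rather than services it offers, and that the pf in use defaults `pass` rules to `flags S/SA keep state` (OpenBSD 4.1 and later, FreeBSD 7.0 and later); the macros are the ones from the post. The comment explaining why the original rules block the traffic is one explanation consistent with both symptoms in the post, the TCP replies being blocked and, in the second test, only DNS (UDP) replies showing up in the log.

```pf
# Macros as posted
if = "re0"
ext_ip = "10.10.10.21"
tcp_services = "{ http, https, ssh, domain, 5190, 5222, ftp, 1025 }"
udp_services = "{ domain, 5190, 5222, ftp }"

# --- As posted (kept here as comments for comparison):
#
# block in log on $if
# pass on $if proto tcp from any port $tcp_services
# pass on $if proto udp from any port $udp_services
#
# 'from any port $tcp_services' matches on the SOURCE port and has no
# direction. The client's outbound SYN (source port ephemeral, e.g. 54111,
# destination port 5190) matches neither pass rule, so no state is created.
# The SYN/ACK and later data packets coming back have source port 5190,
# but they are not bare SYNs, so under the default 'flags S/SA' the TCP
# pass rule does not match them either; 'block in log' is the last match
# and the packet is logged. The UDP rule has no flag check, which is why
# DNS replies from port 53 do get logged by the 'pass log' variant.

# --- Rewritten: default deny, then let this host open connections TO the
# listed destination ports. 'keep state' (the default on current pf, written
# out for clarity) creates a state entry on the outbound SYN; the replies
# are then passed by the state table before the ruleset is consulted, so no
# inbound pass rule is needed for them.
set skip on lo0
block log all
pass out quick on $if proto tcp from $ext_ip to any port $tcp_services flags S/SA keep state
pass out quick on $if proto udp from $ext_ip to any port $udp_services keep state

# If the host also runs a service others connect to (for example sshd),
# that needs an explicit inbound rule keyed on the DESTINATION port:
# pass in on $if proto tcp from any to $ext_ip port ssh flags S/SA keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the state entries created by the outbound rules, and `tcpdump -n -e -ttt -i pflog0` shows which rule number blocked a logged packet.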

