So I found /tmp/rules.debug and added this line after the carp anchor, and it seemed to do the trick:
block in quick on vr0 inet proto tcp from any to any flags SF/SF
But as feared, that line disappeared once I did anything in the web interface.
If our client doesn't pass the PCI compliance scan, we'll lose them. It looks like I'm going to have to replace pfSense with a stock OpenBSD firewall - not a big deal for me personally, but since my techs are all trained on the web GUI it means one more thing that I am the only person capable of managing.
What is really sad here is that not only is this scan not making them the slightest bit more secure, and not only is this supposed "vulnerability" not a vulnerability at all, but we're actually being forced to relax the security on their system (by disabling scrub) to correct a misinterpretation of the PCI compliance rules and a misinterpretation of the test results. I guess that's what we get for letting lawyers and politicians write technical standards.
P.S. Tried upgrading to 1.2.2 in the hopes that I'd be able to create rules with flags in them. I'm kind of surprised this feature is missing, especially since the raw rules.debug file does have flags in some of them!
# grep flag rules.debug
block in quick on $wan proto tcp flags SF/SF
pass in quick on vr0 inet proto tcp from port 20 to (vr0) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
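The two rules quoted above both rely on pf's "flags a/b" matching: of the bits named in the mask b, the ones named in a must be set and the rest must be clear, so "SF/SF" matches only segments with both SYN and FIN set, while the default "S/SA" matches a plain SYN and nothing else. The following is an added example, not code from the post, from pfSense or from pf itself: a small Python model of that matching logic, run over a few constructed TCP flag values to show which of the two rules (block first, then the stateful pass) each segment would hit. The rule list and the sample segments are constructed for illustration.

```python
# Added example (not from the forum post or pfSense): a model of pf's
# "flags a/b" matching, used to check which rule a segment would hit.
# Semantics assumed from pf.conf(5): of the bits in the mask b, those
# in a must be set and the others clear; "flags any" matches everything.

# TCP flag letters as pf spells them, mapped to their header bit values.
PF_FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "W": 0x80,  # CWR
}


def _bits(letters):
    """OR together the bit values of a string of pf flag letters."""
    value = 0
    for letter in letters:
        if letter not in PF_FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {letter!r}")
        value |= PF_FLAG_BITS[letter]
    return value


def parse_flags_spec(spec):
    """Return (required, mask) for a pf flags spec: "a/b", "/b" or "any"."""
    spec = spec.strip()
    if spec == "any":
        return 0, 0  # empty mask: every segment matches
    if "/" not in spec:
        raise ValueError(f"expected a/b, /b or any, got {spec!r}")
    set_part, mask_part = spec.split("/", 1)
    required, mask = _bits(set_part), _bits(mask_part)
    if required & ~mask:
        raise ValueError(f"flags {set_part!r} not covered by mask {mask_part!r}")
    return required, mask


def flags_match(spec, tcp_flags):
    """True if a segment with the given flags byte satisfies the spec."""
    required, mask = parse_flags_spec(spec)
    return (tcp_flags & mask) == required


def first_matching_rule(rules, tcp_flags):
    """Action of the first 'quick' rule whose flags match, or None."""
    for action, spec in rules:
        if flags_match(spec, tcp_flags):
            return action
    return None


# Constructed flag values for the kinds of segments a scanner sends.
SAMPLE_SEGMENTS = {
    "plain SYN": PF_FLAG_BITS["S"],
    "SYN+FIN": PF_FLAG_BITS["S"] | PF_FLAG_BITS["F"],
    "SYN+ACK": PF_FLAG_BITS["S"] | PF_FLAG_BITS["A"],
    "FIN only": PF_FLAG_BITS["F"],
}

# The two rules from the post in ruleset order: the SF/SF block first,
# then the stateful pass rule with pf's default S/SA flags.
RULES = [("block", "SF/SF"), ("pass", "S/SA")]


def classify_samples(rules=RULES, segments=SAMPLE_SEGMENTS):
    """Map each sample segment name to the action it would receive."""
    return {name: first_matching_rule(rules, flags) for name, flags in segments.items()}


if __name__ == "__main__":
    for name, action in classify_samples().items():
        print(f"{name:10s} -> {action}")
```

Running it shows the plain SYN passing, the SYN+FIN segment being blocked, and the SYN+ACK and FIN-only segments matching neither rule (in a real ruleset they would fall through to whatever follows, or be handled by existing state). The ordering matters because both rules are "quick": the block must sit before the pass rule, which is why the post places it early in rules.debug.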