huh?
If your webserver is behind pfsense then the ports are already forwarded through pfsense..
So this comcast "modem" is doing NAT? Does pfsense doesn't have a private IP or Public on its wan? Your forwarding the 3 ports through to pfsense WAN IP on your "modem" A modem doesn't do nat.. You mean you have a comcast gateway? What is the make and model of this device for comcast?
You do understand that most things looking for those ports are going to directly look for them - not run through a port scan.. Where did you get the idea that pfsense blocks port scans? You do understand that pfsense blocks all ports that are not forwarded..
So say scanning ports 1, 2, 3, 4 - etc... until get to 80 would be blocked.. Why do you think that pfsense will say oh wait this source IP was checking other ports, I will not let him through to my port forwarded 80?
Are you running IPS package? Snort or Suricata?