pf.conf

ext_if       = "em0"
tcp_services = "{ssh, https}"

icmp_types   = "{echoreq, unreach}"
icmp6_types  = "{echoreq, unreach, 133, 134, 135, 136, 137}"

tcp_state    = "flags S/SA keep state"
udp_state    = "keep state"

set block-policy drop
set skip on lo0

scrub in on $ext_if all fragment reassemble

block in log all
pass  out quick modulate state

antispoof for $ext_if inet
antispoof for $ext_if inet6

block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255

pass in on $ext_if inet  proto tcp from any to any port $tcp_services $tcp_state
pass in on $ext_if inet6 proto tcp from any to any port $tcp_services $tcp_state

pass inet proto  icmp all  icmp-type  $icmp_types  keep state
pass inet6 proto icmp6 all icmp6-type $icmp6_types keep state