The rule set we have developed so far has one clear disadvantage: common troubleshooting commands such as ping and traceroute will not work. That may not matter too much to your users, and since it was the ping command which scared people into filtering or blocking ICMP traffic in the first place, there are apparently some people who feel we are better off without it. If you are in my perceived target audience, you will be rather fond of having those troubleshooting tools available. With a couple of small additions to the rule set, they will be. Since ping uses ICMP, and in order to keep our rule set tidy, we start by defining another macro:
icmp_types = "echoreq"
and a rule which uses the definition,
pass inet proto icmp all icmp-type $icmp_types
You may need more or different types of ICMP packets to get through, and in that case you can expand icmp_types to a list of the packet types you want to allow.
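As an added example (not from the original tutorial), here is the macro expanded to a list, so that echo requests and destination-unreachable messages are accepted, together with the matching rule. The interface names and the decision to allow exactly these two types are assumptions for illustration; which types you allow depends on your own network.

```pf
# Constructed pf.conf fragment, not from the tutorial text.
# Expanding the macro into a list: ping needs echoreq,
# and unreach lets hosts receive path MTU and port
# unreachable messages (the latter is what Unix traceroute
# relies on). Keep the list as short as your needs permit.
icmp_types = "{ echoreq, unreach }"

# The rule itself is unchanged; the macro now expands
# to the whole list. "inet" restricts this to IPv4.
pass inet proto icmp all icmp-type $icmp_types

# Check the file parses before loading it (-n = parse only):
#   pfctl -nf /etc/pf.conf
```

A quick parse check with pfctl -nf before loading is worth the habit: a typo in a macro shows up as a syntax error at that point instead of as a rule set that silently does something other than what you meant.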