First rule set - single machine

This is the simplest possible setup, for a single machine which will not run any services, and which will talk to one network which may be the Internet. For now, we will use a /etc/pf.conf which looks like this:

block in all
pass out all keep state

that is, deny any incoming traffic, allow traffic we make ourselves, and retain state information on our connections. Keeping state information allows return traffic for all connections we have initiated to pass back to us. It is worth noting that from OpenBSD 4.1 onwards, the default for pass rules is to keep state information[1], so the equivalent rule set in the new OpenBSD 4.1 style is even simpler,

# minimal rule set, OpenBSD 4.1 and newer keeps state by default
block in all
pass out all

It goes pretty much without saying that passing all traffic generated by a specific host implies a great deal of trust that the host in question is, in fact, trustworthy. This is something you do if and only if this is a machine you know you can trust. If you are ready to use the rule set, you load it with

$ doas pfctl -ef /etc/pf.conf

[1] In fact the new default corresponds to keep state flags S/SA, ensuring that only initial SYN packets during connection setup create state, eliminating some puzzling error scenarios.
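To make the state tracking described above concrete, here is a small Python model of the two-rule set. It is added as an illustration and is not part of the tutorial or of PF itself: a deliberately simplified state table, not PF's real state engine, applied to a constructed packet sequence under both the plain keep state rule and the flags S/SA variant. The addresses are RFC 5737 documentation addresses and the packet sequence is constructed.

```python
"""Toy model of "block in all / pass out all keep state".

Added illustration, not PF's own implementation: a plain state table keyed
by the connection 5-tuple, with an optional "flags S/SA" check on the rule
that creates state.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str       # "in" (towards us) or "out" (sent by us)
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # TCP flags present, e.g. "S", "SA", "A"


# Connection key as seen from the sender of a packet.
Key = Tuple[str, str, int, str, int]


class ToyStatefulFilter:
    def __init__(self, syn_only: bool) -> None:
        # syn_only=True models "flags S/SA": only the initial SYN creates state.
        self.syn_only = syn_only
        self.states: Dict[Key, bool] = {}

    @staticmethod
    def _forward(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> Key:
        # The same connection as recorded by the side that opened it.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _out_rule_matches(self, p: Packet) -> bool:
        # "flags S/SA": of the SYN and ACK bits, only SYN may be set.
        if p.proto != "tcp" or not self.syn_only:
            return True
        return "S" in p.flags and "A" not in p.flags

    def filter(self, p: Packet) -> str:
        # Packets belonging to an existing state pass in either direction;
        # this is what lets return traffic through "block in all".
        if self._forward(p) in self.states or self._reverse(p) in self.states:
            return "pass:state"
        if p.direction == "out":
            if self._out_rule_matches(p):
                self.states[self._forward(p)] = True
                return "pass:new-state"
            # No rule matched. PF passes unmatched packets by default, but
            # without a state entry the replies will hit "block in all".
            return "pass:no-state"
        return "block"


# Constructed packets using RFC 5737 documentation addresses.
US, WEB, STRANGER = "192.0.2.10", "198.51.100.5", "203.0.113.7"
SCENARIO: List[Packet] = [
    Packet("out", "tcp", US, 40000, WEB, 80, "S"),      # we open a connection
    Packet("in",  "tcp", WEB, 80, US, 40000, "SA"),     # server's reply
    Packet("in",  "tcp", STRANGER, 5555, US, 22, "S"),  # unsolicited inbound
    Packet("out", "udp", US, 53001, WEB, 53),           # DNS query, no flags
    Packet("in",  "udp", WEB, 53, US, 53001),           # DNS answer
    Packet("out", "tcp", US, 40001, WEB, 443, "A"),     # mid-stream ACK, no state yet
    Packet("in",  "tcp", WEB, 443, US, 40001, "A"),     # its counterpart
]


def run_scenario(syn_only: bool) -> List[str]:
    """Apply the modelled rule set to SCENARIO; one verdict per packet."""
    fw = ToyStatefulFilter(syn_only)
    return [fw.filter(p) for p in SCENARIO]


if __name__ == "__main__":
    for label, syn_only in (("keep state", False), ("flags S/SA keep state", True)):
        print(label)
        for p, verdict in zip(SCENARIO, run_scenario(syn_only)):
            print(f"  {p.direction:3} {p.proto} {p.src}:{p.sport} -> "
                  f"{p.dst}:{p.dport} {p.flags:2} {verdict}")
```

The two runs differ only in the last two packets: under plain keep state the stray mid-stream ACK creates a state entry and its counterpart is let in, whereas under flags S/SA no entry is created and the inbound packet is blocked, so only connections that went through a proper handshake ever appear in the state table.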