This is the simplest possible setup, for a single machine which will not run any services, and which will talk to one network which may be the Internet. For now, we will use a /etc/pf.conf which looks like this:
block in all pass out all keep state
that is, deny any incoming traffic, allow traffic we make ourselves, and retain state information on our connections. Keeping state information allows return traffic for all connections we have initiated to pass back to us. It is worth noting that from OpenBSD 4.1 onwards, the default for pass rules is to keep state information[1], so the equivalent rule set in the new OpenBSD 4.1 style is even simpler,
# minimal rule set, OpenBSD 4.1 and newer keeps state by default block in all pass out all
It goes pretty much without saying that passing all traffic generated by a specific host implies a great deal of trust that the host in question is, in fact, trustworthy. This is something you do if and only if this is a machine you know you can trust. If you are ready to use the rule set, you load it with
$ doas pfctl -ef /etc/pf.conf
| [1] | In fact the new default corresponds to keep state flags S/SA, ensuring that only initial SYN packets during connection setup create state, eliminating some puzzling error scenarios |