You may want to check that PF is actually running, and perhaps at the same time look at some statistics. The pfctl program offers a number of different types of information if you use pfctl -s, adding the type of information you want to display. The following example is taken from my home gateway while I was preparing an earlier version of this lecture:
$ doas pfctl -s info
Status: Enabled for 17 days 00:24:58 Debug: Urgent
Interface Stats for ep0 IPv4 IPv6
Bytes In 9257508558 0
Bytes Out 551145119 352
Packets In
Passed 7004355 0
Blocked 18975 0
Packets Out
Passed 5222502 3
Blocked 65 2
State Table Total Rate
current entries 15
searches 19620603 13.3/s
inserts 173104 0.1/s
removals 173089 0.1/s
Counters
match 196723 0.1/s
bad-offset 0 0.0/s
fragment 22 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 28 0.0/s
proto-cksum 325 0.0/s
state-mismatch 983 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 26 0.0/s
synproxy 0 0.0/sThe first line here indicates that PF is enabled and has been running for for a little more than two weeks, which is equal to the time since I upgraded to what was then the latest snapshot. pfctl -s all provides highly detailed information. Try it and have a look, and while there, look into some of the other pfctl options. man 8 pfctl (or clicking the man page link in this paragraph) gives you full information.
At this point you have a single machine which should be able to communicate reasonably well with other internet connected machines. And while the rule set is very basic, it serves as an excellent starting point for staying in control of your network.
This is a very basic rule set and a few things are still missing. For example, you probably want to let at least some ICMP and UDP traffic through, if nothing else for your own troubleshooting needs.
And even though more modern and more secure options are available, you will probably be required to handle the ftp service.
We will return to these items shortly.