You may want to check that PF is actually running, and perhaps at the same time look at some statistics. The pfctl program offers a number of different types of information if you use pfctl -s, adding the type of information you want to display. The following example is taken from my home gateway while I was preparing an earlier version of this lecture:
    $ doas pfctl -s info
    Status: Enabled for 17 days 00:24:58           Debug: Urgent

    Interface Stats for ep0               IPv4             IPv6
      Bytes In                      9257508558                0
      Bytes Out                      551145119              352
      Packets In
        Passed                         7004355                0
        Blocked                          18975                0
      Packets Out
        Passed                         5222502                3
        Blocked                             65                2

    State Table                          Total             Rate
      current entries                       15
      searches                        19620603           13.3/s
      inserts                           173104            0.1/s
      removals                          173089            0.1/s
    Counters
      match                             196723            0.1/s
      bad-offset                             0            0.0/s
      fragment                              22            0.0/s
      short                                  0            0.0/s
      normalize                              0            0.0/s
      memory                                 0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                             0            0.0/s
      ip-option                             28            0.0/s
      proto-cksum                          325            0.0/s
      state-mismatch                       983            0.0/s
      state-insert                           0            0.0/s
      state-limit                            0            0.0/s
      src-limit                             26            0.0/s
      synproxy                               0            0.0/s
The first line here indicates that PF is enabled and has been running for a little more than two weeks, which is equal to the time since I upgraded to what was then the latest snapshot. pfctl -s all provides highly detailed information. Try it and have a look, and while there, look into some of the other pfctl options. man 8 pfctl gives you full information.
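The status line and counters above lend themselves to an automated health check. The following is an added example, not part of the original lecture: the function names and the PF_WATCH list of counters worth alerting on are choices made here, and the embedded sample is an excerpt of the output shown above.

```sh
#!/bin/sh
# Added example: checks over `pfctl -s info` text read on stdin (names are illustrative).
PF_WATCH="memory congestion state-limit src-limit"
# Excerpt of the output shown above, embedded so the script runs offline.
sample_pf_info() {
    cat <<'EOF'
Status: Enabled for 17 days 00:24:58           Debug: Urgent
Interface Stats for ep0               IPv4             IPv6
  Bytes In                      9257508558                0
State Table                          Total             Rate
  current entries                       15
  searches                        19620603           13.3/s
Counters
  memory                                 0            0.0/s
  state-mismatch                       983            0.0/s
  state-limit                            0            0.0/s
  src-limit                             26            0.0/s
EOF
}

# Exit 0 only when a Status line is present and reads "Enabled".
pf_enabled() {
    awk '$1 == "Status:" { seen = 1; ok = ($2 == "Enabled") } END { exit !(seen && ok) }'
}

# Print "name<TAB>total" for rows under State Table and Counters only.
pf_rows() {
    awk '
        /^State Table/ || /^Counters/ { sec = 1; next }
        /^[^ \t]/ { sec = 0 }    # any other unindented line starts another section
        sec && NF >= 2 {
            last = ($NF ~ /\/s$/) ? NF - 1 : NF    # skip the trailing rate column
            name = $1
            for (i = 2; i < last; i++) name = name " " $i
            printf "%s\t%s\n", name, $last
        }'
}

# Print the total for one named row; exit 1 if the row is absent.
pf_counter() {
    pf_rows | awk -F '\t' -v want="$1" '$1 == want { print $2; hit = 1 } END { exit !hit }'
}

# Print name=total for every watched counter that is above zero.
pf_alerts() {
    pf_rows | awk -F '\t' -v watch="$PF_WATCH" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) watched[w[i]] = 1 }
        ($1 in watched) && $2 + 0 > 0 { print $1 "=" $2 }'
}
```

On a live gateway, feed the functions from the real command, for example `doas pfctl -s info | pf_alerts`.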
At this point you have a single machine which should be able to communicate reasonably well with other internet-connected machines. And while the rule set is very basic, it serves as an excellent starting point for staying in control of your network.
This is a very basic rule set and a few things are still missing. For example, you probably want to let at least some ICMP and UDP traffic through, if nothing else for your own troubleshooting needs.
And even though more modern and more secure options are available, you will probably be required to handle the ftp service.
We will return to these items shortly.