3rd May 2014
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,983

To be clear, is this the rule that caused problems?
Code:
#pass out on $wan proto udp from any to ($wan) port { domain, ntp } keep state
This passes UDP traffic for ports 53 and 123 outbound when that traffic is destined to addresses assigned to your em0 NIC. I don't think this rule is likely to match any traffic, so I'm unclear how it caused problems.

Your explicit rule to block any internet traffic to 255.255.255.255 is unnecessary as you have that address in the table you block with the immediately preceding rule.

I recommend until you have your ruleset somewhat fixed that you add the log option to every rule, both block and pass. That way, you will be able to use tcpdump(8) with your pflog(4) device to see exactly what is being passed or blocked. You will be able to see every rule that matches ... and eventually be able to discern which rules are moot, and which are causing problems.
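As an added illustration of the advice above (this is not part of jggimi's post nor the original poster's ruleset), here is a minimal pf.conf skeleton with the log option on every rule, the table-based block that makes a separate 255.255.255.255 rule redundant, and the tcpdump(8) invocations for reading pflog(4). The interface name em0, the table name <martians> and its contents are assumptions chosen for the example.

```pf
# Added example, not the ruleset from the thread. Interface and table
# contents are assumptions for illustration.
wan = "em0"
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                         172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, \
                         255.255.255.255/32 }

set skip on lo

# Default deny, logged: anything not matched by a later rule shows up here,
# which is how you find traffic you forgot to account for.
block log all

# Drop traffic to or from the martian table. 255.255.255.255 is already in
# the table, so a separate "block in on $wan from any to 255.255.255.255"
# rule would never match anything this rule has not already dropped.
block in log quick on $wan from <martians> to any
block in log quick on $wan from any to <martians>

# Outbound DNS and NTP from this host. The destination is "any", not ($wan):
# "to ($wan)" only matches packets addressed to em0's own address, which an
# outbound client query is not.
pass out log on $wan proto udp from ($wan) to any port { domain, ntp } keep state

# Watch matches live. "-e" prints the pflog header for each packet: the
# action (pass/block), the rule number and the anchor, so every rule that
# fires can be identified:
#   tcpdump -n -e -ttt -i pflog0
# Or read the saved log after the fact:
#   tcpdump -n -e -ttt -r /var/log/pflog
```

Once the ruleset behaves, the log keyword can be removed from the high-volume pass rules again so that pflog0 only carries what you actually want to inspect.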