I just noticed that these various pf.conf rule sets only have one NIC, $ext_if (re0). Assuming, for the moment, that there is a second NIC, there are no pass in rules for its traffic. All traffic initiated on a local LAN (assuming there is one) will be blocked, except for the limited set of ICMP traffic added to your second pf.conf example.
|