Revised but haven't tested yet.
Code:
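# pf ruleset for a single-homed host: default deny in both directions, a fixed
# set of outbound services, and a handful of inbound services on $ext_if.
# Parse it before loading, e.g. `pfctl -n -f <ruleset file>`, and keep console
# access available when loading over SSH: a mistake in the ssh rule locks the
# session out.

# --- Macros ---------------------------------------------------------------
# External interface the rules below are bound to.
ext_if = "re0"

# Outbound TCP destination ports this host may reach. Service names are
# resolved to port numbers when the ruleset is loaded.
# NOTE(review): "sftp" as a service name is normally the legacy Simple File
# Transfer Protocol (115/tcp), not SSH file transfer, which already rides on
# "ssh" -- confirm against /etc/services and drop it if that was not intended.
# NOTE(review): "www" and "http" normally name the same port; one is enough.
# NOTE(review): with outbound default-deny, FTP data connections to ports
# outside this list will not match; FTP through pf usually needs ftp-proxy(8)
# -- confirm whether outbound FTP is really required.
tcp_services = "{ ssh, ftp, sftp, imap, imaps, smtp, 587, pop3, \
domain, ntp, www, http, https }"

# Outbound UDP destination ports.
udp_services = "{ domain, ntp }"

# ICMP types passed by the last rule: echo request (ping) and
# destination-unreachable.
icmp_types = "{ echoreq, unreach }"

# --- Options --------------------------------------------------------------
# Do not filter loopback traffic.
set skip on lo
# Collect logging statistics for the external interface.
set loginterface $ext_if

# --- Normalization --------------------------------------------------------
# Reassemble fragments and replace the IP ID field with random values on
# inbound packets.
scrub in all random-id fragment reassemble

# --- Filtering ------------------------------------------------------------
# Default deny, logged. Inbound is rejected with a return packet; outbound
# uses the default block policy. Later non-quick rules override these because
# pf applies the last matching rule.
block return in log all
block log out all

# Drop packets whose source address claims to belong to $ext_if's network but
# that did not arrive on $ext_if.
antispoof quick for $ext_if

# Outbound: only the listed services; "quick" stops evaluation on match.
pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services

# Allow traceroute: UDP probes to ports strictly between 33433 and 33626
# (">< " is an exclusive range). The state entry lets the ICMP replies back in.
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

# Inbound TCP services. synproxy makes pf complete the three-way handshake
# itself before handing the connection to the local daemon.
# NOTE(review): ssh is reachable from any source. Consider limiting the source
# addresses, or adding state options such as max-src-conn-rate with an
# overload table, so repeated login attempts are throttled at the firewall.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port smtp flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port https flags S/SA synproxy state
# NOTE(review): pop3 on its plain port carries credentials unencrypted unless
# the server enforces STARTTLS -- confirm, or expose pop3s instead.
pass in on $ext_if proto tcp from any to any port pop3 flags S/SA synproxy state

# Inbound DNS from any source.
# NOTE(review): appropriate for an authoritative server; if the daemon also
# answers recursive queries for arbitrary clients it can be abused for
# amplification -- restrict recursion in the DNS server configuration.
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state

# ICMP: no direction or interface is given, so this applies both inbound and
# outbound on every interface that is not skipped above.
pass inet proto icmp all icmp-type $icmp_types keep state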