Wednesday, January 02, 2008

PF: Going a little farther & tighter

As I said before, I have installed an OpenBSD box on my LAN to work as a firewall. For the setup and rules I used one of the example scripts shipped with the distribution, the one called 'faq-example1'; there are many other examples on the installed OpenBSD box under the '/usr/share/pf/' directory, or you can take a look at it on this page: Firewall for Home or Small Office.
What this sample script does is this:

In this example, PF is running on an OpenBSD machine acting as a firewall and NAT gateway for a small network in a home or office. The overall objective is to provide Internet access to the network and to allow limited access to the firewall machine from the Internet, and expose an internal web server to the external Internet.


The thing is, I don't want to serve any site from my LAN, and I also don't want the SSH port to be open to the public Internet... So I have modified the script to close those things up.
Here is how the edited file looks:

# macros
ext_if="ne3"            # external (Internet-facing) interface
int_if="dc0"            # internal LAN interface
icmp_types="echoreq"    # the only ICMP type let in from outside

# options
set block-policy return  # blocked TCP gets a RST, other protocols an ICMP unreachable
set loginterface $ext_if # keep statistics for the external interface

set skip on lo           # never filter loopback traffic

# scrub
scrub in                 # normalize and reassemble incoming packets

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)   # hide the LAN behind the external address
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021   # LAN FTP clients go through ftp-proxy(8)
# the example's "rdr ... port 80 -> $comp3" rule is gone: nothing on the LAN is published

# filter rules
block in                 # default deny for everything arriving on any interface

pass out                 # everything outbound is allowed (and tracked statefully)

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }   # drop packets that forge a LAN source address
# the example's "pass in ... port $tcp_services" rule is gone: no SSH from the Internet

pass in inet proto icmp all icmp-type $icmp_types   # still answer ping from outside

pass quick on $int_if no state   # trust the LAN side completely


After editing and saving it, run this to make it active:

sudo pfctl -f /etc/pf.conf


This blocks anything and everything coming in from the outside, except for ping: you will get a reply from the external (public) IP address of the OpenBSD server. You can certainly close that as well, but I like to be able to tell from any location whether my ISP is working or not.
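Before making a ruleset active it is worth checking two things: that pfctl accepts it (pfctl -n parses without loading), and that it really does not contain the two rules removed above, the "pass in ... proto tcp" for SSH and the "rdr on $ext_if" publishing an internal host. The script below is an added example and not part of the original post; the grep patterns are my own assumption of what "closed up" means here, the sample rulesets are constructed from this page, and pfctl is only called if it is present on the machine.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a pf.conf
# before "pfctl -f" makes it active.

# audit_ruleset FILE
# Returns 0 if FILE has no rule exposing a TCP service to the Internet, i.e. no
# "pass in ... proto tcp" and no "rdr on $ext_if" (assumed definition of "closed");
# returns 1 and prints the offending lines otherwise. Comments are stripped first.
audit_ruleset() {
    f="$1"
    offending=$(sed 's/#.*//' "$f" \
        | grep -E '^[[:space:]]*(pass[[:space:]]+in.*proto[[:space:]]+tcp|rdr[[:space:]]+on[[:space:]]+\$ext_if)' \
        || true)
    if [ -n "$offending" ]; then
        printf 'ruleset exposes services:\n%s\n' "$offending" >&2
        return 1
    fi
    return 0
}

# has_icmp_pass FILE: returns 0 if the ruleset still lets ICMP (ping) in
has_icmp_pass() {
    sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*pass[[:space:]]+in.*proto[[:space:]]+icmp'
}

# load_ruleset FILE: audit, then parse-only with pfctl -n, then load for real.
# Needs root on the OpenBSD box; does nothing destructive where pfctl is absent.
load_ruleset() {
    f="$1"
    audit_ruleset "$f" || return 1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$f" || return 1     # syntax check only; nothing loaded on error
        pfctl -f "$f"
    else
        echo "pfctl not found; skipping load (audit passed)" >&2
    fi
}

# Constructed sample rulesets (temporary files, removed on exit).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# The edited ruleset from this post: no web server, no SSH, ping allowed.
cat > "$tmp/closed.conf" <<'EOF'
ext_if="ne3"
int_if="dc0"
icmp_types="echoreq"
set block-policy return
set skip on lo
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
block in
pass out
antispoof quick for { lo $int_if }
pass in inet proto icmp all icmp-type $icmp_types
pass quick on $int_if no state
EOF

# The two rules the post removed, as they appear in the stock faq-example1.
cat > "$tmp/open.conf" <<'EOF'
ext_if="ne3"
tcp_services="{ 22, 113 }"
comp3="192.168.0.3"
rdr on $ext_if proto tcp to ($ext_if) port 80 -> $comp3
block in
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
EOF

for conf in "$tmp/closed.conf" "$tmp/open.conf"; do
    if audit_ruleset "$conf"; then
        echo "$conf: nothing exposed from the Internet"
    else
        echo "$conf: needs attention before loading"
    fi
done
# On the firewall itself: load_ruleset /etc/pf.conf
```

Run it as a normal user to see the audit on the two samples; on the firewall, replace the final loop with load_ruleset /etc/pf.conf, which refuses to call pfctl -f if either the audit or pfctl -n fails.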
