Glad to hear that you have solved the problem.

> as you may notice I added the ping and the dns to the ruleset since
> this was blocked in the original set of rules.

You can allow outgoing DNS with one single rule:

  pass out on $ext_if inet proto { tcp, udp } from $ext_if \
    to any port domain keep state


> ...
> pass on hvn0 inet proto icmp all icmp-type echoreq

Just to be curious: what is the effect of "on" in your rules "pass on ..."?
As to pf.conf(5) there are only "in" or "out".

 
  
