Thanks Joachim and Woodchuck for your replies. To be RFC compliant I will add icmp. I will also add logging to check the output; it can indeed be very helpful.
I am not using ssh and dhcp, so I have blocked those ports. About 'block inet6': I thought that 'block all' did that job? I will also add 'set skip lo0'; good point! Scrub is removed now because of the notes from Joachim. I will add the ftp proxy too. Thanks again, will post the result later for a last check.