PF advice for IPv6-only machine (freebsd-12)

John tech-lists at zyxst.net
Sun Aug 14 18:18:47 UTC 2016


Hello list,

This is my first attempt creating a PF ipv6-only firewall. Please can
anyone look at it and offer any suggestions? It seems to work (in that
if services are removed from the macro, they're no longer accessible
from the outside), but I'm not sure that I've done Everything Right (tm)
and that there aren't some silly mistakes, like redundant statements.

I'd like to silently drop connection attempts to ports where there are
no services, like one can do on ip4 with blackhole(4) but I haven't a
clue how to do it on ipv6 with PF - is there a way?

### begins

# macros
ext_if = msk0
services = "{ 22, 3022 }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ unreach, toobig, timex, paramprob, echoreq, echorep, \
neighbradv, neighbrsol, routeradv, routersol }"

set skip on lo
set block-policy return
set state-policy if-bound
set loginterface $ext_if
# normalise inbound traffic on the external interface (note the $ on the macro)
scrub in on $ext_if all fragment reassemble

# filter rules
block in log all
pass out all

# keep alive rules (IP protocol 41 is IPv6 encapsulated in IPv4, i.e. 6in4 tunnel traffic)
pass out log quick proto 41 from ($ext_if) to any keep state
pass in log quick proto 41 from any to ($ext_if) keep state

# allow heartbeat ping
pass in log quick on $ext_if inet6 proto { ipv6-icmp } from any to \
any keep state

# pass tcp services
pass in quick on $ext_if inet6 proto tcp from any to any port $services

### ends

many thanks,
-- 
J.
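As an added example (not part of the original post or the author's ruleset), the following pf.conf shows one way to get the silent-drop behaviour asked about above: `set block-policy drop` makes every `block` rule discard packets without sending a TCP RST or an ICMPv6 unreachable, which is what blackhole(4) does for IPv4. It also puts the otherwise unused `$icmp6_types` macro to work so that only the ICMPv6 types IPv6 actually needs (neighbour and router discovery, packet-too-big, errors, echo) are admitted instead of all of `ipv6-icmp`. The interface name `msk0`, the ports and the ICMPv6 list are carried over from the post as assumptions for illustration.

```pf
# Added example, not the original poster's ruleset.
# Assumptions: external interface msk0, services on TCP 22 and 3022.
ext_if = "msk0"
services = "{ 22, 3022 }"
# ICMPv6 types IPv6 cannot function without: NDP (neighbor/router
# discovery), path MTU discovery (toobig) and error reporting;
# echoreq/echorep keep the heartbeat ping working.
icmp6_types = "{ unreach, toobig, timex, paramprob, echoreq, echorep, \
neighbradv, neighbrsol, routeradv, routersol }"

set skip on lo
# 'drop' answers blocked packets with silence instead of RST / unreachable,
# the IPv6 counterpart of the blackhole(4) sysctls.
set block-policy drop
set state-policy if-bound
set loginterface $ext_if

scrub in on $ext_if all fragment reassemble

# default deny inbound (logged), allow everything outbound with state
block in log all
pass out all keep state

# only the ICMPv6 types listed in the macro, not all of ipv6-icmp
pass in quick on $ext_if inet6 proto ipv6-icmp from any to any \
icmp6-type $icmp6_types keep state

# offered TCP services
pass in quick on $ext_if inet6 proto tcp from any to any port $services keep state
```

If some blocks should still answer (for example to let a local scanner see "closed" rather than hang), keep `set block-policy return` and write the individual rule as `block drop in ...`; the per-rule `drop` or `return` keyword overrides the global policy. Check the result with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -sr` afterwards to see how the macros expanded.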

