Lots of things in the startup scripts will fail to work or hang indefinitely if you block outbound stuff. I find it necessary to allow at least outbound DNS in order for the machine to boot in reasonable time. Fortunately pf is pretty good about allowing outbound but not allowing inbound connections, even for UDP.
I'm a bit unclear on how pf deals with state though.

1) On UDP keep state rules, do they allow replies from other IPs? The DNS spec says that servers can respond from a different IP than the one they received the query on.

2) For UDP and TCP, does it allow ICMP replies that reference this connection in the payload? I seem to recall reading something that indicated so, but exactly how does it decide?

-- 
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
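As an added illustration (not part of the post above), the following pf.conf fragment is a default-deny ruleset that allows only the outbound traffic a host needs to boot, with comments describing how pf's state table behaves on the two points asked about. The interface name and the resolver addresses are assumed placeholders.

```pf
# Added example ruleset (not from the original post): default-deny pf.conf that
# lets the host resolve names at boot while refusing unsolicited inbound traffic.
# Interface name and resolver addresses are placeholders; substitute your own.
ext_if    = "em0"
resolvers = "{ 192.0.2.53, 198.51.100.53 }"   # assumed: the configured DNS servers

set skip on lo0

# Default deny in both directions; log blocked inbound packets for review.
block in log all
block out all

# Outbound DNS only, to the configured resolvers. "keep state" creates a state
# entry keyed on protocol, source/destination address and source/destination
# port, so only a datagram from that same resolver address, port 53, back to the
# querying port matches it. A reply sent from a different server address does
# not match the state and is dropped by "block in"; list every address a
# resolver may answer from if it is multi-homed.
pass out quick on $ext_if proto udp from ($ext_if) to $resolvers port 53 keep state
pass out quick on $ext_if proto tcp from ($ext_if) to $resolvers port 53 flags S/SA keep state

# Other outbound services the boot scripts may block on (NTP shown as an example).
pass out quick on $ext_if proto udp from ($ext_if) to any port 123 keep state

# Outbound ping: replies are matched to the state created here. ICMP error
# messages (unreachable, time exceeded) whose quoted inner packet matches an
# existing UDP or TCP state are associated with that state by pf and passed
# without any separate "pass in proto icmp" rule.
pass out quick on $ext_if inet proto icmp icmp-type echoreq keep state
```

Load with `pfctl -f /etc/pf.conf` and inspect the resulting entries with `pfctl -ss` to see the per-address state keys described in the comments.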