This is the simplest possible setup, for a single machine which will not run any services, and which will talk to one network which may be the Internet. For now, we will use a /etc/pf.conf which looks like this:
block in all pass out all keep state
that is, deny any incoming traffic, allow traffic we make ourselves, and retain state information on our connections. Keeping state information allows return traffic for all connections we have initiated to pass back to us. This is something you do if this is a machine you know you can trust. If you are ready to use the rule set, you load it with
$ sudo pfctl -e ; sudo pfctl -f /etc/pf.conf