Something like this
nat pass on $ext_if inet proto tcp from ($int_if:network) to any port www -> ($ext_if:0)
# for DNS it is better to use the IPs of the provider's DNS servers rather than any. Better still, run your own resolver on the gateway.
nat pass on $ext_if inet proto {tcp,udp} from ($int_if:network) to any port domain -> ($ext_if:0)
block all
pass out on $ext_if inet proto tcp from self to any port smtp
pass out on $ext_if inet proto {tcp,udp} from self to any port domain
pass on $int_if from ($int_if:network) to ($int_if:network)
pass in on $int_if inet proto tcp from ($int_if:network) to any port www
pass in on $int_if inet proto {tcp,udp} from ($int_if:network) to any port domain
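The comment in the ruleset recommends replacing `any` in the DNS rules with the provider's resolver addresses. The fragment below is an added example of that narrowing, not part of the original post; it keeps the same pre-4.7 `nat pass` syntax as the post, and the two resolver addresses are placeholders from the documentation range that must be replaced with the provider's real ones.

```pf
# Added example: DNS rules narrowed to the provider's resolvers,
# following the advice in the comment in the post above.
# The addresses are placeholders (documentation range), not real resolvers.
dns_servers = "{ 203.0.113.53, 203.0.113.54 }"

# NAT only the DNS traffic that is headed for the known resolvers
nat pass on $ext_if inet proto { tcp, udp } from ($int_if:network) to $dns_servers port domain -> ($ext_if:0)

# The gateway itself talks only to those resolvers as well
pass out on $ext_if inet proto { tcp, udp } from self to $dns_servers port domain

# LAN clients may reach only those resolvers through the gateway;
# anything else on port 53 still falls under "block all"
pass in on $int_if inet proto { tcp, udp } from ($int_if:network) to $dns_servers port domain
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without activating it and reports syntax errors such as an unterminated list in the macro. With this change a LAN host pointed at an arbitrary external resolver simply gets no answer, which is the intended effect: DNS leaves the network only through the resolvers you chose.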