desktop OpenBSD pf.conf

I have an OpenBSD 4.9/i386 desktop sitting naked on the Internet, and found people poking at my TCP ports. While PF is enabled by default, it's configured to permit everything except remote X11. I need a policy that will block incoming traffic from everywhere except a few key IP addresses, while allowing me to make any outbound connections I desire.

mgmt="{192.0.2.0/24, 192.168.8.0/24}"
set skip on lo
block
pass proto icmp
pass from $mgmt to self
pass from self to any
block in on ! lo0 proto tcp to...
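
An added example, not part of the original post: a small Python model of how PF's last-matching-rule evaluation decides the first packet of a connection under the four complete filter rules above. The desktop's address (203.0.113.10), the interface name em0 and the sample packets are constructed, and the truncated final rule is left out of the model.

```python
import ipaddress

# Assumption: "self" is modelled as one constructed address; in PF it
# expands to every address assigned to the machine's interfaces.
SELF = ipaddress.ip_address("203.0.113.10")
MGMT = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "192.168.8.0/24")]

def in_mgmt(addr):
    return any(addr in net for net in MGMT)

def is_self(addr):
    return addr == SELF

def anyaddr(addr):
    return True

# (action, protocol or None for any, source test, destination test), in file
# order. None of these rules names a direction, so direction is not modelled.
RULES = [
    ("block", None, anyaddr, anyaddr),    # block
    ("pass", "icmp", anyaddr, anyaddr),   # pass proto icmp
    ("pass", None, in_mgmt, is_self),     # pass from $mgmt to self
    ("pass", None, is_self, anyaddr),     # pass from self to any
]

def evaluate(iface, proto, src, dst, rules=RULES):
    """Verdict for the first packet of a connection. Replies are not
    re-evaluated: pass rules keep state by default, so they ride that state."""
    if iface.startswith("lo"):
        return "pass"                     # set skip on lo
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = "pass"                      # PF passes when no rule matches
    for action, rproto, src_ok, dst_ok in rules:
        if rproto in (None, proto) and src_ok(src) and dst_ok(dst):
            verdict = action              # no "quick": the last match wins
    return verdict

if __name__ == "__main__":
    samples = [                           # constructed packets
        ("em0", "tcp", "198.51.100.7", "203.0.113.10"),   # stranger, inbound
        ("em0", "tcp", "192.0.2.15", "203.0.113.10"),     # management host
        ("em0", "tcp", "203.0.113.10", "198.51.100.7"),   # outbound
        ("em0", "icmp", "198.51.100.7", "203.0.113.10"),  # ping from anywhere
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(*pkt))
```

Passing the same rules with the bare block moved to the end shows why it has to come first: as the last match it would override every pass rule.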

Published on June 09, 2011 08:55