One of the best things about the Pi is that it's small, and portable.  It's very tempting to use it on wireless networks, unattended.  Sadly, in the real world, any wireless network can be hacked, and any device on wireless should be considered vulnerable.  So, pf is an easy way to harden your Pi.

The first thing you'll need is a FreeBSD Pi install, which has the pf device in the kernel.  You can get that here, or just build yourself a kernel with pf.

Then, you will need some simple rules.  I used these rules in the file "/etc/pf.conf"

# options
set block-policy return
set optimization conservative

# normalization
scrub in all
scrub out all

# default, deny everything
block in log all
pass out quick

#icmp
pass out inet proto icmp from any to any keep state
pass in quick inet proto icmp from any to any keep state

#ssh
pass out inet proto tcp from any to any port 22 keep state
pass in quick inet proto tcp from any to any port 22 keep state

#localhost
pass in quick on lo0 all
pass out quick on lo0 all

Simply; I block everything other than ssh, icmp (ping).

In order to load the rules:

pfctl -f /etc/pf.conf

and to show the current status of the packet filter:

pfctl -s all

You'll want FreeBSD to load your pf rules when it starts, so add the below to "/etc/rc.conf"

pf_enable="YES"