sysctl.conf

keep away core file cluter

kern.corefile=/tmp/%N.core

make your connections a little more discreet

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.random_id=1

hardening - option to set these in installer

security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1
security.bsd.stack_guard_page=1

rc.conf

enable your firewall

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""

pf.conf

basic firewall conf for a general user

pass log all
block in all
pass out all keep state
set skip on lo