IPFW Auditing Firewall Rules and settings against best practice and security risk

Hi All ,

I need to audit the rules and settings of a FreeBSD firewall against best practice, "my first time"; the client has sent me a text file.

Is there a software I can use to make this analysis? If not, what is the best process for auditing this FreeBSD firewall?

Thank you
 
A lot of different opinions/recommendations will show up, but my opinions:
Start with a clear set of requirements. Assume a starting point of "default deny" on all interfaces, to me that makes the rest easier. What type of traffic is allowed, where it is allowed from. Source and destination are important.

As part of the requirements, a network diagram helps visualize flows. Is the firewall protecting a network or just a client?

Are there any public facing resources? Are they hosted elsewhere or by the client?

Once you have the clear requirements and the network diagram, you can simply start walking the ruleset by hand. Make sure you understand the implementation: PF is last match wins (the quick keyword stops evaluation on a match), IPFW is first match wins.
Say the requirements say "only DNS and NTP are allowed in on the WAN interface"; start there. Pretend you are a DNS packet hitting the WAN interface heading inbound. Make sure the rules let it pass. Now pretend you are an HTTPS packet inbound on the WAN; make sure it gets blocked.

That's the way I would start.
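The walk described above, as an added example that is not code from the original thread: a small Python script that parses a constructed, simplified `ipfw list` style ruleset and evaluates hypothetical packets against it first-match-wins, the way IPFW does, reporting which rule decided each packet. The ruleset, the packets and the subset of rule grammar accepted are assumptions made for the example; port ranges, `me`, tables and stateful keywords are not handled.

```python
import ipaddress
import re

# Constructed sample in `ipfw list` format (not a real client file): DNS and NTP
# are allowed in on the WAN (em0), loopback is open, everything else is denied.
RULESET = """
00100 allow udp from any to 203.0.113.10 53 in via em0
00110 allow udp from any to 203.0.113.10 123 in via em0
00200 allow ip from any to any via lo0
00300 deny ip from any to any in via em0
65535 deny ip from any to any
"""
# <num> <action> <proto> from <addr> [ports] to <addr> [ports] [in|out] [via <iface>]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\w+)\s+(\w+)\s+from\s+(\S+)(?:\s+([\d,]+))?"
                     r"\s+to\s+(\S+)(?:\s+([\d,]+))?(.*)$")

def parse_rule(line):
    """Parse one rule; addresses are 'any' or host/CIDR, ports a comma-separated list."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    num, action, proto, src, sp, dst, dp, rest = m.groups()
    src, dst = (None if a == "any" else ipaddress.ip_network(a, strict=False) for a in (src, dst))
    sp, dp = (None if p is None else {int(x) for x in p.split(",")} for p in (sp, dp))
    opts = rest.split()
    return {"num": int(num), "action": action, "proto": proto,
            "src": src, "src_ports": sp, "dst": dst, "dst_ports": dp,
            "dir": next((o for o in opts if o in ("in", "out")), None),
            "iface": opts[opts.index("via") + 1] if "via" in opts else None}

def matches(r, pkt):
    """True only if every qualifier present on the rule matches the packet."""
    if r["proto"] not in ("ip", "all", pkt["proto"]):
        return False
    for side in ("src", "dst"):
        if r[side] is not None and ipaddress.ip_address(pkt[side]) not in r[side]:
            return False
        if r[side + "_ports"] is not None and pkt[side + "_port"] not in r[side + "_ports"]:
            return False
    return r["dir"] in (None, pkt["dir"]) and r["iface"] in (None, pkt["iface"])

def walk(text, pkt):
    """Return (action, rule number) of the first matching rule, as IPFW evaluates it."""
    rules = sorted((parse_rule(l) for l in text.splitlines() if l.strip()), key=lambda r: r["num"])
    return next(((r["action"], r["num"]) for r in rules if matches(r, pkt)), ("deny", None))

# Constructed packets for the "pretend you are a packet" walk: DNS in on the WAN, HTTPS in on the WAN.
DNS_IN = {"proto": "udp", "src": "198.51.100.7", "src_port": 40000,
          "dst": "203.0.113.10", "dst_port": 53, "dir": "in", "iface": "em0"}
HTTPS_IN = dict(DNS_IN, proto="tcp", dst_port=443)
```

`walk(RULESET, DNS_IN)` returns `('allow', 100)` and `walk(RULESET, HTTPS_IN)` returns `('deny', 300)`, so for every requirement you can see which rule let the packet through or stopped it, rather than just the final verdict.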
 