Ipfw ruleset check

[Derrick Ryalls]

I have a 4.9 router that I decided I want to have a meaningful firewall
with, so I have modified a copy of rc.firewall and would like someone to
point out if I am doing something monumentally stupid.

I want to allow all from within my network, but only let in a few from
the internet:

DNS
Email/imap-ssl(pop3-ssl in future)
Ssh
WWW

And whatever natd redirects I have (remote desktop mainly).  I
definitely want to protect mysqld and only allow it from localhost or
inside network.

Here is what I have come up with so far (kernel built with default to
deny):

        setup_loopback

        # set these to your network and netmask and ip
        net="192.168.1.0"
        mask="255.255.255.0"
        ip="192.168.1.1"

        # Allow any traffic to or from my own net.
        ${fwcmd} add pass all from ${ip} to ${net}:${mask}
        ${fwcmd} add pass all from ${net}:${mask} to ${ip}

        # Allow all out the world
        ${fwcmd} add pass all from ${ip} to any keep-state

        # Allow DNS queries out or in the world
        ${fwcmd} add pass all from any to any 53 keep-state

        # Allow email out or in the world
        ${fwcmd} add pass all from any to any 25 keep-state

        # Allow imap-ssl out or in the world
        ${fwcmd} add pass all from any to any 993 keep-state

        # Allow ssh out or in the world
        ${fwcmd} add pass all from any to any 22 keep-state

        # Allow www out or in the world
        ${fwcmd} add pass all from any to any 80 keep-state

        # Allow MSTSC in the world
        ${fwcmd} add pass all from any to any 5001 keep-state


Any glaring mistakes on my part?

TIA

-Derrick