Added
$cmd allow udp from any to me 53 in via $pif
$cmd allow udp from any 53 to me in via $pif
and it worked!

Not in your particular case.
The left ports do not shine out, there are no routing / nata tasks, limiting anything (syn, tcp-sessions, etc) also does not make sense, because in any attack, your router / channel will die first (s), you are not going to collect the stat.
If you want to experiment in the future, networks inside the server or external ones (for example, VPN) are expected, then you can configure "for the future". You can take some basic rules somewhere to build on.
p.s. I would tweak to better explore networks in general. You can connect your server directly to the Internet, and the router is already on a different network connection (even better - raise vlanes on the router to skip the Internet, if it can do this, the topology will be more interesting). Then, firstly, you will have a sense in the firewall, and secondly, you will be able to take on its responsibilities for natu. Raise virtualization inside the server (separately for the database, for the site, a couple of nginx to proxy the request, DNS also so that the zone is local for virtual machines) so that additional networks appear, then you can even do some kind of routing. You can accelerate to dynamic routing already, swing the skill.

Yes