> "pass in on xl0 inet proto { tcp, udp } from any to any port 53"

Try:

pass in on xl0 inet proto {tcp, udp} from any to any port 53 keep state

"keep state" will mark packets for the stateful feature, allowing packets back (DNS response).

I block all TCP packets for port 53 because they are just for domain transfers. Really, I just pass it for my secondary DNS servers.

On my 3.1 system, "keep state" is not keeping state correctly, so I appended the following rule:

pass out on $EXT inet proto udp from any to any port 53 keep state

> Second question: ftp. I have seen different examples on how to treat ftp
> connections and the ftp-proxy. We need to have both incoming active+passive
> ftp and outgoing passive and again I'm unsure of how to treat ports >1023
> and 20.

Ports above 1024 are just for socket source ports, like your machine trying to connect to a web server. Take care about the destination port, usually well-known services (20, 21, 22, 25, 80, 110, 443, etc).

--
Hélio Alexandre Lopes Loureiro [[EMAIL PROTECTED]]
Regional Software Supply & Integration South America
Tel.: + 55 11 6224-1795
Public Key ID: FB5972D1@http://search.keyserver.net
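An added pf.conf fragment (not from this message or its author) that puts the rule set the reply describes side by side: the original stateless rule, the stateful UDP rule, TCP 53 logged and dropped except from the secondaries, and the extra outbound rule. The interface macro and the secondary name-server addresses are assumed placeholders.

```pf
# Added example, not the poster's pf.conf. 3.x-era syntax ("keep state" is
# explicit, secondaries are a macro list). Addresses below are constructed.
ext_if = "xl0"
secondary_dns = "{ 192.0.2.10, 192.0.2.11 }"

# Original stateless rule: replies are not tracked, so a separate inbound
# rule must let them back in, and TCP 53 (zone transfers) is open to anyone.
# pass in on $ext_if inet proto { tcp, udp } from any to any port 53

# Stateful UDP: the state entry matches the DNS reply, no wide-open
# return rule needed.
pass in on $ext_if inet proto udp from any to any port 53 keep state

# TCP 53 is normally only zone transfers: log and drop by default, and
# let the later (last-match) pass rule admit only the known secondaries.
# Caveat: this also drops legitimate TCP fallback for responses too large
# for UDP, so watch the log for unexpected sources.
block in log on $ext_if inet proto tcp from any to any port 53
pass in on $ext_if inet proto tcp from $secondary_dns to any port 53 \
    flags S/SA keep state

# Outbound queries from this host (the extra rule the reply adds for 3.1).
pass out on $ext_if inet proto udp from any to any port 53 keep state
```

Parse the file without loading it with `pfctl -nf /etc/pf.conf` before applying it.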
Try: pass in on xl0 inet proto {tcp, udp} from any to any port 53 keep state "keep state" will mark packets for stateful feature, allowing packets back (dns response). I block all tcp packet for port 53 because they are just for domains transfer. On really, I just pass it for my secondary dns servers. On my 3.1 system, "keep state" is not keeping state correctly, so I appended the following rule: pass out on $EXT inet proto udp from any to any port 53 keep state > Second question: ftp. I have seen different examples on how to treat ftp > connections and the ftp-proxy. We need to have both incoming active+passive > ftp and outgoing passive and again I'm unsure of how to treat ports >1023 > and 20. Ports above 1024 are just for socket source, like your machine trying to connect a web server. Take care about destination port, usually well know services (20, 21, 22, 25, 80, 110, 443, etc). -- Hélio Alexandre Lopes Loureiro [[EMAIL PROTECTED]] Regional Software Supply & Integration South America Tel.: + 55 11 6224-1795 Public Key ID: FB5972D1@http://search.keyserver.net