You currently have the following rules:

pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state
# pass out
pass out log

What's the point of these? Whenever the first rule would match, the second one would always override it, making the first one superfluous. Further, the first rule never matches, because the proxy isn't using $proxy=172.18.0.1 as source for outgoing connections (but the IP of $ext_if). The second rule matches, but doesn't have 'keep state', so the TCP handshake fails (SYN passes out, but the SYN+ACK reply is blocked). Hence, delete the first rule and add "keep state" to the second rule.

HTH,
Daniel
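The rule pair described in the reply above, with the fix applied, as an added pf.conf example that is not part of the original message. The macro values (interface em0, ports 80 and 443) are assumptions made so the fragment loads on its own; 172.18.0.1 is the $proxy value quoted in the reply. The comments spell out the two pf properties the reply relies on: last-match-wins evaluation (unless a rule carries "quick"), and the fact that a stateless "pass out" lets the SYN leave but gives the returning SYN+ACK nothing to match.

```pf
# Added example, not from the original thread. Macro values are assumptions.
ext_if         = "em0"
proxy          = "172.18.0.1"
proxy_services = "{ 80, 443 }"

# --- Before (the broken pair) ---
# Rule 1 never matches: the proxy's outbound connections leave with $ext_if's
# own address as source, not 172.18.0.1. Even if it did match, rule 2 comes
# later and would win, because pf takes the LAST matching rule unless an
# earlier rule says "quick".
pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state
# Rule 2 matches every outbound packet, but without "keep state" no state
# entry is created: the SYN goes out, and the SYN+ACK coming back is
# evaluated against the inbound rules and dropped there.
pass out log

# --- After (the fix from the reply) ---
# One stateful rule: the outbound SYN creates a state entry, the SYN+ACK is
# matched against that state, and no separate "pass in" rule is needed.
pass out log keep state
```

Before loading a change like this, dry-run the file with `pfctl -nf /etc/pf.conf` to catch syntax errors, then watch `pfctl -ss` to confirm a state entry appears when the proxy opens a connection. Two caveats a practitioner should know: on OpenBSD 4.1 and later (and the FreeBSD pf that tracks it), "pass" rules keep state by default, so the explicit "keep state" only matters on older pf versions; and on those older versions the usual form for TCP is "flags S/SA keep state", so that only the initial SYN, not a stray mid-stream packet, is allowed to create state.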