
pf firewall rules, dns lookup not working



Hey all, having trouble with a pf firewall rule (maybe someone can 
help).  I'm running OpenBSD 3.0 (first time running open) and have 
gotten the firewall to work, tested, etc.  Now I'm building some more 
advanced rulesets, and I'm having trouble resolving DNS names, yet the 
rules seem sound to me.  Any ideas, anyone?  (At the bottom are the DNS 
rules; notice I'm using keep state so I don't have to add the reverse 
rules.)  If I specifically add rules for both directions for DNS it 
works, but keep state doesn't!?!  Apologies if there is another 
discussion forum for this that I should be using.  And yes, I've read a 
few howtos and the pf.conf man page... from what I've read this is 
kosher.

ext_if = "fxp0"
int_if = "fxp1"
network_ips = "204.112.112.0/24"
dns_servers = "{ 142.77.1.1/32 }"

#Block all by default
block in on $ext_if all
block in on $int_if all

#Block outgoing spoofs (typical DoS)
block in quick on $int_if from ! $network_ips to any

#Block any RFC1918 and other garbage addresses (anti-spoof stuff)
block in log quick from 192.168.0.0/16 to any
block in log quick from 172.16.0.0/12 to any
block in log quick from 10.0.0.0/8 to any
block in log quick from 127.0.0.0/8 to any
block in log quick from 0.0.0.0/8 to any
block in log quick from 169.254.0.0/16 to any
block in log quick from 224.0.0.0/3 to any
block in log quick from 204.152.64.0/23 to any

#Block our external IP's on incoming interface
block in log quick on $ext_if from 204.225.62.0/24 to any

#Normalize all incoming traffic
scrub in on $ext_if all

#Allow DNS lookups
pass in quick on $int_if proto udp from $network_ips to $dns_servers port 53 keep state
pass in quick on $int_if proto tcp from $network_ips to $dns_servers port 53 flags S keep state

-- 
Jason Hammerschmidt - direct: 416.643.8560
"Whatever you do will be insignificant, but it is very important that
you do it."  --Mahatma Gandhi
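As an added illustration (constructed for this thread, not code from the post or from OpenBSD), a small Python model of pf's evaluation order run over the inbound rules quoted above: a packet that matches an existing state entry is passed before the ruleset is consulted, and otherwise the last matching rule wins unless a matching rule says quick. It assumes floating states (not bound to the creating interface) and ignores scrub, log and TCP flags, so it shows the behaviour the poster is counting on rather than diagnosing the 3.0-specific failure.

```python
# Tiny model of pf's evaluation order, applied to the ruleset posted above.
# Assumptions (constructed example, not OpenBSD code): a packet matching an
# existing state is passed before the ruleset is consulted; otherwise the LAST
# matching rule wins unless a matching rule says 'quick'; states are floating
# (not bound to the creating interface). 'scrub', 'log' and TCP flags are
# ignored.
from ipaddress import ip_address, ip_network

def rule(action, iface=None, proto=None, src="0.0.0.0/0", src_neg=False,
         dst="0.0.0.0/0", dport=None, quick=False, keep_state=False):
    return dict(action=action, iface=iface, proto=proto, src=ip_network(src),
                src_neg=src_neg, dst=ip_network(dst), dport=dport,
                quick=quick, keep_state=keep_state)

# Inbound rules from the post, macros expanded, in the order written.
BOGONS = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.0/8",
          "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3", "204.152.64.0/23"]
RULES = ([rule("block", iface="fxp0"), rule("block", iface="fxp1"),
          rule("block", iface="fxp1", src="204.112.112.0/24", src_neg=True,
               quick=True)]
         + [rule("block", src=n, quick=True) for n in BOGONS]
         + [rule("block", iface="fxp0", src="204.225.62.0/24", quick=True),
            rule("pass", iface="fxp1", proto="udp", src="204.112.112.0/24",
                 dst="142.77.1.1/32", dport=53, quick=True, keep_state=True)])

def matches(r, pkt):
    """pkt is (iface, proto, src, sport, dst, dport)."""
    iface, proto, src, _, dst, dport = pkt
    return (r["iface"] in (None, iface) and r["proto"] in (None, proto)
            and (ip_address(src) in r["src"]) != r["src_neg"]
            and ip_address(dst) in r["dst"] and r["dport"] in (None, dport))

def filter_packet(pkt, states):
    """Return 'pass' or 'block'; states is a set of (proto, src, sport, dst, dport)."""
    iface, proto, src, sport, dst, dport = pkt
    key = (proto, src, sport, dst, dport)
    reply_key = (proto, dst, dport, src, sport)
    if key in states or reply_key in states:
        return "pass"                      # state lookup precedes the ruleset
    last = None
    for r in RULES:                        # last match wins, unless 'quick'
        if matches(r, pkt):
            last = r
            if r["quick"]:
                break
    if last is None:
        return "pass"                      # pf's default when nothing matches
    if last["action"] == "pass" and last["keep_state"]:
        states.add(key)                    # 'keep state' records the flow
    return last["action"]
```

Run the DNS query in on fxp1 first and the reply in on fxp0 second with one shared state set; with an empty state set the reply hits "block in on $ext_if all" instead.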