# filter on i-net iface
block in on $inet_if
pass in on $inet_if inet proto icmp to ( $inet_if )
pass in on $inet_if from { $admins } to ( $inet_if )
pass in on $inet_if inet proto tcp from any to ( $inet_if ) port ftp-data flags S/SA keep state \
( max-src-conn 5, max-src-conn-rate 16/5, overload <abusive_hosts> flush )
pass in on $inet_if inet proto tcp from any to ( $inet_if ) port ftp flags S/SA keep state \
( max-src-conn 5, max-src-conn-rate 16/5, overload <abusive_hosts> flush )
pass in on $inet_if inet proto tcp from any to ( $inet_if ) port ssh flags S/SA keep state \
( max-src-conn 5, max-src-conn-rate 2/5, overload <abusive_hosts> flush )
pass in on $inet_if inet proto tcp from any to ( $inet_if ) port smtp flags S/SA keep state
pass in on $inet_if inet proto udp from any to ($inet_if) port 53 flags S/SA keep state
pass in on $inet_if inet proto tcp from any to ($inet_if) port 53 flags S/SA keep state
pass in on $inet_if inet proto tcp from any to ( $inet_if ) port pop3 flags S/SA keep state
pass in on $inet_if inet proto { tcp udp } from any to ( $inet_if ) port domain flags S/SA keep state
pass in on $inet_if inet proto tcp from any to ( $inet_if ) port pptp flags S/SA keep state
pass in on $inet_if inet proto tcp from any to ( $inet_if ) port 65535 flags S/SA keep state
pass in on $inet_if inet proto gre from any to ( $inet_if )
pass out on $inet_if keep state
Добавь правило, разрешающее днс.