pf routing issue?
Ben Shelton
fbsd-pf at shelton.ca
Fri Mar 4 17:42:14 GMT 2005
Hi there,
I've been trying to convert a firewall for a site from ipfw to pf (under
FreeBSD). I had all the rules translated over to pf format and then
went ahead, took down ipfw, brought up pf and... nothing. Couldn't
connect to any services at all behind the firewall. After thinking I
must have screwed up some rule or something, I started cutting things
down to simple rules. I ended up with:
----
# begin rules
pass quick on lo0 all
# block by default
#block log # commented out only for testing - should work instead of the
# following two lines
block in all
block out all
pass in quick proto icmp from any to any keep state
pass out quick proto icmp from any to any keep state
pass in quick inet proto tcp from any to x.x.x.x keep state
#pass in quick inet proto tcp from any to any keep state # works
----
So the last 2 lines are completely odd. If I enable the first of them,
I cannot contact the x.x.x.x machine via tcp (http port, etc.) and a
tcpdump on the firewall's internal interface confirms that the packets
are not going through. ICMP works, however, according to the preceding
2 rules. If I enable the last rule, all tcp then works.
When I cannot connect, I get a "no route to host" error when attempting
to, for example, telnet to port 80. The funny thing is that if I change
the x.x.x.x rule to:
pass in quick inet proto tcp from any to any port 80 keep state
it ALSO doesn't work. It seems any specifier for destination address or
port screws everything up.
I am totally stumped. Can anyone offer any advice? I run a pf firewall
at home and don't have any issues at all. Then again, it's slightly
different at home with NAT and stuff. This one that's not working
should be even simpler - no NAT, routing from real internet addresses to
real internet addresses, etc.
As a note, this is a FreeBSD 5.3 on amd64 (Xeon EM64T) system. I don't
know if that might have something to do with it.
Any help is greatly appreciated.
Thanks,
Ben
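To reason about what the ruleset above should do on paper, here is a small added model of pf's rule evaluation (last matching rule wins, a matching `quick` rule ends evaluation, and state lookup happens before the rules). It is example code written for this archive page, not pf's own code and not from the poster; the redacted x.x.x.x is replaced by a constructed documentation address (192.0.2.10), the interface name em0 and all packets are made up, and the state table ignores interface and direction, which real pf tracks.

```python
from dataclasses import dataclass
from typing import Optional

# Ruleset from the post; x.x.x.x replaced by a constructed address (192.0.2.10).
RULESET = """
pass quick on lo0 all
block in all
block out all
pass in quick proto icmp from any to any keep state
pass out quick proto icmp from any to any keep state
pass in quick inet proto tcp from any to 192.0.2.10 keep state
"""

@dataclass
class Rule:
    action: str; direction: Optional[str]; quick: bool; iface: Optional[str]
    proto: Optional[str]; src: str; sport: Optional[int]; dst: str
    dport: Optional[int]; keep_state: bool; text: str

def parse_rule(line: str) -> Rule:
    """Parse the subset of pf.conf syntax used in the post (one rule per line)."""
    toks = line.split()
    action = toks.pop(0)
    direction = iface = proto = None
    quick = keep_state = False
    src = dst = "any"
    sport = dport = None
    while toks:
        t = toks.pop(0)
        if t in ("in", "out"):
            direction = t
        elif t == "quick":
            quick = True
        elif t in ("log", "inet", "all"):
            pass                       # log has no effect on the verdict; only IPv4 is modelled
        elif t == "on":
            iface = toks.pop(0)
        elif t == "proto":
            proto = toks.pop(0)
        elif t in ("from", "to"):
            addr = toks.pop(0)
            port = None
            if toks and toks[0] == "port":
                toks.pop(0); port = int(toks.pop(0))
            if t == "from": src, sport = addr, port
            else:           dst, dport = addr, port
        elif t == "keep" and toks and toks[0] == "state":
            toks.pop(0); keep_state = True
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return Rule(action, direction, quick, iface, proto, src, sport, dst, dport, keep_state, line)

def load_rules(text: str) -> list:
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())  # strip comments
    return [parse_rule(l) for l in lines if l]

def matches(rule: Rule, pkt: dict) -> bool:
    """True when every qualifier the rule carries agrees with the packet."""
    return ((rule.direction is None or rule.direction == pkt["dir"])
            and (rule.iface is None or rule.iface == pkt["iface"])
            and (rule.proto is None or rule.proto == pkt["proto"])
            and rule.src in ("any", pkt["src"]) and rule.dst in ("any", pkt["dst"])
            and (rule.sport is None or rule.sport == pkt.get("sport"))
            and (rule.dport is None or rule.dport == pkt.get("dport")))

def flow_key(p):    return (p["proto"], p["src"], p.get("sport"), p["dst"], p.get("dport"))
def reverse_key(p): return (p["proto"], p["dst"], p.get("dport"), p["src"], p.get("sport"))

def evaluate(rules: list, pkt: dict, state: set) -> tuple:
    """Return (verdict, reason): an existing state wins first; otherwise the LAST
    matching rule decides, unless a matching rule is 'quick', which stops evaluation."""
    if flow_key(pkt) in state or reverse_key(pkt) in state:
        return "pass", "state"
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        return "pass", "default"      # pf passes a packet that matches no rule at all
    if winner.action == "pass" and winner.keep_state:
        state.add(flow_key(pkt))      # later packets of this flow (both ways) match state
    return winner.action, winner.text

def pkt(d, iface, proto, src, dst, sport=None, dport=None) -> dict:
    return {"dir": d, "iface": iface, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport}

def run_example() -> dict:
    """Walk constructed packets through the post's ruleset; order matters for state."""
    rules, state = load_rules(RULESET), set()
    packets = {
        "loopback":       pkt("in",  "lo0", "tcp",  "127.0.0.1",    "127.0.0.1",    5000,  22),
        "icmp_in":        pkt("in",  "em0", "icmp", "198.51.100.5", "192.0.2.11"),
        "tcp_to_host":    pkt("in",  "em0", "tcp",  "198.51.100.5", "192.0.2.10",   40000, 80),
        "tcp_reply":      pkt("out", "em0", "tcp",  "192.0.2.10",   "198.51.100.5", 80,    40000),
        "tcp_other_host": pkt("in",  "em0", "tcp",  "198.51.100.5", "192.0.2.11",   40001, 80),
        "tcp_new_out":    pkt("out", "em0", "tcp",  "192.0.2.10",   "198.51.100.9", 50000, 443),
    }
    return {name: evaluate(rules, p, state) for name, p in packets.items()}

if __name__ == "__main__":
    for name, verdict in run_example().items():
        print(f"{name:15} {verdict[0]:5} via: {verdict[1]}")
```

Run as written, the model passes inbound TCP to 192.0.2.10, passes the reply through the state the `keep state` rule created, blocks inbound TCP to any other host and blocks new outbound TCP (there is no `pass out` rule for TCP in the ruleset). That is the behaviour the rules describe on paper; when the live firewall disagrees with it, the gap lies outside rule ordering, and the loaded rules and state table (`pfctl -sr`, `pfctl -ss`) are the first things to compare against the model.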