DMZ problem

Vadym Chepkov vchepkov at gmail.com
Thu Apr 12 04:23:45 UTC 2007


Hello everyone,

I earlier asked a question about Amanda and still haven't solved it, but it 
seems I have a bigger problem. I am obviously doing something wrong here; maybe 
by fixing this issue I will be able to fix that one as well.

I discovered my secondary DNS server, which is located outside of our 
network, is not able to transfer the zone file from the primary DNS server, 
which is located in our DMZ. My DMZ rules are built on "inverted" logic, 
since I want to limit access to it from all interfaces (we have many of 
them), so I don't want to duplicate "in" rules on all other interfaces for 
the DMZ.
I reduced my pf.conf to the bare minimum, and yes, if I disable pf, I am 
able to AXFR the zone right away.
This is the actual pf.conf that I am testing with, and it doesn't work. And 
what is very frustrating, pflog is silent. I don't see anything being dropped.

-----------------------------
dmz_if="em0"
wan_if="bge0"

set optimization normal
set block-policy return
set skip on lo
scrub in

block in log on $wan_if
pass out on $wan_if from { $wan_if $dmz_if:network } keep state
# DMZ has its own rules
pass in on $wan_if to $dmz_if:network

# SSH so I can login back
pass in quick on $wan_if proto tcp to port ssh flags S/SA keep state

# DMZ
block out log on $dmz_if
pass in on $dmz_if keep state
pass out quick on $dmz_if proto tcp to port domain flags S/SA keep state
pass out quick on $dmz_if proto udp to port domain keep state

--------------------------------


Could you tell me what is wrong with these rules, please?

Thank you,
Vadym Chepkov
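As an added example (not part of Vadym's message and not pf's own code), the following Python model walks the posted ruleset the way pf evaluates rules: the last matching rule wins, unless a matching rule carries `quick`, which ends the walk at once. It then traces the first two legs of an AXFR TCP handshake (the secondary's SYN, the primary's SYN-ACK) through both interfaces. The addresses (`192.0.2.0/24` as `$dmz_if:network`, `192.0.2.53` as the primary, `198.51.100.10` as the secondary, `203.0.113.1` as the bge0 address) are constructed; only the interface names and rule text come from the post. The model covers the stateless rule walk only: it does not model the state table lookup that pf performs before the rule walk, `scrub`, or TCP sequence and window tracking.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample addressing (not from the post). Only the interface
# names and the rule text are taken from the posted pf.conf.
DMZ_IF, WAN_IF = "em0", "bge0"
DMZ_NET = ip_network("192.0.2.0/24")           # $dmz_if:network
WAN_ADDR = ip_address("203.0.113.1")           # $wan_if (address of bge0)
PRIMARY_DNS = ip_address("192.0.2.53")         # primary DNS inside the DMZ
SECONDARY_DNS = ip_address("198.51.100.10")    # external secondary doing the AXFR


@dataclass
class Packet:
    direction: str          # "in" or "out" relative to the firewall
    iface: str
    proto: str              # "tcp" or "udp"
    src: IPv4Address
    dst: IPv4Address
    dport: int
    syn_only: bool = False  # TCP flags exactly SYN, which "flags S/SA" requires


@dataclass
class Rule:
    text: str               # the pf.conf line this rule models
    action: str             # "pass" or "block"
    direction: str
    iface: str
    quick: bool = False
    log: bool = False
    keep_state: bool = False
    proto: Optional[str] = None
    src: List[IPv4Network] = field(default_factory=list)  # empty list = any
    dst: List[IPv4Network] = field(default_factory=list)  # empty list = any
    dport: Optional[int] = None
    flags_s_sa: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction or self.iface != p.iface:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src and not any(p.src in n for n in self.src):
            return False
        if self.dst and not any(p.dst in n for n in self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.flags_s_sa and not (p.proto == "tcp" and p.syn_only):
            return False
        return True


# The posted ruleset, in order. "set ..." lines and "scrub in" are not filter rules.
RULES = [
    Rule("block in log on $wan_if", "block", "in", WAN_IF, log=True),
    Rule("pass out on $wan_if from { $wan_if $dmz_if:network } keep state",
         "pass", "out", WAN_IF, keep_state=True,
         src=[ip_network(f"{WAN_ADDR}/32"), DMZ_NET]),
    Rule("pass in on $wan_if to $dmz_if:network", "pass", "in", WAN_IF, dst=[DMZ_NET]),
    Rule("pass in quick on $wan_if proto tcp to port ssh flags S/SA keep state",
         "pass", "in", WAN_IF, quick=True, keep_state=True,
         proto="tcp", dport=22, flags_s_sa=True),
    Rule("block out log on $dmz_if", "block", "out", DMZ_IF, log=True),
    Rule("pass in on $dmz_if keep state", "pass", "in", DMZ_IF, keep_state=True),
    Rule("pass out quick on $dmz_if proto tcp to port domain flags S/SA keep state",
         "pass", "out", DMZ_IF, quick=True, keep_state=True,
         proto="tcp", dport=53, flags_s_sa=True),
    Rule("pass out quick on $dmz_if proto udp to port domain keep state",
         "pass", "out", DMZ_IF, quick=True, keep_state=True, proto="udp", dport=53),
]


def evaluate(p: Packet, rules: List[Rule] = RULES) -> Optional[Rule]:
    """pf's stateless rule walk: the LAST matching rule wins, unless a matching
    rule carries 'quick', which ends the walk immediately. Returns the winning
    rule, or None when nothing matched (pf then passes by default)."""
    winner = None
    for r in rules:
        if r.matches(p):
            winner = r
            if r.quick:
                break
    return winner


def decide(p: Packet) -> Tuple[str, bool, bool, str]:
    """(action, logged, creates_state, rule text) for one packet."""
    r = evaluate(p)
    if r is None:
        return ("pass", False, False, "<default pass>")
    return (r.action, r.log, r.keep_state, r.text)


def trace_axfr():
    """Walk the secondary's SYN (in on bge0, out on em0) and the primary's
    SYN-ACK (in on em0, out on bge0) through the rules.
    Returns a dict of step name -> decide() tuple."""
    syn = dict(proto="tcp", src=SECONDARY_DNS, dst=PRIMARY_DNS, dport=53, syn_only=True)
    synack = dict(proto="tcp", src=PRIMARY_DNS, dst=SECONDARY_DNS, dport=40000, syn_only=False)
    steps = {
        "syn_in_wan":     Packet("in",  WAN_IF, **syn),
        "syn_out_dmz":    Packet("out", DMZ_IF, **syn),
        "synack_in_dmz":  Packet("in",  DMZ_IF, **synack),
        "synack_out_wan": Packet("out", WAN_IF, **synack),
    }
    return {name: decide(p) for name, p in steps.items()}


if __name__ == "__main__":
    for name, (action, logged, state, text) in trace_axfr().items():
        print(f"{name:15} {action:5} log={logged!s:5} state={state!s:5} via: {text}")
```

Running the trace shows every leg of the handshake ending on a `pass` rule and none of them reaching either `block ... log` rule, which is consistent with an empty pflog: the stateless rule walk alone does not explain the failed transfer. It also makes visible that the inbound SYN on bge0 is passed by `pass in on $wan_if to $dmz_if:network` without `keep state`, while the outbound leg on em0 creates state; when debugging, `pfctl -ss` (the state table) and `pfctl -vsr` (per-rule counters) are where to look for what the walk cannot show.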


