All right, never mind, this solved it:

pass in quick on lo0 proto tcp from 192.168.1.34 to 192.168.1.35 port = 22 flags S keep state
block out quick on lo0 proto tcp/udp from 192.168.1.35 to 192.168.1.34 keep state keep frags