Adding a 'keep state' to the 'pass in' rules solved this problem. But I still do not understand why it didn't work before, because outgoing traffic was allowed with "pass out quick on ng0 from any to any keep state".

I'd really prefer to know what's going on there :) Any ideas?

thx,
jonas