>> rule looks OK, but your message clearly suggest you DO NOT have IP >> forwarding enabled > > Interesting sysctl reports that forwarding is enabled: > > $ sysctl -a |grep forward > net.inet.ip.forwarding: 1 > it's not that. it's about routing, not ipfw forwarding you need IPFIREWALL_FORWARD option in kernel.