[J65nko]

DNS, or 'domain' usually uses UPD and hardly ever TCP.

For filtering TCP statefully you have to create state on the first packet of the TCP handshake. You do this with flags S/SA

Code:

pass in quick on $ext_if inet proto tcp from any to $ext_if port 25 \
                           flags S/SA keep state

On OpenBSD (flags S/SA) keep state has been the default for quite some time. Don't know whether that is also the default in FBSD 7.0.

BTW, in most cases you are better off to create separate rules for outgoing and incoming traffic. Just create TCP_OUT, TCP_IN, UDP_IN and UDP_OUT macro's for finer grained rules.