Subject: Re: named inside firewall
To: Henry Nelson <henry@irm.nara.kindai.ac.jp>
From: None <collver@softhome.net>
List: netbsd-help
Date: 12/13/2000 05:04:04
> I tend to think that my problem is that queries from inside the FW go out,
> but either are not able to get back into the name server, or the name
> server's response is not able to get out and/or back in, steps 2,3 or 4:
>
> internal client  == ns query ==>  FW ===\\   (step 1)
>                                         ||
> internal ns     <== ns query ==   FW ===//   (step 2)
>     | |
> internal ns      == ns reply ==>  FW ===\\   (step 3)
>                                         ||
> internal client <== ns reply ==   FW ===//   (step 4)

How about whipping out tcpdump to see what is currently happening?
In one terminal on the gateway 'tcpdump -n -i ep0 port 53' and on
another terminal 'tcpdump -n -i fxp0 port 53'.
Ben
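
Added example, not part of the original message: one way to read the two tcpdump captures suggested above is to match DNS query IDs across both interfaces and report the first of the four quoted steps that was never observed. The sample capture lines are constructed, and it is an assumption that ep0 faces the client and fxp0 faces the name server.

```python
import re

# One line of `tcpdump -n -i <if> port 53` text output:
#   <time> [IP] <src>.<port> > <dst>.<port>: <dns-id>[flags] <rest>
LINE = re.compile(r"^\S+ (?:IP6? )?\S+ > \S+: (\d+)\S* (.*)$")
COUNTS = re.compile(r"\b\d+/\d+/\d+\b")  # answer/authority/additional: replies only

def parse(capture):
    """Return {dns_id: {"query", "reply"}} for one interface's capture text."""
    seen = {}
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        dns_id, rest = m.groups()
        if COUNTS.search(rest):
            kind = "reply"
        elif "? " in rest:          # e.g. "A? www.example.com."
            kind = "query"
        else:
            continue
        seen.setdefault(dns_id, set()).add(kind)
    return seen

def first_missing_step(client_side, ns_side):
    """For each DNS id, the first step (1-4) of the diagram not observed, else None."""
    a, b = parse(client_side), parse(ns_side)
    result = {}
    for dns_id in sorted(set(a) | set(b), key=int):
        steps = ["query" in a.get(dns_id, ()), "query" in b.get(dns_id, ()),
                 "reply" in b.get(dns_id, ()), "reply" in a.get(dns_id, ())]
        result[dns_id] = next((n for n, ok in enumerate(steps, 1) if not ok), None)
    return result

# Constructed sample captures (not from the thread). Assumption: ep0 faces the
# client and fxp0 faces the name server; swap the arguments if it is the reverse.
EP0 = """\
05:04:04.100000 10.0.1.10.1025 > 10.0.2.2.53: 4001+ A? www.example.com. (33)
05:04:04.140000 10.0.2.2.53 > 10.0.1.10.1025: 4001 1/0/0 A 192.0.2.80 (49)
05:04:05.100000 10.0.1.10.1026 > 10.0.2.2.53: 4002+ A? ftp.example.com. (33)
05:04:06.100000 10.0.1.10.1027 > 10.0.2.2.53: 4003+ A? mail.example.com. (34)
"""
FXP0 = """\
05:04:04.110000 10.0.1.10.1025 > 10.0.2.2.53: 4001+ A? www.example.com. (33)
05:04:04.130000 10.0.2.2.53 > 10.0.1.10.1025: 4001 1/0/0 A 192.0.2.80 (49)
05:04:05.110000 10.0.1.10.1026 > 10.0.2.2.53: 4002+ A? ftp.example.com. (33)
05:04:05.130000 10.0.2.2.53 > 10.0.1.10.1026: 4002 1/0/0 A 192.0.2.21 (49)
"""

if __name__ == "__main__":
    for dns_id, step in first_missing_step(EP0, FXP0).items():
        print(dns_id, "complete" if step is None else f"step {step} not seen")
```

Matching is by DNS ID only, so it assumes the captures cover the same short window and that IDs are not reused within it.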