In the following I will concentrate on this setup: (The IP addresses are purely random. I just wanted to take public IPs. The subnetting is also totally wrong. It's just for the machines' sake!)
All right. What you want here is for the firewall not to trust the webserver at all, and vice versa. You can do this by setting IP filters on the firewall and by adding an entry to the firewall's hosts.deny file that disallows any connections from the webserver (and vice versa here again!).
A nice thing to do on the firewall is to answer ident requests with a RST packet: just send a RST whenever you are queried on port 113.
Something that happened to me when I was configuring OpenBSD with ipfilter as the packet filter: I denied all access from the DNS server to the firewall, which I thought made sense (and I still think it does). But at that moment, when I tried to log in via SSH, it took an awfully long time until I was in. Right you are, the reverse lookup failed. So make sure you either have an entry in the hosts file (and make sure resolv.conf lets you use the hosts file, just delete it), or make sure in some other way that DNS lookups can be made.
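
The three points above, put together as an ipfilter rule fragment for the firewall. This is an added example, not the author's configuration. The interface name `fxp0` and all addresses (taken from the 192.0.2.0/24 documentation range) are assumptions, since the addresses of the setup are not reproduced here.

```conf
# /etc/ipf.rules fragment for the firewall (added example, values are assumptions)
#   fxp0        interface facing the webserver and the DNS server
#   192.0.2.1   firewall
#   192.0.2.10  webserver
#   192.0.2.53  DNS server

# Ident: answer every query for port 113 with a TCP RST instead of
# dropping it silently, so the remote side does not wait for a timeout.
# It comes first and is "quick", so it also applies to the webserver.
block return-rst in quick proto tcp from any to any port = 113

# Let the firewall's own DNS queries out and keep state. The replies
# match the state entry, which is checked before the rules below, so
# reverse lookups (e.g. at SSH login) work although the DNS server
# itself may not open connections to the firewall.
pass out quick on fxp0 proto udp from 192.0.2.1 to 192.0.2.53 port = 53 keep state

# No trust: nothing initiated by the webserver or by the DNS server
# reaches the firewall itself.
block in quick on fxp0 from 192.0.2.10 to 192.0.2.1
block in quick on fxp0 from 192.0.2.53 to 192.0.2.1

# Matching TCP-wrapper entry in /etc/hosts.deny on the firewall:
#   ALL: 192.0.2.10
```

The webserver needs the mirror-image rules and a hosts.deny entry naming the firewall's address.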