I'm unclear about the firewall functionality on 1.32:
It says, and I think I do understand, "Rules are evaluated on a
first-match basis (i.e. the action of the first rule to match a packet
will be executed). This means that if you use block rules, you'll have
to pay attention to the rule order. Everything that isn't explicitly
passed is blocked by default."
So, in order to block my DMZ (172.16.1.0/24) properly, I need to allow
'all', and then gradually remove the other networks. (I had discussed
earlier, that unfortunately, there is no way to allow WAN instead.)
This works.
In order, however, to access the DNS proxy on m0n0wall (172.16.1.200), I
need to open it up for TCP/UDP on port 53. This is what I do. And I do
it before I block access to m0n0wall from the DMZ.
# User-defined rules follow
pass in quick proto tcp from any to 172.16.1.100 port = 80 keep state group 200
pass in quick proto tcp from any to 172.16.1.100 port = 25 keep state group 200
pass in quick proto tcp from any to 172.16.1.100 port = 22 keep state group 200
pass in quick from 192.168.116.0/24 to any keep state group 400
block in quick from any to 192.168.1.0/24 group 300
block in quick from any to 192.168.116.0/24 group 300
pass in quick proto tcp/udp from 172.16.1.0/24 port = 53 to 172.16.1.200 port = 53 keep state group 300
block in quick from 172.16.1.0/24 to 172.16.1.0/24 group 300
block in quick from any to 10.10.10.0/24 group 300
pass in quick from 172.16.1.0/24 to any keep state group 300
pass in quick from 192.168.1.0/24 to any keep state group 100
But it doesn't do what I expected. It blocks DNS requests just the same.
DNS does work though, once I remove the line following the one that
opens port 53 ("block in quick from 172.16.1.0/24 to 172.16.1.0/24 group
300"). Following the logic of the statement above, the first line hit
should open port(s) 53.
Where is my mistake?
Uwe
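As an added illustration (not part of Uwe's post or m0n0wall's own code), a small Python first-match evaluator run over an excerpt of the posted rules. It shows why the port-53 rule is never the first match for a real query: the rule also pins the source port to 53, while a DNS client sends from an ephemeral port (assumed client 172.16.1.50, constructed source port 40000), so evaluation falls through to the next rule. The toy parser ignores "in quick", "keep state" and "group", which do not affect this matching.

```python
import ipaddress

# Constructed excerpt of the rules from the post, in the same ipf syntax, with
# the wrapped port-53 rule joined onto one line.
RULES = """
pass in quick proto tcp from any to 172.16.1.100 port = 80 keep state group 200
block in quick from any to 192.168.1.0/24 group 300
pass in quick proto tcp/udp from 172.16.1.0/24 port = 53 to 172.16.1.200 port = 53 keep state group 300
block in quick from 172.16.1.0/24 to 172.16.1.0/24 group 300
pass in quick from 172.16.1.0/24 to any keep state group 300
"""

def parse_rule(line):
    """Extract action, proto, from/to address and optional port from one rule."""
    toks = line.split()
    r = {"action": toks[0], "proto": None, "src": "any", "sport": None,
         "dst": "any", "dport": None}
    i = 1
    while i < len(toks):
        if toks[i] == "proto":
            r["proto"] = toks[i + 1].split("/"); i += 2
        elif toks[i] in ("from", "to"):
            key = "src" if toks[i] == "from" else "dst"
            r[key] = toks[i + 1]; i += 2
            if i + 2 < len(toks) and toks[i] == "port" and toks[i + 1] == "=":
                r["sport" if key == "src" else "dport"] = int(toks[i + 2]); i += 3
        else:
            i += 1  # in, quick, keep state, group N: not part of the match here
    return r

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def first_match(rules, proto, src, sport, dst, dport):
    """Return (action, rule) for the first rule matching the packet, else default deny."""
    for line in rules.strip().splitlines():
        r = parse_rule(line)
        if r["proto"] and proto not in r["proto"]:
            continue
        if not (addr_match(r["src"], src) and addr_match(r["dst"], dst)):
            continue
        if r["sport"] is not None and r["sport"] != sport:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], line
    return "block", "<default deny>"
```

Evaluating a UDP query from 172.16.1.50 port 40000 to 172.16.1.200 port 53 returns "block", matched by the "from 172.16.1.0/24 to 172.16.1.0/24" rule; only a packet whose source port is also 53 reaches the pass rule first.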