so it turns out I wasn't blocking 1e100.net; I didn't have the rules in the right order. then when I fixed that, it started connecting to another 1e100.net block, 173.194/16. blocked that, and now I can't reach gmail at all. I guess I just have to treat that as being Google.

