Topic: DMZ Howto
I read the DMZ howto but something occurred to me. A DMZ is not supposed to have any access to the LAN (besides the gateway), only to the WAN, right? (http://en.wikipedia.org/wiki/Demilitarized_zone_(computing))
So the iptables rule "iptables -A forwarding_rule -i vlan2 -o br0 -j ACCEPT" should be the other way around, "iptables -A forwarding_rule -i br0 -o vlan2 -j ACCEPT", in order to allow access to the DMZ vlan and NOT allow the DMZ vlan to access the LAN.
In my opinion it should look like this (in /etc/firewall.user):
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
DMZ=$(nvram get dmz_ifname)
iptables -A forwarding_rule -i $DMZ -o $WAN -j ACCEPT
iptables -A forwarding_rule -i $LAN -o $DMZ -j ACCEPT
iptables -A forwarding_rule -i $DMZ -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT (not sure about this last one though)
Anyway, I am certainly new to this whole DMZ/iptables thing, so I might have misunderstood.
Any comments are welcome.
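To see which direction each rule set actually opens, here is an added example (not from the post or the howto): a minimal first-match evaluator for the -i/-o/--state matches used above, run against a few constructed flows. It assumes vlan2 is the DMZ interface and br0 the LAN, as the post reads the howto, and vlan1 as an assumed WAN name; the chain policy DROP stands in for whatever the rest of the FORWARD chain would do.

```python
"""First-match evaluator for the forwarding_rule lines discussed in the post."""
import shlex

def parse_rule(cmd):
    """Turn 'iptables -A chain [-i IN] [-o OUT] [-m state --state S] -j T' into a dict."""
    argv = shlex.split(cmd)
    rule = {"in": None, "out": None, "states": None, "target": None}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-i":
            rule["in"] = argv[i + 1]; i += 2
        elif tok == "-o":
            rule["out"] = argv[i + 1]; i += 2
        elif tok == "--state":
            rule["states"] = set(argv[i + 1].split(",")); i += 2
        elif tok == "-j":
            rule["target"] = argv[i + 1]; i += 2
        else:
            i += 1  # 'iptables', '-A', chain name, '-m state': nothing to match on
    return rule

def verdict(rules, in_if, out_if, state, policy="DROP"):
    """First matching rule wins, as in a netfilter chain; otherwise the policy applies."""
    for r in map(parse_rule, rules):
        if r["in"] not in (None, in_if) or r["out"] not in (None, out_if):
            continue
        if r["states"] is not None and state not in r["states"]:
            continue
        return r["target"]
    return policy

WAN, LAN, DMZ = "vlan1", "br0", "vlan2"   # assumed interface names (see lead-in)
HOWTO = [f"iptables -A forwarding_rule -i {DMZ} -o {LAN} -j ACCEPT"]  # rule the post questions
PROPOSED = [
    f"iptables -A forwarding_rule -i {DMZ} -o {WAN} -j ACCEPT",
    f"iptables -A forwarding_rule -i {LAN} -o {DMZ} -j ACCEPT",
    f"iptables -A forwarding_rule -i {DMZ} -o {LAN} -m state --state RELATED,ESTABLISHED -j ACCEPT",
]

def sample_verdicts(rules):
    """Verdict for each constructed flow: who initiates, and whether replies get back."""
    flows = {
        "dmz_to_lan_new": (DMZ, LAN, "NEW"),          # DMZ host opens a connection into the LAN
        "lan_to_dmz_new": (LAN, DMZ, "NEW"),          # LAN host opens a connection into the DMZ
        "dmz_to_lan_reply": (DMZ, LAN, "ESTABLISHED"),  # DMZ answering a LAN-initiated flow
        "dmz_to_wan_new": (DMZ, WAN, "NEW"),          # DMZ host going out to the Internet
    }
    return {name: verdict(rules, *flow) for name, flow in flows.items()}
```

Dropping the third rule (PROPOSED[:2]) makes the DMZ's replies to the LAN fall through to the policy, which is what the post's last rule is for; whether the surrounding FORWARD chain already accepts ESTABLISHED traffic before reaching forwarding_rule depends on the firewall script and is not modelled here.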