Topic: DMZ Howto

Hi all

I read the DMZ howto, but something occurred to me. A DMZ is not supposed to have any access to the LAN (besides the gateway), only to the WAN, right? (http://en.wikipedia.org/wiki/Demilitarized_zone_(computing))
So the iptables rule "iptables -A forwarding_rule -i vlan2 -o br0 -j ACCEPT" should be the other way around, "iptables -A forwarding_rule -i br0 -o vlan2 -j ACCEPT", in order to allow access to the DMZ VLAN and NOT allow the DMZ VLAN to access the LAN.

In my opinion it should look like this (in the /etc/firewall.user)

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
DMZ=$(nvram get dmz_ifname)

[...]

# DMZ hosts may reach the Internet
iptables -A forwarding_rule -i $DMZ -o $WAN -j ACCEPT
# LAN hosts may open connections into the DMZ
iptables -A forwarding_rule -i $LAN -o $DMZ -j ACCEPT
# DMZ hosts may only answer connections the LAN already opened
iptables -A forwarding_rule -i $DMZ -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT (not sure about this last one though)

Anyway, I am certainly new to this whole DMZ/iptables thing, so I might have misunderstood.

Any comments are welcome.
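To see what the rule direction actually changes, here is an added example (not from the post or the OpenWrt howto): a small model of the forwarding chain that reports the verdict for each interface pair and connection state, so a rule set can be checked before it is loaded on the router. It uses br0 and vlan2 as quoted in the post; vlan1 for the WAN and a DROP policy for anything unmatched are assumptions.

```python
# Added example: a tiny model of an iptables forwarding chain, used to check
# which interface pairs a DMZ rule set lets through before loading it.
from dataclasses import dataclass
from typing import Optional

# br0 (LAN bridge) and vlan2 (DMZ VLAN) as quoted in the post;
# vlan1 for the WAN is an assumed placeholder name.
WAN, LAN, DMZ = "vlan1", "br0", "vlan2"


@dataclass(frozen=True)
class Rule:
    in_if: Optional[str]          # -i  (None = any)
    out_if: Optional[str]         # -o  (None = any)
    states: Optional[frozenset]   # -m state --state A,B  (None = no state match)
    target: str                   # -j


def rule_matches(rule: Rule, in_if: str, out_if: str, state: str) -> bool:
    """A rule matches when every option it specifies agrees with the packet."""
    return (rule.in_if in (None, in_if)
            and rule.out_if in (None, out_if)
            and (rule.states is None or state in rule.states))


def forward_verdict(chain, in_if: str, out_if: str, state: str = "NEW") -> str:
    """First matching rule wins; assumed FORWARD policy is DROP otherwise."""
    for rule in chain:
        if rule_matches(rule, in_if, out_if, state):
            return rule.target
    return "DROP"


# The howto's rule as quoted in the post: DMZ -> LAN is allowed outright.
HOWTO_CHAIN = [Rule(DMZ, LAN, None, "ACCEPT")]

# The post's proposal: DMZ may reach the WAN, the LAN may open connections
# into the DMZ, and the DMZ may only answer connections the LAN opened.
PROPOSED_CHAIN = [
    Rule(DMZ, WAN, None, "ACCEPT"),
    Rule(LAN, DMZ, None, "ACCEPT"),
    Rule(DMZ, LAN, frozenset({"RELATED", "ESTABLISHED"}), "ACCEPT"),
]

if __name__ == "__main__":
    for name, chain in (("howto", HOWTO_CHAIN), ("proposed", PROPOSED_CHAIN)):
        for i, o, s in ((DMZ, LAN, "NEW"), (DMZ, LAN, "ESTABLISHED"),
                        (LAN, DMZ, "NEW"), (DMZ, WAN, "NEW")):
            print(f"{name:8} {i}->{o} {s:11} {forward_verdict(chain, i, o, s)}")
```

Running it shows the difference the post is pointing at: the quoted howto rule accepts a NEW connection from vlan2 to br0, while the proposed chain drops it and only accepts DMZ-to-LAN traffic that is RELATED or ESTABLISHED.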