I *believe* that my problem is a routing issue and not a filters issue.

I have a /25 network. I've set aside a /29 of it as a DMZ. I can reach the outside world from the DMZ (as allowed by rules), and I can reach the LAN from the DMZ (as allowed by some rules). I can reach the DMZ from the LAN (as allowed by some temporary testing rules). I cannot reach the DMZ from the WAN, even though I've opened up rules.

I do not think that I have a problem with rules for two reasons. Nothing is being logged as being blocked by any rules. Also, traceroute and lft (level four traceroute) all stop before I reach the m0n0wall.

xxx.xxx.xxx.1 is the ISP-provided router (a Cisco 1721) and xxx.xxx.xxx.2 is the WAN of the m0n0wall. The LAN side of the m0n0wall is 192.168.2.254. The DMZ of the m0n0 is xxx.xxx.xxx.8/29. I have a machine set up at xxx.xxx.xxx.9 using .8 as its default router. Again, it can reach both WAN and LAN, and LAN can reach it, but WAN can't reach it.

A traceroute from the WAN gets only as far as the Cisco 1721. Nothing reaches the m0n0wall.

Is my problem that I've made the DMZ a subnet of my net? Should I make it a private network? Any other ideas? I'm grasping at straws.

-j

--
Jeffrey Goldberg http://www.goldmark.org/jeff/