On Wed, 09 Feb 2005 01:35:26 -0500, Jesse Guardiani <jesse at wingnet dot net> wrote:
>
>
> I've created and tested this setup at least 2 times now. Each config
> takes between an hour and two hours to set up, debug, and test.
This is why I use the new teams feature in VMware 5 RC. Makes
replicating this stuff a billion times easier. A couple clicks and my
test m0n0wall virtual network was set up as needed.
I *could* replicate exactly what you're seeing. You're not crazy. ;)
Antispoofing rules are biting us in the ass here as well, though they
shouldn't apply to a bridged setup.
The line doing it is:
block in log quick in lnc2 from !1.1.1.0/24 to any
(1.1.1.0/24 is the subnet of the WAN interface, lnc2 is bridged DMZ interface)
As a workaround, add a (fake) static route on the DMZ interface to
the networks behind the bridge that aren't within the WAN subnet. The
route itself doesn't do anything since it's a bridge, but adding a
route adds exemptions for those networks to the antispoofing rules.
The reason it was working without an IP on the WAN is because then it
didn't add the antispoofing rules the same way, if at all.
Antispoofing rules shouldn't apply to a bridge though, since you won't
add routes for bridged networks. I'll send Manuel some better info on
this and hopefully get it resolved in some fashion other than adding
superfluous static routes.
-Chris
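An added model (not code from the post or from m0n0wall) of the behaviour Chris describes: IPFilter's first-match `quick` semantics applied to the antispoofing block rule, with one pass exemption per static route pointing out the interface, as the post says the route workaround produces. The host 10.0.0.5 and the network 10.0.0.0/24 are constructed stand-ins for a subnet behind the bridge; the exact way m0n0wall emits the exemptions is assumed, not taken from its source.

```python
"""Model of the m0n0wall/IPFilter antispoofing behaviour from the thread."""
import ipaddress


def parse_rule(line):
    """Parse the subset of IPFilter syntax used by the antispoof rule:
    '<action> in [log] quick on <iface> from [!]<net> to any'.
    The interface is taken as the token before 'from', so the post's
    'in lnc2' spelling parses the same as the usual 'on lnc2'."""
    tok = line.split()
    i = tok.index("from")
    src = tok[i + 1]
    return {"action": tok[0], "iface": tok[i - 1], "quick": "quick" in tok,
            "negate": src.startswith("!"),
            "src": ipaddress.ip_network(src.lstrip("!"))}


def antispoof_ruleset(block_rule, static_routes):
    """Assumed generator output: a 'pass quick' exemption for each static
    route pointing out the interface, evaluated before the block rule."""
    exempt = [{"action": "pass", "iface": block_rule["iface"], "quick": True,
               "negate": False, "src": ipaddress.ip_network(net)}
              for net in static_routes.get(block_rule["iface"], [])]
    return exempt + [block_rule]


def first_match(rules, iface, src_ip):
    """IPFilter 'quick' semantics: the first matching quick rule decides;
    'fallthrough' means the rest of the ruleset would be consulted."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["iface"] != iface:
            continue
        if rule["quick"] and (ip in rule["src"]) != rule["negate"]:
            return rule["action"]
    return "fallthrough"


# The rule quoted in the post: WAN subnet 1.1.1.0/24, bridged DMZ on lnc2.
RULE = parse_rule("block in log quick on lnc2 from !1.1.1.0/24 to any")


def verdict(src_ip, static_routes=None):
    """Fate of a packet entering lnc2 from src_ip, given the static routes."""
    return first_match(antispoof_ruleset(RULE, static_routes or {}), "lnc2", src_ip)


if __name__ == "__main__":
    print(verdict("10.0.0.5"))                              # block
    print(verdict("10.0.0.5", {"lnc2": ["10.0.0.0/24"]}))   # pass
```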