List people,
Can somebody please explain to me the m0n0wall internal model in case
the DMZ is bridged with the WAN? I'm obviously missing something.
Let me show you what I have in terms of how I understand it (and I think
there's probably an error in my understanding, so please point it out to
me!):
WAN interface sits in net 123.34.1/24, bridged with DMZ interface. I'm
moving servers from the WAN to the DMZ (to subject them to the DMZ
filtering rules for outgoing and the WAN filtering rules for incoming
connections; that part works fine!).
LAN is 192.168.1/24 (straightforward NAT into 123.45.1/24, where the
m0n0wall sits on 123.45.1.2).
Firewall rules for all interfaces (DMZ, LAN, and WAN) essentially allow
all traffic to the entire 123.45.1/24 net.
I always imagined that as follows (and the model worked until I tried to
access services in the DMZ):
123.34.1/24: DMZ--rules>--[bridge]-----------+--<rules--WAN
                                             |
                                             |
192.168.1/24: LAN--rules>--[NAT>--123.45.1.2--+
Now if I have a server 123.45.1.3 and I put it in the WAN I can connect
to it from both LAN and DMZ fine, but as soon as I put it in the DMZ I
cannot connect to it from the LAN anymore. Connecting from WAN is, as
expected, no problem.
Apparently there is not really a single 123.45.1/24 with a filtering
bridge in the middle, because, while the bridge behaves as expected,
there's something odd with the way 123.45.1.2 (with the LAN netted
behind it) sits in that network. That part behaves asymmetrically
towards DMZ and WAN.
What's the real story?
--Bart