To answer my own post:
> I'm contemplating using proxy arp as an alternative for the filtering
> bridge (which has issues with talking to the bridged network from
> within the LAN). Then, I'll be routing packets instead of bridging
> them, and they will still be subject to the filtering rules. Right?
Ok, this is not going to work either. I can tell the WAN side of
m0n0wall to pretend to "be" (arp-wise) the boxes in the DMZ so any hosts
in the WAN will direct packets for these boxes to m0n0wall, but I cannot
make the DMZ interface of m0n0wall do proxy-arp for the default gateway
in the WAN, so the DMZ boxes can't find their default gateway. This is
only possible if I bridge the DMZ with the WAN. So, proxy-arp cannot be
an alternative to bridging in this situation.
Is the fact that the LAN can't talk to the boxes in the DMZ (when the
DMZ is bridged with the WAN) regarded as a flaw/bug in the FreeBSD
bridging code and, as such, eligible for fixing? I only know that Bruce
said that it would be very hard to fix, but I'm not sure what he meant.
Maybe there is a fundamental reason why this isn't even *supposed* to
work, in which case maybe m0n0wall itself should provide a workaround or
fix...?
--B