I have a block of 8 IP addresses supplied by my ISP, but no control over my WAN router (it's an ADSL line), and I wanted to subnet it with ASL to provide myself a DMZ. I used ASL's proxy-arp feature on the internet-facing interface to split my address range in two and so far this appears to have worked (mostly). The machine I have in the DMZ can be contacted from the outside world, the firewall itself, and my internal, NAT'd network. So far so good.
The problem is that whenever I want to get connections out of the machine in the DMZ, ASL's IP-SPOOFING rule drops the packets! This means my DMZ machine can't even contact the firewall's DNS proxy for host lookups :-(