Hello,
I have a Draytek router for the internet. eBox is sitting inside my LAN. There is only 1 interface, wich is internal (so WAN is not selected).
I've set up my Draytek to put eBox as DMZ. All traffic is send to the eBox. I noticed that all my services/firewall rules are available from external networks, like the eBox remote admin page (port 443). In eBox, there is a rule specified that only internal network can access the remote admin page (port 443). I think this is because my router forwards to the eBox, looking like it's comming from the internal network, and exposing it to the whole world.