Yeah, I found that out.
OK, so how can I define 'any external address'? Or 'any address via eth0'?
In shorewall I had a Zone called 'net'
I suppose I could put a DENY rule on the internal firewall for the DMZ subnet, but that's a bit fudgy.
And it doesn't protect any of the other subnets on the external firewall.
I can't create an object with all of my internal subnets and use it for an inverse match, because you can't have overlapping objects and I've already defined some single-IP objects for the various servers.
Thanks,
Jim.