Has the "local nat" patch (see the Linux netfilter mailing list archives) been applied to the kernel in ASL 3.2, I wonder? It will enable access to a DMZ web server via a firewall with transparent HTTP proxy turned on without needing a nameserver on the inside.