Oh, and just to add to the confusion:

I also have anti-IP-address-spoofing enabled in the kernel. This was also getting in the way, because my PPPoE DSL modem (the new external IP connection) loops internally to eth2. If I turn on the spoofing filter for eth2, this then prevents the LAN clients from talking with the external IPs of the firewall machine.

This led to the following kernel settings:
Code:

DSL_NIC=eth2    # the interface that faces the PPPoE DSL modem

# Enable(1) IP spoofing filters on every interface
for nic in /proc/sys/net/ipv4/conf/* ; do
    echo 0 > "$nic/accept_source_route"   # drop source-routed packets
    echo 1 > "$nic/rp_filter"             # reverse-path filter (anti-spoofing)
done
# The DSL nic *must* allow spoofing, so clear both the global flag and the per-nic flag
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > "/proc/sys/net/ipv4/conf/${DSL_NIC}/rp_filter"

Note that the last two lines were only necessary because I have a non-zero IP address assigned to the ${DSL_NIC} (eth2), so that I can access the management interface of the DSL modem itself. If instead I used 0.0.0.0 as the IP address (etc.), then I don't think the spoofing filter would have cared.

Whew!


Edited by mlord (11/11/2005 15:48)
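An added example, not part of mlord's post or script, that models how the kernel combines conf/all/rp_filter with conf/<nic>/rp_filter so you can check which interfaces are really still filtered before clearing the global flag on a live box. It assumes the rule documented in ip-sysctl.txt for current kernels (the larger of the two values is used) and, as an assumption about older kernels, an "and" mode in which both values had to be non-zero, which is the situation the post's "all" line is working around. The interface list is a constructed sample that mirrors the post's end state.

```shell
#!/bin/sh
# Added example, not mlord's script: model the effective rp_filter value
# per interface under two combining rules, so the effect of "echo 0 > all"
# is visible without touching /proc.

# effective_rp_filter MODE ALL_VALUE IF_VALUE -> prints the effective value
#   max: current kernels, larger of conf/all and conf/<nic> wins (documented rule)
#   and: assumed older behaviour, filtering only if both are non-zero
effective_rp_filter() {
    mode=$1; all=$2; ifv=$3
    case $mode in
        max) if [ "$all" -gt "$ifv" ]; then echo "$all"; else echo "$ifv"; fi ;;
        and) if [ "$all" -ne 0 ] && [ "$ifv" -ne 0 ]; then echo "$ifv"; else echo 0; fi ;;
        *)   echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Constructed sample of what the post's script leaves behind: every nic set
# to 1 by the loop, then conf/all and the DSL nic (eth2) forced back to 0.
SAMPLE_CONF="all=0
default=1
lo=1
eth0=1
eth1=1
eth2=0"

# report_rp_filter MODE -> one "<nic> <effective value>" line per real interface
report_rp_filter() {
    mode=$1
    all=$(printf '%s\n' "$SAMPLE_CONF" | sed -n 's/^all=//p')
    printf '%s\n' "$SAMPLE_CONF" | while IFS='=' read -r nic val; do
        case $nic in all|default) continue ;; esac   # pseudo-entries, not nics
        printf '%s %s\n' "$nic" "$(effective_rp_filter "$mode" "$all" "$val")"
    done
}

# count_filtered MODE -> how many interfaces still reject spoofed source addresses
count_filtered() {
    report_rp_filter "$1" | awk '$2 != 0 { n++ } END { print n + 0 }'
}

# Usage:
#   report_rp_filter max   # lo/eth0/eth1 still filtered, only eth2 open
#   report_rp_filter and   # nothing filtered once conf/all is 0
```

Under the "max" rule the post's script leaves the LAN-facing interfaces protected and opens only the DSL nic, which is the intended outcome; under the "and" rule clearing conf/all switches the filter off everywhere, so on such a kernel a separate anti-spoofing rule in the packet filter for the LAN interfaces is the thing to check.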