Default deny (aka block all)
Allow access from anywhere to DMZ hosts for certain services
Allow access from local net to DMZ, local net to anywhere port $client_out
Allow access from DMZ to anywhere for some services
Your task: test that this works and that valid traffic passes.
Also test traffic that should not be allowed, and make sure it is blocked.
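One way to express the four-point policy above as an OpenBSD pf.conf ruleset, as an added example that is not part of the original page. Interface names, networks, DMZ host addresses and the service lists are assumed values chosen for illustration.

```pf
# Added example, not from the original page: the policy above written as
# an OpenBSD pf.conf ruleset. Interface names, networks, DMZ host
# addresses and all service lists are assumed values; adjust to your site.
ext_if = "em0"          # towards the Internet
int_if = "em1"          # local net
dmz_if = "em2"          # DMZ
localnet = $int_if:network
dmz_net  = $dmz_if:network

# DMZ hosts and the services they publish (assumed addresses and ports)
webserver  = "192.0.2.10"
mailserver = "192.0.2.11"
webports   = "{ http, https }"
mailports  = "{ smtp, submission }"

# TCP ports local clients may reach anywhere (assumed list)
client_out = "{ ssh, domain, http, https, imaps, submission }"

# TCP services DMZ hosts may initiate towards anywhere (assumed list)
dmz_out = "{ domain, smtp, http, https }"

# Default deny: anything not explicitly passed below is dropped and logged
# to pflog0, which is how you confirm that the "should break" tests break.
block log all

# pass rules keep state, and the default state-policy is floating, so the
# matching packet leaving on another interface is passed by the state
# entry; no separate "pass out" rule is needed per flow.

# Allow access from anywhere to DMZ hosts for certain services
pass in on $ext_if proto tcp to $webserver  port $webports
pass in on $ext_if proto tcp to $mailserver port $mailports

# Allow access from local net to DMZ, local net to anywhere port $client_out
pass in on $int_if from $localnet to $dmz_net
pass in on $int_if proto tcp from $localnet to any port $client_out
pass in on $int_if proto udp from $localnet to any port domain

# Allow access from DMZ to anywhere for some services
pass in on $dmz_if proto tcp from $dmz_net to any port $dmz_out
pass in on $dmz_if proto udp from $dmz_net to any port domain

# Checking the result:
#   pfctl -nf /etc/pf.conf        parse only, catches syntax errors
#   pfctl -f /etc/pf.conf         load the ruleset
#   pfctl -sr                     show loaded rules; pfctl -ss shows states
#   tcpdump -n -e -ttt -i pflog0  watch what the default deny drops
```

Run the valid cases (a client on the local net reaching a DMZ web server, a DMZ host resolving DNS) and the invalid ones (an Internet host reaching a local-net address, a DMZ host opening ssh to the local net); every invalid attempt should show up on pflog0.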