I’ve made some sense of your Global Rules, as you initially posted them. I’ve not tried to follow up on changes since.
What follows is based on the appearance that the PS3 needs to be a DMZ host. If that’s not true, then the following is good for a fright, and that’s about it.
For the PS3 to appear as a DMZ host, it means there can’t be any Global Rules. All traffic has to pass, and the ICS host is providing network address translation.
This is kind of security insanity. But it seems it’s the only way for the PS3 to be contacted by direct connection from the Internet, just like a DMZ host would be accessible. And it means that you have absolutely got to lock down your ICS host, and your LAN hosts.
Because the PS3 isn't running any kind of application on your ICS host, you'll need CFP to have Application Rules to do the lockdown of the ICS host. If you aren't careful, then your ICS host will get compromised. Those network probes will likely find something on the next round of Microsoft patches this month or next month or whenever. It makes for a fragile security model on your ICS host, which may take a lot of continuing tinkering.
All other LAN PCs will need to be armored, just like they're exposed to the Internet. Because they are. The only thing the ICS host is providing is network address translation, and maybe LAN-wide boot-time DHCP services.
The alternative to this is a router/NAT box. I'm much more comfortable with this, as it is more robust against mistakes. The LAN configuration goes like this:
    Internet -- bridge -- router/NAT +---- ICS host ----- other PCs
                                     |
                                     +---- PS3 as a DMZ host from the router
This way the ICS host is providing front-end security to the other LAN PCs and is itself protected from the Internet. CFP running on the ICS host can actually protect things in this setup.