1.3.2

1.3.2  ::  Limit inbound Internet traffic to IP addresses within the DMZ.

This means to not use iptables to NAT public IPs to internal hosts outside of the DMZ.  If you do this – it creates a direct socket to the application from the internet, which is bad.