@McMurphy:
How can I config the DMZ fw rules to allow the subnet to access the WAN and nothing else?
To get this, you will need at least 2 rules.
First, you need a block rule on the DMZ interface blocking any protocol from source "DMZ net" to dest. "This firewall".
Second, create a pass rule, set the protocol to meet your needs, set source to "DMZ net" and at destination check "Invert match." and enter "LAN net".
Instead of LAN net, it is a good choice to add an alias containing all RFC 1918 subnets and enter it in the rule at dest. That way you will not have to edit this rule if you add further internal subnets.
Remember that the DMZ devices also need to access a DNS service. If this is running on your firewall or in the LAN you will also have to add an additional rule to permit this.
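
As an added illustration (not part of the reply above and not pfSense code), this Python sketch models the rules from the answer as a top-down, first-match list with an implicit default deny, which is how pfSense evaluates interface rules. All addresses are constructed, and placing the DNS pass rule above the block rule is an assumption of this model.

```python
import ipaddress as ip

# Constructed addressing for illustration (not from the thread).
DMZ_NET = ip.ip_network("192.168.50.0/24")
DNS_IP = ip.ip_address("192.168.50.1")            # resolver on the firewall's DMZ address
FIREWALL_IPS = {DNS_IP, ip.ip_address("192.168.1.1"),
                ip.ip_address("203.0.113.2")}     # "This firewall": DMZ, LAN and WAN addresses
RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_rfc1918(addr):
    return any(addr in net for net in RFC1918)


# DMZ interface rules, top-down: (action, protocols or None for any, dst test, dst port, label)
RULES = [
    ("pass", {"tcp", "udp"}, lambda d: d == DNS_IP, 53, "DNS to firewall"),
    ("block", None, lambda d: d in FIREWALL_IPS, None, "DMZ net -> This firewall"),
    ("pass", None, lambda d: not in_rfc1918(d), None, "DMZ net -> !RFC1918 alias"),
]


def evaluate(src, dst, proto, dport=None, rules=RULES):
    """Return (action, label) of the first matching rule; unmatched traffic is denied."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if src in DMZ_NET:                      # every rule uses source "DMZ net"
        for action, protos, dst_ok, port, label in rules:
            if protos is not None and proto not in protos:
                continue
            if port is not None and dport != port:
                continue
            if dst_ok(dst):
                return action, label
    return "block", "default deny"


if __name__ == "__main__":
    host = "192.168.50.10"
    for dst, proto, port in [("198.51.100.7", "tcp", 443), ("192.168.1.20", "tcp", 445),
                             ("192.168.50.1", "udp", 53), ("192.168.50.1", "tcp", 443),
                             ("203.0.113.2", "tcp", 443)]:
        print(dst, proto, port, evaluate(host, dst, proto, port))
    # Without the block rule, the firewall's public WAN address matches "!RFC1918".
    print(evaluate(host, "203.0.113.2", "tcp", 443, rules=[RULES[0], RULES[2]]))
```

The last call shows what the block rule is for: the firewall's WAN address is not an RFC 1918 address, so the inverted-match pass rule alone would let DMZ hosts reach it.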