Hi

Your use-cases look ok.

If you're using a L7 firewall, i would filter based on application as much as possible and avoid using ports whenever it's possible. This will helps tweaking what traffic is really allowed because 1 port can transport multiple applications.

DMZ1 accesses internet, this is good but you might want to implement some additional security feature like IPS, Threat, URL filtering and limit what applications/ports are allowed. You don't want to have a wide open rules from dmz to internet.

DMZ2 won't have internet access but you might want to have specific accesses for updates (OSA, Packages...)

You should also allow inside users to internet. If you don't have any proxy, you'll leverage you're L7 firewall features or use a proxy if you have any so the proxy server will be the only one accessing internet.

You night want to have some rules between dmz1 to dmz2 (app/port specific rules) because your webserver might have its database located into dmz2 zone.

From outside to inside, sure you definitely want to drop the traffic except vpn. However you don't want your vpn users to access anything on the inside to any ports, you want to limit those accesses.

If you don't know the flow, you will open a larger rule, analyse the traffic and then restrict these accesses so you'll be able to enforce your security without impacting too much the business. I say too much because for sure when you're enforcing the security, you'll impact something even if it'll be something not important. The goal is to analyse so you can build yours rules in secure way.

Hope that clarifies a bit your question.