
3. Firewall Architecture

There are lots of ways to structure your network to protect your systems using a firewall.

If you have a dedicated connection to the Internet through a router, you could plug the router directly into your firewall system. Or you could go through a hub, which lets you place full-access servers outside your firewall.

You could set up some hard filtering rules in the router. However, the router may be owned by your ISP, so you may not have control of it. In that case you can ask your ISP to put in filters.

                  ________           __________
   _/\__/\_      | Router |         |          |          _______________
  |        |     | No     |  (DMZ)  | Firewall |  (LAN)  |               |
 / Internet \----|Filters |--(HUB)--|  System  |--(HUB)--| Workstation/s |
 \_  _  _  _/    |________|    |    |__________|         |_______________|
   \/ \/ \/                    |  
                           (Outside)    
                           (Server)

You may be using a dialup service like an ISDN line. In this case you might use a third network card to provide a filtered DMZ. This gives you full control over your Internet services and still separates them from your regular network.

                  __________
   _/\__/\_      |          |          _______________
  |        |     | Firewall |  (LAN)  |               |
 / Internet \----|  System  |--(HUB)--| Workstation/s |
 \_  _  _  _/    |__________|         |_______________|
   \/ \/ \/           |
                    (DMZ)
                    (HUB)

If you are not providing Internet services yourself but you do want to monitor where your users are going, you will want to use a proxy server. This can be integrated with the firewall.

                   __________
    _/\__/\_      | Proxy /  |          _______________
   |        |     | Firewall |  (LAN)  |               |
  / Internet \----|  System  |--(HUB)--| Workstation/s |
  \_  _  _  _/    |__________|         |_______________|
    \/ \/ \/  

You can put the proxy server on your LAN as well. In this case the firewall should have rules that allow only the proxy server to connect to the Internet, and only for the services it is providing. This way users can get to the Internet only through the proxy.

                  __________
   _/\__/\_      |          |          _______________
  |        |     | Firewall |  (LAN)  |               |
 / Internet \----|  System  |--(HUB)--| Workstation/s |
 \_  _  _  _/    |__________|    |    |_______________|
   \/ \/ \/                      |     ______________
                                 |    |              |
                                 +----| Proxy Server |
                                      |______________|
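The proxy-only policy from the paragraph above, written out as an added example that is not part of this HOWTO: a small first-match packet filter that lets only the proxy leave the LAN, only for the services it proxies, and logs every direct attempt a workstation makes, since such attempts usually mean a client is misconfigured or trying to get around the proxy. The LAN range, the proxy address and its service list are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple, Union

LAN = ip_network("192.168.1.0/24")       # assumed LAN range (constructed)
PROXY = ip_address("192.168.1.10")        # assumed proxy server on the LAN
PROXY_SERVICES = ("tcp/80", "tcp/443", "tcp/21")  # assumed services the proxy offers
Endpoint = Union[IPv4Address, IPv4Network, str]   # address, range, "any" or "internet"
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    src: Endpoint
    dst: Endpoint
    service: str   # "proto/port" or "any"
    action: str    # "ACCEPT" or "DROP"

def _match_endpoint(spec: Endpoint, addr: IPv4Address) -> bool:
    if spec == "any":
        return True
    if spec == "internet":                # anything not on our own LAN
        return addr not in LAN
    if isinstance(spec, IPv4Network):
        return addr in spec
    return addr == spec

def _match(rule: Rule, pkt: Packet) -> bool:
    svc_ok = rule.service in ("any", f"{pkt.proto}/{pkt.dport}")
    return (svc_ok and _match_endpoint(rule.src, ip_address(pkt.src))
            and _match_endpoint(rule.dst, ip_address(pkt.dst)))

# Forward chain, first match wins: only the proxy may leave the LAN, and only for
# the services it proxies. The last rule is the default deny for everything else.
FORWARD: List[Rule] = [Rule(PROXY, "internet", s, "ACCEPT") for s in PROXY_SERVICES]
FORWARD += [Rule(LAN, "internet", "any", "DROP"), Rule("any", "any", "any", "DROP")]

def filter_packet(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, log line). A dropped LAN-to-Internet packet is worth
    logging: a client is not using the proxy, or is trying to get around it."""
    rule = next(r for r in FORWARD if _match(r, pkt))   # the last rule always matches
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if rule.action == "DROP" and src in LAN and dst not in LAN:
        return "DROP", f"lan-direct-denied src={pkt.src} dst={pkt.dst} {pkt.proto}/{pkt.dport}"
    return rule.action, None
```

Return traffic for proxy connections is not modelled here; on a stateless filter that is a second rule set for the inbound direction.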

If you are going to run a service like YAHOO or maybe SlashDot, you may want to build your system with redundant routers and firewalls. (Check out the High Availability HowTo.)

By using round-robin DNS techniques or load-balancing application servers, you can create a 100% uptime service.

   _/\__/\_                                     _/\__/\_  
  |        |                                   |        | 
 /  ISP #1  \______                 (WAN)_____/ Partners \
 \_  _  _  _/      |                (HUB)     \_  _  _  _/
   \/ \/ \/        |               ___|____     \/ \/ \/  
                 __|___           |_______ |
   _/\__/\_     |_____ |         |        ||          ______
  |        |   |      ||  (DMZ)  |Firewall||  (LAN)  |      |
 /  ISP #2  \--|Router||--(HUB)--| System ||--(HUB)--| WS/s |
 \_  _  _  _/  |______|     |    |________|     |    |______|
   \/ \/ \/                 |         |         |     ______
                        (Outside)  (Shared)     |    |      |
                        (Server)   (Server)     +----|Proxy |
                                                     |______|

It is easy to let your network get out of hand. Keep control of every connection. It only takes a user with a modem to compromise your LAN.

