Make sure that your public web server is not placed
inside your firewall. The public web server should be placed outside of the
firewall, preferably in a so-called DMZ (demilitarized zone). The same goes
for the mail server and anything else that you can connect to from the
Internet (it is common to use a proxy for mail
traffic as well, but that is a bit out of scope for this guide).
If your firewall does not include support for a DMZ, you
can create one with two firewalls in series. The area between the two firewalls
is your demilitarized zone.
Ideally you should have a separate DMZ for each
application server that is reachable from the Internet.
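
The layout above written out as a forward policy, as an added example that is not part of the original guide: an nftables ruleset for a single Linux firewall with one DMZ interface per public server. The choice of nftables, the interface names, the addresses and the admitted ports are assumptions made for illustration.

```nftables
# Added example: forwarding policy for a firewall with a separate DMZ per
# public server. Only routed (forwarded) traffic is covered here; traffic to
# the firewall itself needs its own input chain.
# All names and addresses below are constructed placeholders.

define WAN     = "wan0"        # Internet uplink (assumed interface name)
define LAN     = "lan0"        # corporate network (assumed interface name)
define DMZ_WEB = "dmz0"        # DMZ that holds only the web server
define DMZ_MX  = "dmz1"        # DMZ that holds only the mail server
define WEB_SRV = 192.0.2.10    # documentation-range address, constructed
define MX_SRV  = 192.0.2.26    # documentation-range address, constructed

table inet dmz_fw {
    chain forward {
        # Default deny: anything not listed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that one of the rules below admitted.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published service of each server.
        iifname $WAN oifname $DMZ_WEB ip daddr $WEB_SRV tcp dport { 80, 443 } accept
        iifname $WAN oifname $DMZ_MX  ip daddr $MX_SRV  tcp dport 25 accept

        # Corporate network -> DMZ: the service plus SSH for administration
        # (assumed), always initiated from the inside.
        iifname $LAN oifname $DMZ_WEB ip daddr $WEB_SRV tcp dport { 22, 80, 443 } accept
        iifname $LAN oifname $DMZ_MX  ip daddr $MX_SRV  tcp dport { 22, 25 } accept

        # Corporate network -> Internet.
        iifname $LAN oifname $WAN accept

        # The mail server delivers outbound mail; the web server gets no
        # outbound rule at all.
        iifname $DMZ_MX oifname $WAN ip saddr $MX_SRV tcp dport 25 accept

        # No rule admits WAN -> LAN, DMZ -> LAN or DMZ <-> DMZ, so the policy
        # drops them. New connections from a DMZ towards the corporate
        # network are logged first, since they should never occur.
        iifname { $DMZ_WEB, $DMZ_MX } oifname $LAN log prefix "dmz-to-lan " drop
    }
}
```

The ruleset can be syntax-checked without loading it by running `nft -c -f` on the file.
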
Also, consider the DMZ hostile territory. Assume that
anything on the Internet will be able to get in there. Your firewall should
protect your network from the DMZ just as well as it protects it from the
Internet. Don't open up a lot of ports between the DMZ and the corporate