I recommend you check out this thread in the DSLR security forum: http://www.dslreports.com/forum/remark,3811047~root=security,1~mode=flat #3811047
If you have any questions after viewing that, let me know.

In short though, I suggest not using public IPs for your DMZ and/or Intranet. If you are using Linux's 2.4 kernel and IPTABLES you can easily implement NAT and have private address ranges for those networks. This way, NAT stops all incoming requests from your DMZ to your internal network just as it stops all incoming requests from the Internet to your DMZ. The key is having to specifically allow those connections in, which is preferable to having them go through by default. When you combine this with solid packet filtering you are heading down the right path.

I strongly suggest Astaro for you also. The sheer number of features in that product is mind-boggling. http://www.astaro.com

Again, let me know if you have any other questions. I will try to help if I can.
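The layout described in the post, written out as an iptables ruleset. This is an added example, not part of the original post; the interface names, private ranges and the single published web server are assumptions chosen for illustration.

```shell
#!/bin/sh
# Three-legged firewall (Internet / DMZ / LAN) in iptables-restore format.
# All names and addresses below are constructed for this example.
WAN_IF=eth0; DMZ_IF=eth1; LAN_IF=eth2
DMZ_NET=192.168.10.0/24; LAN_NET=192.168.20.0/24
DMZ_WEB=192.168.10.10

gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound: only this one service is published into the DMZ.
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB:80
# Outbound: private ranges leave behind the firewall's public address.
-A POSTROUTING -o $WAN_IF -s $DMZ_NET -j MASQUERADE
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet -> DMZ: the published web server and nothing else.
-A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $DMZ_WEB --dport 80 -m state --state NEW -j ACCEPT
# LAN may open connections outward and into the DMZ.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# DMZ may open connections to the Internet only.
-A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_NET -m state --state NEW -j ACCEPT
# DMZ -> LAN has no ACCEPT rule, so the DROP policy applies; log the attempt.
-A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ->LAN drop: "
COMMIT
EOF
}

# Prints the ruleset by default; "apply" loads it (root required).
if [ "${1:-}" = "apply" ]; then
    gen_rules | iptables-restore
elif [ "${1:-}" = "print" ]; then
    gen_rules
fi
```

The INPUT policy here drops everything addressed to the firewall itself, so add a rule for your management access before running it with `apply` on a remote box.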