Security Basics mailing list archives

Reasons for using an external firewall


From: "John P" <john () pmbbs demon co uk>
Date: Sun, 17 Nov 2002 23:10:04 -0000

I am about to set up two servers (one web, one DB) colocated in a
datacentre.

Both will be Linux or BSD boxes (haven't decided yet!) running Apache,
MySQL, DNS (bind/djbdns) and SMTP (probably qmail).

Previous networks I've set up have always used NAT or similar, necessitating a
dedicated firewall/NAT device, which has usually been a Linux box.

However in this setup, how much extra protection can an external firewall
give? The machines have to have open ports portforwarded through any
firewall (80/25/etc) and I assume would remain exploitable to buffer
overflows, bug exploits etc. I could restrict access to the other open
system ports and services by turning them off, using ipchains/ipfilter and
hosts.deny etc. DoS situations would be difficult to protect against even
with an external firewall.

What extra security will an external firewall actually provide? I suppose
other nice features like VPN, etc, but what else? It's quite a busy site, so
could ipfilter generate quite a lot of load, which could be shifted onto a
dedicated firewall?

Any tips or suggestions appreciated!

Cheers
John
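As an added example (not part of John's post or the list archive), here is the host-level restriction he mentions written out as an ipchains rule generator for the two colocated machines; the addresses are constructed placeholders, and the script only prints the rules rather than applying them, so it can be reviewed first.

```shell
#!/bin/sh
# Added example: default-deny ipchains rule sets for a web host and a DB host.
# Addresses are constructed placeholders, not real ones.
WEB_IP="192.0.2.10"   # constructed: public address of the web server
DB_IP="192.0.2.11"    # constructed: public address of the DB server

# gen_rules ROLE -> prints the ipchains commands for that host on stdout
gen_rules() {
    role="$1"
    echo "ipchains -F input"
    echo "ipchains -P input DENY"             # default deny on the input chain
    echo "ipchains -A input -i lo -j ACCEPT"  # loopback traffic is always local
    # ipchains is stateless: the classic idiom for letting replies to our own
    # outbound connections back in is to accept TCP segments that are not
    # SYN-only (! -y). A stateful filter in front of the hosts avoids this
    # blanket rule, which is one concrete thing a dedicated firewall adds.
    echo "ipchains -A input -p tcp ! -y -j ACCEPT"
    case "$role" in
        web)
            echo "ipchains -A input -p tcp -d $WEB_IP 80 -j ACCEPT"   # HTTP
            echo "ipchains -A input -p tcp -d $WEB_IP 25 -j ACCEPT"   # SMTP
            echo "ipchains -A input -p udp -d $WEB_IP 53 -j ACCEPT"   # DNS
            echo "ipchains -A input -p tcp -d $WEB_IP 53 -j ACCEPT"
            ;;
        db)
            # MySQL reachable only from the web server, never from the Internet
            echo "ipchains -A input -p tcp -s $WEB_IP -d $DB_IP 3306 -j ACCEPT"
            echo "ipchains -A input -p tcp -d $DB_IP 25 -j ACCEPT"    # SMTP
            ;;
        *)
            echo "usage: gen_rules web|db" >&2
            return 1
            ;;
    esac
    # Log whatever is left (-l) before the default policy drops it, so the
    # host's own logs show what the filter is rejecting.
    echo "ipchains -A input -l -j DENY"
}

gen_rules web
gen_rules db
```

Piping the output into a shell on the respective host applies it; keeping the DB rules separate from the web rules is what stops a compromise of the web server's listening services from automatically meaning open access to 3306 from anywhere.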

