Instead of using Red Hat's old tools, I prefer to use more advanced tools such as Shorewall. The nice thing about these tools is that they quickly enable you to describe the security configuration that you want, and then the tool will issue the appropriate iptables commands to implement it correctly. It's simply a way to build a more-than-trivial firewall configuration quickly and accurately. It's a lot more sophisticated than some of the tools that are normally supplied with "distros."

Around here, we always use firewalls in addition to whatever firewall may be built into the routers. The outermost router filters some stuff, and each internal router filters the stuff passing through it, and each and every computer filters all of the stuff coming in or out. Recently we also finished rolling out VPN throughout our internal network, so that all of the computers now talk among themselves in cipher.
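
An added example, not part of the original post: a minimal Shorewall configuration for a single host that filters both inbound and outbound traffic, showing the kind of declarative description that Shorewall compiles into iptables rules. It assumes Shorewall 5 file formats; the interface name `eth0` and the admin subnet `192.0.2.0/24` are constructed placeholders.

```conf
# --- /etc/shorewall/zones ---
#ZONE   TYPE
fw      firewall            # the host itself
net     ipv4                # everything reachable through eth0

# --- /etc/shorewall/interfaces ---
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs,routefilter,logmartians

# --- /etc/shorewall/policy ---
# Default-deny in both directions; anything not matched in "rules"
# falls through to these policies and is logged at level "info".
#SOURCE DEST    POLICY  LOGLEVEL
$FW     net     REJECT  info
net     all     DROP    info
all     all     REJECT  info

# --- /etc/shorewall/rules ---
# Inbound: SSH only from the (placeholder) admin subnet, plus ping.
#ACTION         SOURCE              DEST
SSH(ACCEPT)     net:192.0.2.0/24    $FW
Ping(ACCEPT)    net                 $FW

# Outbound: only the services this host actually needs.
DNS(ACCEPT)     $FW                 net
NTP(ACCEPT)     $FW                 net
HTTP(ACCEPT)    $FW                 net
HTTPS(ACCEPT)   $FW                 net
```

Running `shorewall check` validates the files without touching the running ruleset, which is worth doing before applying a default-deny policy on a remote machine.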