My current setup is a DSL modem/router, that's got wifi and stuff turned on. What I'd like to do is have a linux based firewall, directly connected to the internet(like through the modem, w/out NAT happening), then set up a router behind the firewall, internally. Is there a way to do this? Or do I need to have the firewall set to 192.168.x.x behind the modem, and then the internal NIC on this firewall be on the 10.x.x.x? Is it possible for the modem to just allow everything through, and have the external ip of the firewall be the one that our ISP gives us?

It's the modem/router that's the problem, right? Because it's actually two devices, the modem and the router. It sounds like you just want the modem function to work straight through to the linux firewall. You'd have to take this up with the device. I'm pretty sure this can't be done with my Netgear box, but maybe yours is different.

Can you afford another DSL modem (without a router)? Maybe this could be an internal PCI card? Then you could put that up front, then the firewall, then the old modem/router which you would be using as a switch and wireless access point (as long as it was happy in that role - it might demand a particular IP address for instance, or get upset that it wasn't connected directly to the internet).

It's an actiontec DSL modem/Router. I don't know about another modem, how much would that cost? We've got enough router's here that finding one wouldn't be a problem. I've looked at all the options, the only one that remotely looked like it'd work, is that you could turn off NAT, but then you have to set your own ip. Could I use NAT twice?

This is beyond me now, I'm sorry. I use our modem/router as the LAN firewall, because I'm still a bit prone to killing the server while messing about and don't understand routing enough to think I could do a better job than the hardware firewall. I'm sure there is plenty out there on this topic.

Does anyone else have another suggestion? I was going to use IPCop for the firewall, so as not to have to deal with all of that stuff, but if it's not possible, I don't know what I'm gonna end up doing...

My ADSL modem allows exactly this. It does the PPPoE thing and lets public IP thru (Siemens SpeedStream 4100). I'm running a FBSD box as firewall/router/webserver right after modem. It also does NAT and I do not have any additional routers on my net, only a switch. This is most flexible and reliable setup I could think of. I got pissed off when my Linksys router crashed regularly under load (overheating?)
In case your modem does not have this option you have to set in bridge mode and do PPPoE in your Linux firewall.

what does bridge mode mean? My router is currently set to get it's IP from PPoA, but there's a way to set it to Transparent Bridging (RFC1483 Bridged), is that what you mean?

Yes it is. See your modem manual before you switch it into bridge mode, make sure you know how to swich it back. In this mode you probably cannot access it any more over web interface.

oh, well that's not good. I'll have to check and get back to you. Is there a way to do it without bridging?

As I wrote, my modem can do it. If yours does not have this capability bridge mode is the only way.

how do PPPoA and PPPoE differ? Is there some reason linux won't support PPPoA? I know it can do PPPoE, but I've never heard of PPPoA until I started looking into this.

Same here
Found this one:PPPoA Architecture

You are possibly over-complicating this. Most of these modem/routers have basic firewall options which can be set or disabled as you desire. Thereafter it's purely a question of forwarding requests for a speicific port eg 80 for http. If you wish to add a more complex firewall such as ipcop then do so at this point. I run my own system like this. It is ideal because you can tune the firewall to filter out specific traffic

right, but then IPCop does NAT again, which means the addresses would be double translated. My router won't to static routing, and there's no way(as far as I know) to set the range of ip addresses, so I don't think I could set up a static IP, w/out having address conflicts. I can check again, but I'm pretty sure there's not an easy way to do this

Here is how it works; The modem/router NAT's the public address from the public ip-address given to a private address eg 192.168.1.0/24. The network card (eth0) on your router/firewall (ipcop) is set to pick up a lease from the modem router in this range. You assign an address on a different subnet to eth1 on the ipcop box eg 192.168.0.1. You can then assign addresses in this range to all the boxes attached to ipcop. If for example you have a box with the apache server at 192.168.0.2 then tell the modem/router to forward all requests for port 80 to 192.168.0.2. The ipcop box should be configured to allow requests on port 80 through.
In my setup my modem/router uses addresses in the range 10.0.0.0/16 and I have set an address of 10.0.0.10 to eth0. The gateway for my router box is the modem/router address 10.0.0.2 and then boxes behind the router box is the ip-address of eth1.