As mentioned in my other posts, I run a stand-alone FC-5 box. It's located in the DMZ area on a spur of a large network.

I'm thinking of obtaining a small router/firewall of some kind and adding it as a security measure. I would assign it my static IP, and have it forward requests bound for ports 80, 22, and 25 to the server. (Those are the only 3 that I want open to the outside world.)

Question. Do you see any advantages or disadvantages to a scheme like that? One advantage I see is that by adding a hardware firewall, it would make absolutely sure only those ports were open. Any drawbacks?

It's kind of double insurance and does work. I have a firewall on my adsl/modem router and a separate more sophisticated one on the server. The router firewall does a very good job and I can then fine tune exclusions such a s abusive ip addresses on the server firewall.

Which model do you recommend for me and how much can I expect to pay? Remember, all I need is a basic firewall device that will prevent banned IP's from reaching the box. There will be only one machine (the server) attached.

Preferably something with an easy-to-use terminal program that will let me type in those addresses via remote access.

One solution would be an old laptop with a couple of pcmcia nics. This would give you a full-blown Linux system (much more flexible than the firmware in a router), a built-in UPS etc. A 486 would suffice, the only snag would be getting sufficient ram (4mb would be tight (but usable with some tweaking), 8mb would be doable, 12mb should be very comfortable, any more than 16mb would probably be overkill for a small dedicated firewall). Should be cheaper than a hardware router too.

Following on ioerror there is a Linux based version available called coyotelinux that would do this very well on 486 + boxes.