I am setting up a Firewall/Proxy server for our church. Proxy is to provide a limited amount of web filtering. The two people who help me have very little to no experience with Linux of any kind so I am trying to set these up with a GUI interface available (will boot run level 3) for them. I admin AIX but also use SuSE and Red Hat. My questions are:
A) Which type of Linux will best meet these requirements. I am not limited to the above types. I am looking for simple and easy to install and easy for those helping me to manage.
B) With limited exposure is there any extreme risk to not do both the firewall and proxy on the same server.
C) I plan to use iptables for firewall. Suggestions for a good GUI interface to this?
D) I plan to use DansGuardian for the proxy. Thoughts/suggestions/am I crazy for doing this?

Thanks in advance for the help.

Given the fact you have others involved with little/no linux experience it might be wise to use a mini-distro specifically designed to provide these services, instead.

WebGUI-based administration, relatively easy proxy configuration, and the ability to perform a complete restoration from backup in the event of hardware failure are all possible with many of these distro's.

IPCop (http://ipcop.sourceforge.net) is one of the most popular and easiest-to-use freely-available linux-based firewall distro's. It's a very reliable and stable iptables-based solution, and can be configured to work with DansGuardian as well. It's a great setup--I really recommend you check it out.

I was a long-time IPCop user, but now implement a few other solutions in clients' offices, depending on their requirements.

pfSense (http://www.pfsense.org) is a FreeBSD-based firewall platform which is a fork of the m0n0wall project. It provides some pretty advanced features, including failover between multiple machines, and the ability to run from a bootable CD with a configuration saved on a USB key (great for non-proxy setups where no real HD is needed). It uses pf (the *BSD packet filter) instead of iptables, but you would not notice this as it's also WebGUI-based and you really don't need to use the command line past the initial configuration/installation. It provides a bit more advanced options in comparison to IPCop, but most would be out of place in a small environment anyway, and might only add complexity, anyway.

dd-wrt (http://www.dd-wrt.com) is a great platform for installing on a lot of mainstream wireless router hardware--it's a replacement firmware which provides much of what IPCop and pfSense provide. Since it's mainly intended to be used on diskless router hardware, and would require the purchase of additional equipment, it's probably not the best choice if you're working with limited funds and existing equipment.

Since you're planning on running a basic proxy with limited filtering, you definitely want to use a machine with a hard drive (not running from a USB key or compact flash card), regardless of which solution you chose. I would recommend at least a Pentium 3-class machine with 128 MB of RAM or more, and 540 MB HD or larger. If you're planning on having more than a few active clients at a time I definitely would go for more RAM.

Naturally, you will need two NIC's in the box, as well...

To answer your other question, with limited exposure, you're not necessarily exponentially increasing your risk in running both firewall and proxy services on the same box. In theory, though, the risk will be greater -- but ask yourself how much worse things would be if the church was not going to install a firewall at all (especially if the clients are Windows machines).

If you have the hardware, you certainly could setup one box to provide firewall services, and another to receive all requests for web traffic for proxy/filter services, but that can bet complicated fairly quickly.

There's a bunch of other options out there, too, but the above are the ones I've had a lot of experience using, and feel are good solutions.

Overall, I really would recommend you try IPCop and see what you think of it. There's a fairly active community around it (http://www.ipcops.com), and it's probably going to be the easiest one for you both to get running and have others assist in maintaining.

Hope this helps. Sorry for all the text...

Good advice and seconded.

I have used Smoothwall (http://www.smoothwall.org/) which is a fairly simple firewall/gateway that is dedicated and does not require much hardware wise to run.

It has a nice gui interface and is generally run from a web interface.