Here's the scenario. We have 20 different sites in North America. All these sites are attached to us via a frame relay network. They all use our site for internet access, and their local email servers use ours as an SMTP gateway. That's about all the access they should need. The other day I was running Ethereal on my machine, and noticed a client machine from one of our sites browsing through all my shares... very systematically... kinda like a virus propagating through shares? Anyway...

I'd like to set up a firewall right between our internal router and LAN to prevent other sites' clients from accessing our LAN here.

Question 1: Considering cost is an issue, what product should I use in this instance? I was leaning toward RH Linux's IPTables, but that's simply because I'm not sure of another cheap easy solution. A Stateful FW would be nice, but I might just have to settle for a packet filtering device.
Access-Lists on the Cisco router are out since we'd have to be able to take the firewall out of production in case there are internal communication problems, and re-establish communication with the WAN in minutes.

Question 2: I'm pretty new to *nix, so I'm not sure about this question at all. In Windows, a multi-homed machine needs its NICs to have IPs on two different subnets (at least I'm pretty sure of this).
How would I set up a multi-homed (two-NIC) firewall/packet filter with both IPs needing to be the same subnet?
Is it even possible to have the router send packets to the FW, and then have the FW forward these packets to the LAN? Would it also be possible for the LAN to use the FW as its gateway, and have the FW forward these packets to the router?

Essentially, how does one set up an internal firewall that needs to have both IPs on the same subnet? Maybe this is a simple concept with a simple solution.

Router(10.10.10.1)--> <--FW External(10.10.10.2)<forwarding>FW internal(10.10.10.3)--><-- Internal LAN (10.10.10.x)

Either way, any ideas would be greatly appreciated!
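One way to keep both firewall ports in the same subnet is to run the Linux box as a transparent bridge and filter the bridged frames with iptables. This is an added example, not code from the original post; it assumes eth0 faces the router and eth1 faces the LAN, and the remote-site range 10.20.0.0/16 and the SMTP gateway address 10.10.10.25 are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): transparent Linux bridge
# firewall, so neither port needs its own subnet. Assumed layout: eth0 faces
# the router (WAN side), eth1 faces the internal LAN. Placeholder addresses:
# remote sites in 10.20.0.0/16, local SMTP gateway at 10.10.10.25.
WAN_IF=eth0
LAN_IF=eth1
BR_IF=br0
BR_ADDR=10.10.10.3/24      # management address held by the bridge itself
SITES=10.20.0.0/16
SMTP_GW=10.10.10.25

# Commands that build the bridge (modern iproute2 syntax). The ports carry no
# IP address; only the bridge device does, so the box stays reachable.
bridge_cmds() {
  cat <<EOF
modprobe br_netfilter
ip link add name $BR_IF type bridge
ip link set $WAN_IF master $BR_IF
ip link set $LAN_IF master $BR_IF
ip addr add $BR_ADDR dev $BR_IF
ip link set $WAN_IF up
ip link set $LAN_IF up
ip link set $BR_IF up
sysctl -w net.bridge.bridge-nf-call-iptables=1
EOF
}

# Filter rules. With bridge-nf on, bridged frames pass the FORWARD chain and
# physdev tells us which port they arrived on. Remote sites get SMTP to the
# gateway only; everything else from the WAN side (SMB included) is logged
# and dropped. Traffic originating on the LAN side is allowed out.
filter_cmds() {
  cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $WAN_IF -s $SITES -d $SMTP_GW -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $LAN_IF -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $WAN_IF -j LOG --log-prefix "FW-DROP: "
iptables -A FORWARD -m physdev --physdev-in $WAN_IF -j DROP
EOF
}

# Print the plan by default; execute it only when APPLY=1 (requires root).
if [ "${APPLY:-0}" = "1" ]; then
  { bridge_cmds; filter_cmds; } | sh -e
else
  bridge_cmds; filter_cmds
fi
```

Because the bridge adds no routed hop, the box can be pulled and the router patched straight to the LAN switch without re-addressing anything, which covers the "out of production in minutes" requirement.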