You're pretty much covered with these posts, I would just add one thing. Put the firewall and the Apache server on separate boxes if you have the budget. That way your firewall doesn't have programs (vulnerabilities) running that aren't necessary to firewall operations. It doesn't take much CPU firepower for a little ipfilter (etc.) box. No Gnome, no X Windows, just a firewall.
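A way to check that a dedicated firewall box really runs nothing but the firewall, as an added example that is not part of the post above: the script reads listening TCP sockets in the column layout of Linux `ss -Hltn` and flags any port outside an allowlist. The allowlist (only SSH on port 22) and the embedded sample sockets are my assumptions, constructed for the example rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: audit a firewall host's listening
# TCP sockets against a short allowlist. Anything else listening is a service
# (and attack surface) that does not belong on a bare packet-filter box.

# Assumption: a dedicated firewall box only needs SSH for administration.
ALLOWED_PORTS="22"

# Constructed sample in the shape of `ss -Hltn` output (State Recv-Q Send-Q
# Local:Port Peer:Port); NOT taken from a real system. Port 80 and 631 here
# stand for a web server and a print spooler that should not be on the firewall.
SAMPLE_SOCKETS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Read ss-style lines on stdin and print each unique local port once.
# The port is the text after the last ':' in column 4, which also works for
# bracketed IPv6 addresses such as [::]:22.
extract_ports() {
    awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# Succeed if port $1 appears in ALLOWED_PORTS.
is_allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Read ss-style lines on stdin and print every listening port not in the
# allowlist. Exit status 0 when the box is clean, 1 when something extra listens.
unexpected_ports() {
    rc=0
    for port in $(extract_ports); do
        if ! is_allowed "$port"; then
            echo "$port"
            rc=1
        fi
    done
    return $rc
}

# Audit the constructed sample; same exit status semantics as unexpected_ports.
audit_sample() {
    printf '%s\n' "$SAMPLE_SOCKETS" | unexpected_ports
}

# Stand-alone run: audit the sample and report. On a real Linux host use
#   ss -Hltn | sh thisscript.sh live
if [ "${1:-}" = "live" ]; then
    unexpected_ports || echo "unexpected listeners found" >&2
else
    audit_sample || echo "unexpected listeners found (sample)" >&2
fi
```

Running it against the sample prints 80 and 631, the two ports a bare firewall has no business answering on; an empty result with exit status 0 is what you want to see on the real box after stripping it down.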