Just a quick question: Is a Linux box running ipchains or whatever considered a hardware firewall? I thought a hardware firewall would be stuff from Cisco or Nokia. Dedicated hardware that can run nothing else. A PC running Linux+ipchains or Windows NT+Checkpoint would be a software firewall. Am I right or did I miss something?
And as to how to secure it. It all depends on your policy and there are 2 ways to go about it.
a) allow everything and only block what you really don't want.
This will make it easy to configure (allow any any), users can do almost everything. If you want to do something new, nothing needs to change and it will probably run on the first try. But you need to keep an eye on new vulnerabilities because everything is basically allowed.
b) allow nothing and only open what you need.
This is also easy to configure at first (block any any) but needs changes if you want something new to go through the firewall. This can be very tricky to set up if you need to run all sorts of stuff through the firewall.
Both have their pros and cons so it all depends on your policy. Same thing with the backup. If your policy dictates the firewall must be up for 99.999% of the time, you will definitely need something like a hot-standby or some load balancing (make sure 1 firewall can handle all your traffic if you go for the load balancing).
In short, make a policy and configure your firewall based on this policy.
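The two policies described in the post, (a) allow everything and block a short deny list, (b) allow nothing and open only what is needed, written out as Linux rulesets. This is an added example, not code from the original post or from any of the products it mentions; it uses the iptables-restore format (the successor of ipchains on 2.4 and later kernels) rather than ipchains syntax. The interface name eth0, the inside network 192.0.2.0/24 (a documentation range) and the services SSH and HTTP are my assumptions. Nothing is applied to the running kernel; the functions only print the ruleset so it can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original post): generate iptables-restore
# rulesets for the two firewall policies discussed above.
# Assumptions (mine, not the post's): eth0 is the outside interface,
# 192.0.2.0/24 is the inside network, and the services to expose
# under policy (b) are SSH (22) and HTTP (80).

OUTSIDE_IF=eth0
INSIDE_NET=192.0.2.0/24

# Policy (a): allow everything, block only what you really don't want.
# The chain policy is ACCEPT; a short deny list sits in front of it.
# A newly installed service works with no change, and so does any
# newly discovered vulnerable service, which is the risk the post names.
default_allow_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Deny list: services we know we never want reachable from outside.
-A INPUT -i $OUTSIDE_IF -p tcp --dport 23 -j DROP
-A INPUT -i $OUTSIDE_IF -p tcp --dport 139 -j DROP
-A INPUT -i $OUTSIDE_IF -p tcp --dport 445 -j DROP
# Anything not matched above falls through to the ACCEPT policy.
COMMIT
EOF
}

# Policy (b): allow nothing, open only what you need.
# The chain policy is DROP; every permitted service needs its own rule,
# so a new service fails until a rule is added for it.
default_deny_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Without this rule, replies to the box's own outbound connections
# would be dropped as well; it is the usual first surprise with (b).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $OUTSIDE_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $OUTSIDE_IF -p tcp --dport 80 -j ACCEPT
-A INPUT -s $INSIDE_NET -p icmp -j ACCEPT
# Anything not matched above falls through to the DROP policy.
COMMIT
EOF
}

# Reviewer check: read a ruleset on stdin and print the default INPUT
# policy (ACCEPT or DROP), so it is obvious which model a file follows.
input_policy() {
    sed -n 's/^:INPUT \([A-Z]*\).*/\1/p'
}

# When run directly, print both rulesets for review.
echo "# --- policy (a): default allow ---"
default_allow_ruleset
echo "# --- policy (b): default deny ---"
default_deny_ruleset
```

To load one of these for real you would pipe the function's output into iptables-restore as root; its `--test` option (in recent iptables versions) parses the file without applying it, which is a sensible first step for either policy.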