  #1  
Old March 21st, 2004, 10:47 PM
martinwtp
how does firewall work to protect other machines

Let's say I've got 10 public IPs,
1 router,
2 switches,
1 firewall with NAT,
1 reverse proxy,
3 web servers,
2 DNS servers (primary and secondary).

What IPs should I assign to those machines?
I have no experience with how to set that up.
How does a firewall work (I don't mean how to set up a firewall, I know iptables) to protect the other machines? Does the firewall get all the public IPs?

I don't actually know how to figure it out.

Can someone help? Or point me to any information on how to connect this equipment together?
Thank you.

  #2  
Old March 22nd, 2004, 01:44 PM
edwinbrains
I would set the external IP addresses to the most external interface. Keep everything internal with internal addresses, like 192.168.0.x. Then use the NAT on the firewall to make it seem as though requests inside the internal network are coming from the external IP address.

What do you actually want to do with 10 IP addresses?

If you have a router, this probably has everything built into it. I would have thought that it has a firewall built in (so you don't need to buy an extra firewall). You just plug your router into one of your switches and the external Internet interface and set it up through the web-based admin.

You say you've got two switches. You can connect these two together using a standard cable, plugged from the uplink port in one to the standard port in the other.

For your web servers, you'll want to set up port forwarding. On your firewall, configure it to enable port forwarding, so that all requests for port 80 are forwarded to your internal web servers.
  #3  
Old March 22nd, 2004, 04:01 PM
juniperr
Edwinbrains is explaining how this would work in like a home network or very small office using a single public address with a single server for each port that gets accessed from the outside (port forwarding).

Here is how it would work if you are using corporate-level equipment such as Cisco, 3Com, Bay, etc.

Some routers can be purchased for extra cost with a firewall IOS but come without it normally. So your router would have the first public on the outside interface and the second public on the inside interface going to the firewall (let's say a PIX). The PIX would use the 3rd public address on its outside interface and a fourth public on the global (this would be what your addresses on the inside would be translated to using PAT (port address translation)). Now you have your infrastructure down. Now you will use a fifth public as a secondary IP address on the PIX outside and have static NAT to the reverse proxy's private address, which will talk to the 3 web servers it is proxying for on their private addresses (this way the web server has its own public address and its own ACLs as opposed to just using port forwarding on a single public; if you had multiple web servers and were not using a reverse proxy then each would need their own public address (static NAT entry creating additional public addresses on the outside PIX interface), as port forwarding can only go to one server). The internal users would have their own public using PAT (PAT is actually a form of NAT that translates multiple IPs to one IP but each using a different port; NAT can be static or dynamic and is a one-to-one translation).

Everything else in your network would use private addresses. Only use public addresses in a static NAT scenario for your servers and such so you can firewall. NAT alone gives no firewalling ability.

Last edited by juniperr : March 22nd, 2004 at 04:11 PM.

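The address plan juniperr lays out, as an added example that is not part of the thread: a small Python model of a PIX-style edge with one-to-one static NAT for the reverse proxy, PAT for the internal users and an inbound ACL on the outside interface. All addresses are constructed (203.0.113.x is documentation space) and the `Pix` class is hypothetical. It also makes concrete the closing point that a static NAT mapping forwards anything sent to the public address and only the ACL filters it, and the contrast with edwinbrains' single-address port-forwarding setup.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# Constructed address plan (hypothetical; 203.0.113.0/24 is documentation space).
PAT_GLOBAL = "203.0.113.4"                   # 4th public: shared by internal users via PAT
STATIC_NAT = {"203.0.113.5": "10.0.0.10"}    # 5th public: one-to-one to the reverse proxy
# Outside-interface ACL: the only unsolicited traffic allowed in is TCP/80 to the proxy.
ACL_INBOUND = {("203.0.113.5", 80)}

class Pix:
    """Minimal model of the translation and filtering behaviour described above."""
    def __init__(self, acl_enabled=True):
        self.acl_enabled = acl_enabled
        self.pat_table = {}      # (inside_ip, inside_port) -> port on PAT_GLOBAL
        self.next_port = 1024

    def outbound(self, pkt):
        """Inside -> outside. Static-NAT hosts keep their own public address;
        everyone else shares PAT_GLOBAL with a rewritten source port."""
        for pub, priv in STATIC_NAT.items():
            if pkt.src == priv:
                return replace(pkt, src=pub)
        key = (pkt.src, pkt.sport)
        if key not in self.pat_table:
            self.pat_table[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=PAT_GLOBAL, sport=self.pat_table[key])

    def inbound(self, pkt):
        """Outside -> inside. Returns the translated packet, or None if dropped."""
        if pkt.dst == PAT_GLOBAL:
            # PAT only maps back traffic that matches an existing outbound entry,
            # so an unsolicited packet to the shared address has nowhere to go.
            for (ip, port), gport in self.pat_table.items():
                if gport == pkt.dport:
                    return replace(pkt, dst=ip, dport=port)
            return None
        if pkt.dst in STATIC_NAT:
            # A static one-to-one mapping forwards anything sent to the public
            # address; only the ACL decides what reaches the inside host.
            if self.acl_enabled and (pkt.dst, pkt.dport) not in ACL_INBOUND:
                return None
            return replace(pkt, dst=STATIC_NAT[pkt.dst])
        return None
```

Running `Pix(acl_enabled=False).inbound(...)` against the proxy's public address on a port other than 80 shows the packet still being translated through, which is what "NAT alone gives no firewalling ability" means in practice.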
  #4  
Old March 22nd, 2004, 07:58 PM
martinwtp
Thank you all.
How about DNS?

  #5  
Old March 22nd, 2004, 10:28 PM
juniperr
What about DNS? Your internal DNS servers would have private addresses and would be set to forward any request they cannot accommodate to your ISP's DNS server or the root DNS servers. You do not want to give them a public unless you want everyone on the internet to use them.

  #6  
Old March 23rd, 2004, 01:03 AM
edwinbrains
Quote:
Originally Posted by juniperr
Edwinbrains is explaining how this would work in like a home network or very small office using a single public address with a single server for each port that gets accessed from the outside (port forwarding).


I suppose I should have guessed from the equipment that it wasn't a home or small office setup, shouldn't I?

  #7  
Old March 23rd, 2004, 07:22 AM
juniperr
Yea, the 3 web servers sitting behind a reverse proxy tells me he is planning on getting a lot of traffic and needs redundancy too, like a round-robin deal for the servers to keep them up 24/7.

  #8  
Old March 23rd, 2004, 12:47 PM
edwinbrains
Quote:
Originally Posted by juniperr
Yea, the 3 web servers sitting behind a reverse proxy tells me he is planning on getting a lot of traffic and needs redundancy too, like a round-robin deal for the servers to keep them up 24/7.

Perhaps I should stop writing and start reading a bit more.

© 2003-2008 by Developer Shed. All rights reserved. DS Cluster 2 hosted by Hostway