Specific question for securing home server/firewall


Almost 2 years ago, I decided I didn't have time to exercise the needed
due diligence to keep my Linux firewall/server (internal services) live
on the Internet any more, so I bought a router appliance.  (Netgear
FR114P) Though I used to allow ssh and imaps incoming, since getting
the Netgear I haven't allowed any incoming ports.

It's getting inconvenient.  I want to be able to access my stuff when
away.  My present wish is to set up with OpenVPN, and get all access
through that.  Besides, my ISP sez, "No services of any kind, not even
for your own remote use," but they specifically allow VPNs.

So I'm preparing, getting things locked down and nailed down, better.
Here's my topology:
+-------+   +---------+     +--------+     +-----------+
| Cable |---| Netgear |--+--| Main   |--+--| Desktop 1 |
| Modem |   | Router  |  |  | Server |  |  +-----------+
+-------+   +---------+  |  +--------+  |
                         |              |  +-----------+
                         |  +--------+  +--| Desktop 2 |
                         +--| Old    |  |  +-----------+
                            | Server |  |
                            +--------+  |  +-----------+
                                        +--| Laptop    |
                                        |  +-----------+
                                   (Extra Ports)
My main server is routing all Internet traffic, and is destined to
become a secondary firewall, which is where these questions come from,
running "netstat -tupln" and trying to get it all locked down.

1:  It looks like ntpd is listening everywhere it possibly can, on
loopback, both IPs, and even  I've been through TFM, though I
must admit that TFM is so doggone big because of all of the time
theory, and I can't figure out how to keep it on my internal LAN only.
What's worse is that in spite of RTFM and playing with permissions every
few months as time allows, my other systems still can't use it for time,
and end up going out to pool.ntp.org for it.  I've had it working on the
old server, and one of these days I'll have time to get it going, again.

2:  Don't think this is a real problem.  My dhcp server says it's
listening on, even though it's bound to my internal LAN
interface.  I believe all is working right, it's just the nature of the
beast that it looks odd.
2a: Similarly, named shows a udp port at ISTR that this
is perfectly normal. (I believe I've disabled zone transfers, but still
forward requests to my ISP.)

3:  I receive mail and logs from the Router and the Old Server, so the
syslogger is bound to and Postfix is bound to both internal
LAN and "DMZ" (not really a DMZ, but...)  interfaces.  This is the
complex question.  I think I'd like to restrict both of these to my
internal LAN, then use iptables rules to grab the acceptable connections
from the DMZ IF and forward/redirect/DNAT (which one?)  them to the
inside ports.

I know that I could just run the servers on the DMZ, and configure and
firewall the ports, but I'd like to do better.  I'd like to have NOTHING
but OpenVPN listening on the DMZ side, and have a system that is
essentially safe without a firewall.  Then add the firewall for extra
safety, and to get the log/mail functionality back for a few systems on
my DMZ.

Suggestions welcome, and thanks,
Dale Pontius
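An added example for questions 1 and 3 above, not the poster's own configuration: a small POSIX sh script that generates the ntp.conf access-control lines, the iptables rules that pull syslog and SMTP from the Netgear side over to daemons bound on the LAN address, and a check that flags listeners from "netstat -tupln" output that are not confined to loopback or the LAN address. Every name and number in it is assumed for illustration: eth1 as the LAN interface, eth0 toward the Netgear, 192.168.1.0/24 inside, 192.168.0.x on the Netgear side, syslog on UDP 514, Postfix on TCP 25, OpenVPN on its default UDP 1194, and 10.0.0.5 standing in for an upstream NTP server. Two points it is built around: ntpd reaches its upstream servers through the Netgear-side interface, so that interface cannot be ignored outright and "restrict default ignore" plus one restrict line per upstream server is what confines time service to the LAN; and for question 3 the answer is DNAT, because REDIRECT rewrites the destination to the primary address of the incoming interface (where nothing would be listening) and the FORWARD chain only sees packets transiting the box.

```shell
#!/bin/sh
# Added example for the post above, not the poster's configuration.
# Assumptions (all illustrative): eth1 is the LAN side, eth0 faces the
# Netgear, syslog is UDP 514, Postfix is TCP 25, OpenVPN uses its default
# UDP 1194, and 10.0.0.5 stands in for an upstream NTP server.
set -eu

LAN_IF=eth1
LAN_IP=192.168.1.1          # services bind only here
LAN_NET=192.168.1.0
LAN_MASK=255.255.255.0
DMZ_IF=eth0
DMZ_IP=192.168.0.10         # this server's address on the Netgear side
ROUTER_IP=192.168.0.1       # Netgear router
OLDSRV_IP=192.168.0.2       # old server, also on the Netgear side
VPN_PORT=1194
UPSTREAM_NTP=10.0.0.5

# ntp.conf access control. ntpd still opens a socket per address (that is
# what netstat shows); "restrict" decides who gets answered. The upstream
# servers are reached through $DMZ_IF, so that interface cannot simply be
# ignored; "restrict default ignore" plus one line per upstream server does
# the job. Each argument is an upstream server address (numeric is safest:
# a hostname in a restrict line is resolved once, at startup).
ntp_conf_fragment() {
    echo "restrict default ignore"
    echo "restrict 127.0.0.1"
    echo "restrict $LAN_NET mask $LAN_MASK nomodify notrap"
    for s in "$@"; do
        echo "restrict $s nomodify notrap noquery"
        echo "server $s iburst"
    done
}

# iptables rules for the mail/log traffic from the Netgear side. The
# daemons are bound to $LAN_IP, so the packets need DNAT to that address:
# REDIRECT would rewrite them to $DMZ_IP (the primary address of the
# incoming interface), where nothing listens, and FORWARD only handles
# packets transiting the box. Output is a list of commands; pipe it to sh.
firewall_rules() {
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -j ACCEPT"
    # replies to our own queries (upstream NTP, DNS forwarding) come back here
    echo "iptables -A INPUT -i $DMZ_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $DMZ_IF -p udp --dport $VPN_PORT -j ACCEPT"
    for host in $ROUTER_IP $OLDSRV_IP; do
        for spec in udp:514 tcp:25; do
            proto=${spec%:*}
            port=${spec#*:}
            # nat/PREROUTING runs before the routing decision: rewrite the destination
            echo "iptables -t nat -A PREROUTING -i $DMZ_IF -s $host -d $DMZ_IP -p $proto --dport $port -j DNAT --to-destination $LAN_IP"
            # filter/INPUT sees the rewritten destination, so match on it
            echo "iptables -A INPUT -i $DMZ_IF -s $host -d $LAN_IP -p $proto --dport $port -j ACCEPT"
        done
    done
    echo "iptables -P INPUT DROP"
}

# Audit helper: read "netstat -tupln" output on stdin and print every
# listener that is reachable from somewhere other than loopback or $LAN_IP.
exposed_listeners() {
    awk -v lan="$LAN_IP" '
        $1 !~ /^(tcp|udp)/ { next }      # skip header lines
        { addr = $4; sub(/:[0-9]+$/, "", addr) }
        addr == "127.0.0.1" || addr == lan { next }
        { print }'
}

# Constructed sample of netstat -tupln output (not taken from the post).
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.1:25          0.0.0.0:*               LISTEN      1201/master
tcp        0      0 192.168.0.10:25         0.0.0.0:*               LISTEN      1201/master
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1150/named
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1320/ntpd
udp        0      0 192.168.1.1:123         0.0.0.0:*                           1320/ntpd
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           1400/openvpn
EOF
)

# Stand-alone run: show the generated fragments and audit the sample.
ntp_conf_fragment "$UPSTREAM_NTP"
echo
firewall_rules
echo
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

Run as-is it only prints; "firewall_rules | sh" applies the rules, and "netstat -tupln | exposed_listeners" (after sourcing the script) audits the real box. On the ntp side, "ntpq -p" is the check worth doing before blaming the restrict lines: clients refuse a server that has not itself synchronized, so a "*" next to one of the upstream peers has to appear first.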
