Is this a dedicated database server? Is it a Web server with a back-end database? What kind of data are you processing? There are many more questions that need to be answered before giving a specific recommendation.
Whatever firewall you choose, you should allow only those ports to be open that need to be open. If the public is using just a Web interface, you should only need ports 80 and 443. If you are combining with e-mail, allowing FTP or Telnet, or other things, you'll need more things open.
I'd suggest that your database be a separate backend machine with a Web front end. The Web application should proxy all queries, and the DB should make sure any query comes only from the Web application. There are lots of other things you should look into too, so you really should consult with a security professional to discuss your unique situation.
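The layout described in the answer can be checked against a ruleset before it is deployed. The following is an added example, not part of the original answer: it models a simplified first-match packet filter and reports every rule outcome that exposes more than ports 80 and 443 on the Web server or lets anything other than the Web application reach the database. The addresses, the `Rule` format and the database port 5432 are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PUBLIC_WEB_PORTS = {80, 443}  # the only ports the answer says a web-only service needs

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source address or CIDR
    dst: str              # destination address or CIDR
    port: Optional[int]   # None matches any port

def decide(rules, src, dst, port, default="deny"):
    """Simplified stateless filter: first matching rule wins, else the default policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return default

def audit(rules, web, db, db_port, internet, peers, probes):
    """List every place the ruleset departs from the web-front-end / DB-back-end layout."""
    findings = []
    for p in probes:
        if p not in PUBLIC_WEB_PORTS and decide(rules, internet, web, p) == "allow":
            findings.append(f"web:{p} open to {internet}")
        for src in [internet, *peers]:
            if decide(rules, src, db, p) == "allow":
                findings.append(f"db:{p} open to {src}")
    if decide(rules, web, db, db_port) != "allow":
        findings.append("web application cannot reach db")
    return findings

# Constructed sample data: addresses and the PostgreSQL port 5432 are assumptions.
WEB, DB, DB_PORT = "10.0.1.10", "10.0.2.20", 5432
INTERNET, PEER, ANY = "198.51.100.7", "10.0.1.99", "0.0.0.0/0"
PROBES = (21, 23, 25, 80, 443, DB_PORT)

WEAK = [Rule("allow", ANY, WEB, 80), Rule("allow", ANY, WEB, 443),
        Rule("allow", ANY, WEB, 23),        # Telnet left open to the public
        Rule("allow", ANY, DB, DB_PORT)]    # database reachable from anywhere
HARDENED = [Rule("allow", ANY, WEB, 80), Rule("allow", ANY, WEB, 443),
            Rule("allow", WEB, DB, DB_PORT)]  # only the web host may query the DB

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(rules, WEB, DB, DB_PORT, INTERNET, [PEER], PROBES))
```

The model ignores connection state and protocol, so it checks rule intent rather than replacing a scan of the live hosts.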
This was first published in April 2003