I just felt I needed to echo everyone else who's saying to keep at least the firewall separate from the rest. A firewall should be locked down as tight as possible where anything that is running services obviously has to have things open.
My personal preference for a "turn an old box in to a firewall" setup is pfSense, which is a FreeBSD-based firewall distro on which I've handled 20mbit constant traffic with shaping and VPN tunnels on nothing more than a 450MHz Pentium II with 256MB RAM. It can run as a live CD too, so you're screw-up proof. Get it working, save the config to a floppy or USB key, remove the media with the config (or write protect it if available) and if anything goes wrong just hit the reset button and wait a few minutes.