I'm sure it's possible. The right way? Not sure.
I believe it's the general case that Linux webservers don't sit behind a firewall. You firewall and secure the box itself; Linux is built ready for this stuff.
For example, you'll tell the Linux kernel to drop all traffic not on port 80 (though you'll probably need more than port 80 - you need a port open to log on at least, and maybe one for DNS. And port 443 if you're doing SSL, and so on, but yeah, lock everything not being used).
More importantly, when you set up a new server, get a list of all active and running processes. Review each one and if it's not required, turn it off.
The only time I've had my webserver behind a firewall, it was a pain, not a help.
I don't think this is a bottleneck either. Again, Linux has this firewalling built right into the kernel. It's built for this.
I'd also question the need for a second DB server. Yes, folks do this, but do it only after you have the volume to require it. I don't think the setup is hard: you tell the database server and software to accept external queries in the config file, then open up a backend port on the Apache server to talk to the database server. Personally, I would at least consider at that point going to some sort of VM solution where two computers run in parallel, then splitting the tasks (i.e. two identical computers running at once each handling half the load, rather than two computers running separate services).
In any regard, I would first ask the question if any of this is absolutely necessary. If it's not, you're in for an awful pile more work than just setting up a regular old webserver with a database running right on it. And I think you'll be surprised at the load that an Apache/MySQL webserver will handle. Hundreds of hits a second sustained I bet, if I had to guess.
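
The audit described in the post above (lock everything not being used, review what is running), as an added example that is not part of the original post: a shell function that reads `ss` output and reports listeners reachable from the network on ports outside an allowlist. The function name, the sample lines and the port policy (22 for SSH login, 80 and 443 for the web server) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag listening sockets that are reachable from the network
# but are not on the allowlist of ports the server is meant to expose.

# Constructed sample in the format of `ss -H -tulnp` (not from a real host).
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=1044,fd=4))
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=21))
tcp LISTEN 0 5 0.0.0.0:631 0.0.0.0:* users:(("cupsd",pid=701,fd=7))
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=655,fd=12))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))'

# unexpected_listeners "PORT PORT ...": reads ss lines on stdin and prints
# "proto address port process" for each non-loopback listener off the allowlist.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 5 {
            port = $5; sub(/.*:/, "", port)        # text after the last colon
            addr = $5; sub(/:[^:]*$/, "", addr)    # text before the last colon
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (port in ok) next                           # intentionally exposed
            print $1, addr, port, (NF >= 7 ? $7 : "-")
        }'
}

# Assumed policy: 22 for SSH login, 80 and 443 for the web server.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 80 443"
# On a live host: ss -H -tulnp | unexpected_listeners "22 80 443"
```

With the sample, the database bound to 127.0.0.1 is not reported because it is not reachable from outside, while the print and mDNS services on all interfaces are.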