Forum OpenACS Q&A: Re: basic firewall features on RH 8.0

Posted by Frank N. on
If people are looking into creating serious, stand-alone firewalling machines based on Free Software, then I would suggest people consider OpenBSD. The care and feeding of pf, the OpenBSD in-kernel packet ... transmogrifier(?), is much easier to understand and admin than iptables IMNSHO.

And I probably don't have to mention that the OpenBSD folks take security very, very seriously.

For comparison:

iptables tutorial: http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Complete OpenBSD PF documentation: http://www.openbsd.org/faq/pf/index.html

I currently admin 5 OpenBSD-based firewalls, and it would take serious kicks from external forces to drive me back to using Linux for this particular application. My main personal DMZ splitter has 33 non-empty lines in the pf.conf file, of which 11 are macro definitions for addresses, networks and interfaces, yet it is configured for default-deny, redirects, 2x NAT, antispoofing, packet priority queueing and renormalisation, stateful/modulating firewalling etc.
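For readers who want to see what a DMZ splitter of the kind described in the post looks like in pf.conf, here is a constructed example (editor's addition, not the poster's configuration). It covers each feature the post lists: macros, default-deny, a redirect, NAT for two internal networks, antispoofing, queueing, scrub renormalisation and stateful/modulating filtering. Interface names, addresses and bandwidth figures are assumptions. It uses the current OpenBSD syntax (`match ... nat-to`/`rdr-to` from 4.7 onward and the `queue` syntax from 5.5 onward); the 2003-era config the post refers to would have used `nat on`, `rdr on` and altq instead.

```pf
# Constructed pf.conf for a three-legged DMZ splitter.
# Interfaces, networks and hosts below are assumptions, not from the post.
ext_if  = "em0"                  # towards the ISP
int_if  = "em1"                  # trusted LAN
dmz_if  = "em2"                  # DMZ with public-facing services
lan_net = "192.168.1.0/24"
dmz_net = "10.0.0.0/24"
web_srv = "10.0.0.10"            # web server in the DMZ
admin   = "192.168.1.5"          # admin workstation on the LAN
web_ports = "{ 80 443 }"

# Addresses that must never appear as a source on the external interface.
table <bogons> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                       172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }

set skip on lo0                  # never filter loopback
set block-policy drop            # silently drop, do not send RST/ICMP
set loginterface $ext_if         # collect counters for pfctl -si

# Renormalisation: reassemble fragments, clear DF, randomise IP IDs,
# clamp MSS so NATed hosts behind a smaller MTU do not black-hole.
match in all scrub (no-df random-id max-mss 1440)

# Priority queueing on the external link (figures are assumptions).
# ACKs and low-delay packets go to ext_ack so uploads do not starve downloads.
queue ext on $ext_if bandwidth 20M
queue  ext_ack  parent ext bandwidth 2M min 2M
queue  ext_bulk parent ext bandwidth 18M default

# 2x NAT: both the LAN and the DMZ hide behind the external address.
match out on $ext_if from $lan_net to any nat-to ($ext_if)
match out on $ext_if from $dmz_net to any nat-to ($ext_if)

# Redirect: inbound HTTP/HTTPS on the external address goes to the DMZ web server.
# Filter rules below see the *translated* destination ($web_srv), not ($ext_if).
match in on $ext_if proto tcp from any to ($ext_if) port $web_ports rdr-to $web_srv

# Default deny, logged, for everything not explicitly passed further down.
block log all

# Antispoofing: drop packets claiming an interface's own network from the
# wrong side, plus bogon sources/destinations on the external interface.
antispoof quick for { lo0 $int_if $dmz_if }
block in quick on $ext_if from <bogons> to any
block return out quick on $ext_if from any to <bogons>

# LAN may initiate anywhere; the DMZ may initiate anywhere except the LAN.
pass in on $int_if from $lan_net to any
pass in on $dmz_if proto { tcp udp } from $dmz_net to ! $lan_net

# Outbound on the external link: modulate TCP ISNs for weak stacks behind us,
# plain state for UDP/ICMP, and put traffic on the queues defined above.
pass out on $ext_if proto tcp modulate state set queue (ext_bulk, ext_ack)
pass out on $ext_if proto { udp icmp } keep state

# Inbound to the DMZ web server (already redirected above), SYN-proxied so the
# firewall absorbs half-open connections instead of the server.
pass in on $ext_if proto tcp to $web_srv port $web_ports synproxy state
pass out on $dmz_if proto tcp to $web_srv port $web_ports

# Admin workstation may SSH to the firewall itself and to the web server.
pass in  on $int_if proto tcp from $admin to ($int_if) port 22
pass out on $dmz_if proto tcp from $admin to $web_srv port 22
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and inspect the expanded rules (macros and tables substituted, `antispoof` expanded into its `block` rules) with `pfctl -sr`. The point the post makes about line count holds here: the macros and the `match` lines do most of the work, so each filter rule states one policy decision rather than repeating addresses.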