BTW , Linux also has access levels and immutable bits, and lots of other stuff such as random PIDS, random icmp sequences and etc. You just have to know where to get the patches.
Not to be a shmuck, but if I have to patch the kernel then it is not in the offical tested distribution of the kernel and I introduce more risk that something else will break.
If you want to build a stateful firewall my personal favorate is freebsd and ipfilter. OpenBSD probably has a slightly more hardened default install. But I do not trust ther ipfilter replacement(packet filter) yet, its too new for me to use in production.
