Forum OpenACS Q&A: Response to Help! no SSH Telnet Access
Not to be a shmuck, but if I have to patch the kernel then it is not in the offical tested distribution of the kernel and I introduce more risk that something else will break.
If you want to build a stateful firewall my personal favorate is freebsd and ipfilter. OpenBSD probably has a slightly more hardened default install. But I do not trust ther ipfilter replacement(packet filter) yet, its too new for me to use in production.