If you've got a bit of Unix nous there, then you could try OpenBSD.
The stateful packet filter in it is pretty awesome. It won't do packet
inspection, though, like FW1 and friends can do (e.g. that looks like a
packet from worm X, I'll drop it). However, if you want to roll your
sleeves up a bit, take a look at Hogwash. It is a bit of software that
uses the Snort IDS engine to inspect packets in real time and can do
clever things (e.g. we are being port scanned by X, let's drop all of their
packets). It can be set up as a bridging firewall too, i.e. just plug it
inline on your Ethernet; you don't need to set up IP addresses etc.


