Or, you could always take the hardcore geek approach, and get one of the *BSDs, and learn how to recompile the kernel for ipfw or ipfilter support, and how to manipulate the related config files.
See
for an intro. And
I wouldn't recommend the "home-grown" approach if you want to do something like content filtering, but if you need basic robust firewall security, with the ability to define a fairly sophisticated IP filtering ruleset, then this is not a bad approach. AND you will really learn about how internet security works. The downside is that it takes some serious reading. The upside is that once you learn it, you can deploy a BSD firewall fairly rapidly, especially if you build up your own libraries of standardized rulesets, and there are no licensing costs at all.
I am no Unix security guru, but I managed, without too much trouble, to recompile FreeBSD with ipfw on a modest piece of used hardware, and set it up as my home DSL gateway. Thus I can breathe a lot easier when my wife is online with Win98 or when I have to test out insecure settings on my main workstation, since they all have internal IPs and I can filter out any IP address (or group) to any port I want. The first time I did this, it took the better part of a day, but now I can pretty much have a basic firewall up and running in a couple of hours.
Beyond this, the BSDs are often where the TCP/IP security standards are set, so there is almost always support for the other sophisticated security systems. Here is a link for setting up IPsec on OpenBSD:
Just search
and
for articles related to firewalling and security and you will see what I mean. (HINT: quite often the commercial firewalls are running some slightly proprietized version of BSD, and using many of these protocols which are freely available.)