The IPCop Linux distribution turns a box into a simple-to-manage firewall appliance. It's a stateful firewall, which is to say, it inspects passing packets and tracks the state of the connections they belong to. Only packets matching a pre-defined connection state are allowed and the rest are rejected. The distribution intercepts packets through the hooks provided by the netfilter framework in the Linux kernel.
TechTarget's security section has a nice overview of IPCop.
The IPCop firewall supports multiple network segments -- trusted, untrusted and semi-trusted -- for wireless networks and DMZ. It runs very well off old 486 hardware or can be bulked up to handle gigabit-speed networks. IPCop is stable, has an easy-to-use graphical interface, and since it is based on Linux under the hood, it's free.
IPCop is a breeze to install: download the software and create a boot disk. The installer creates a complete, hardened system that has the option of running completely off of a flash memory card. Like many gateway routers, IPCop handles DHCP leases, DNS and network time protocol, plus it has several extras that make it stand out.
Extras include a graphical user interface to keep track of the firewall, monitor active connections, track the network's status, and plot usage and traffic charts. IPCop also bundles the Snort IDS (Intrusion Detection System), VPN support, a built-in web proxy, traffic shaping and content caching. If you haven't looked at IPCop before, now's the time.