I can't speak to the security issue except to say that I use Debian boxes with the 2.2 kernel and ipchains for firewalling and routing both at home and at customer sites. I also used a commercial firewall in a past life (PIX) and was pleased with it except for the connection limitations you refer to. I find ipchains to be reasonable, flexible, and most importantly understandable. I use logging in all my firewall rulesets for denied packets, and I see denied attacks of various sorts against my home machine about every five minutes or so while I am connected. I feel, if anything, more secure with the Debian-based firewall. I haven't had any compromises of a Debian-protected network that I am aware of, but then that doesn't really prove anything.
If you are interested, I just spent a couple days whittling down a Debian system to provide WAN routing, dial on demand, dns, dhcp, and firewalling all on one floppy. I have been looking for an excuse to organize all my notes in a presentable manner, and I'd be happy to try and answer any questions you might have. My intention was basically what you stated, to produce a simple box with absolutely nothing except the kernel, a few selected daemons, and a couple other necessary things like ash and init just for processing startup scripts. No interactive or network logins, no logging except to console or remote, everything runs from a 4MB ramdisk once booted. Using this sort of setup you can provide quick and dirty emergency reserve systems on just a floppy; set up new boxes with almost no installation; or just make a really cheap router with a scavenged motherboard, 16MB RAM, a floppy, and ethernet cards or a modem. I also have managed to fit a complete working 'winserver' with dhcp and samba on one floppy, although this one would really like to have some disk in the machine for meaningful print spooling and file shares.

