After trying unsuccessfully to get a decent commercial firewall, I discovered m0n0wall, which is open/free, and based on freeBSD. The stable version is very good, and the development version adds even more features. There is also another young product, called pfsense, that adds very interesting features (WAN load balancing, firewall failover, etc... and uses PF instead of IPFilter).
To me, the strenghts of m0n0 are its simplicity, robustness, and the ability to do complex firewall rules in a simple manner (bridging, NAT, filtered routing). It also supports an (almost) unlimited # of interface, pptp + ipsec VPN. m0n0wall is made to be used primarely on WRAP boards and Soekris. See the complete feature set here. It can run off a hard disk drive, but a more interesting setup is with a flash card of a bootable cd/floppy (the floppy is for saving the settings).
Using a WRAP board, it is possible to have a very good firewall appliance for about 150$.