OK, how about the real IP/subnetmask/port firewall built into your
DSL/CableModem? It's free, it operates at layer 3, and it is working
outside your PC's messy world, inline before the Ethernet frames even
reach your PC. Also most of the ones I have seen (Cisco/Linksys) are
capable of doing some filtering for the OSI layers 4-7
(anti-virus/spyware) again *before* the encapsulated data even reaches
the insecure world of your PC. These kinds of devices also can do NAT
to hide the IP address of your internal private network.

Now, to add something to this thread, what about low cost devices that
could look for IP spoofing, man in the middle attacks, port scanning,
layer 4 attacks (such as TCP sequence number attacks), etc. See
www.caymas.com. Has anyone done research on low cost (< $1k, for
example) devices for upper layer protection *before* the data even
reaches the insecure world of Windows?

I'm aware of what's available in UNIX/LINUX, but thinking about low cost
devices.

It may be that the best low cost solution is a dual homed computer
running snort, iptables, imap, Nessus... but wondering if any devices
are being shipped that do all this in firmware?

Cheers, ~DRH~