>Might I be permitted to present the notion that UNIX is in fact *not*
>the proper environment for a Firewall, nor is any multi-user OS, what
>is really needed is a dedicated embedded controller able to sieve packet
>headers on the fly ?
I don't agree at all.
You're assuming that "sieving packet headers on the fly" will
give you sufficient control, adequate audit trail, and will meet your
security goals; isn't that rather a large assumption?
Some of us believe that for some applications you cannot build
a secure enough firewall out of just an IP-level security system. Perhaps
future versions of IP will have enough hooks in them for authentication,
etc that what you suggest will be attractive, but for the time being, I
wouldn't risk anything important to something that leaks like sieve.