Last week we moved from iptables running on Linux boxes to a firewall box. DLink DFL-210. It has an added feature of intrusion protection in addition to the greater uptime for studio net users. When the servers go down for maintenance, their browsing need not be interrupted. Fairly straightforward setup, but we wasted a lot of time "troubleshooting" a network cable which was not plugged in!
Related development - krishna not coming up after reboot, probably due to incorrect master-slave setting on extra hard disk or bootable flag or something like that, added to the fact that hotplug or kudzu is not installed, so it needed to drop to a root shell, then we edit /etc/fstab to remove the offending hard disk's entries, then it boots.