OK, I just got ahold of some NetScreen (http://www.netscreen.com) firewalls.
I have some of their big ones, but I also got myself a 5xp for home.

The 5xp is $495, and it's barely more than the size of 2 decks of playing
cards side by side.  This thing is amazing.  Everything is implemented on
chip, including the firewalling engine and the IPSec stuff.  The chip is the
same chip they put in their big firewalls, which supports 700Mbit of
throughput, and 270Mbit of IPSec throughput.

They've limited the 5xp to 10 tunnels, and stuck 10Mbit interfaces on it to
limit it.  It will support 2000 separate sessions, can act as a VPN server
and a client.  Has OSPF and BGP routing, a nice web interface, Cisco-style
command line, built-in SSH and HTTPS, DHCP client for cable modem/DSL users,
and you can map outside ports to different internal servers (great if
you only have one public IP and multiple servers on the inside). It can run
in transparent mode, where you just plug it inline with one of your Ethernet
cables and it acts as a filtering bridge, or you can do route or NAT mode.
Route mode is probably the most robust, as you can still add NAT policies to
take care of NAT if you need it.  Oh, I almost forgot, it also has a captive
gateway functionality.  So if you have a wireless net, and you try to go
somewhere, the browser (or telnet session) will bring up a user/pass prompt
generated by the firewall, and you have to log in with a valid ID before it
will pass traffic for you. It can authenticate via a local database, or
using RADIUS or LDAP.  You can give varying degrees of access based on
usernames also.

Their bigger firewalls support up to 99 VLANs, and each one can be in a
different security zone (99 DMZs).  You don't have the typical "security
levels" associated with each zone either.  Each one can have varying degrees
of access to each other.  They also have virtual routers, where you can tell
it to only route between certain VLANs/zones, so your office network can be
completely independent of your production environment.  For ISPs, it
supports Virtual Systems.  You can sell firewall services to clients, and
they get their own virtual firewall with their own login.  They can only see
and modify settings for their stuff, but they can manage it themselves with
no risk of screwing up the rest of your network.  

In any case, the $495 5xp has more features than most $30,000 firewalls, and
also has better performance (though it only has 10Mbit interfaces).  If
you're looking for a great home firewall or something for remote offices,
this thing is definitely the way to go.

Jay