The best bet and better performance vs. money is Linux + iptables. You can deploy more than one security subnet (i.e. external, DMZ-service, internal), as many as you have NIC cards. Any equipment above a PII-500 will be OK if you do not install X; you do not need a lot of HD unless you want a lot of space for logs, and 256-512 MB of RAM will be OK. You can, if you dare, deploy an IDS (Snort) or a proxy (Squid) on the machine too if you need it.
If you want a pure appliance, I'm with mvaughn for WatchGuard; prices are below $400 for the entry products:
http://www.securehq.com/vendors.wml&...21&vendorid=53
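The three-zone layout mentioned in the post above (external, DMZ-service, internal, one NIC each), as an added example that is not part of the original post: a shell function that emits a default-deny `iptables-restore` ruleset. The interface names, the published DMZ ports (80/443), the SSH management rule and the `gen_rules` helper are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a three-NIC firewall.
# Interface names, DMZ ports and the SSH rule are assumptions, not from the post.

gen_rules() {
    ext=$1 dmz=$2 int=$3
    # One NIC per security zone: refuse missing or duplicated interfaces.
    if [ -z "$ext" ] || [ -z "$dmz" ] || [ -z "$int" ] ||
       [ "$ext" = "$dmz" ] || [ "$ext" = "$int" ] || [ "$dmz" = "$int" ]; then
        echo "usage: gen_rules EXT_IF DMZ_IF INT_IF (all different)" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Firewall host itself: loopback, replies, SSH from the internal side only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $int -p tcp --dport 22 -j ACCEPT
# Replies to connections that an earlier rule allowed.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internal hosts may open connections to the Internet and to the DMZ.
-A FORWARD -i $int -o $ext -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $int -o $dmz -m conntrack --ctstate NEW -j ACCEPT
# Internet may reach only the published DMZ services.
-A FORWARD -i $ext -o $dmz -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# No rule lets the DMZ or the Internet open connections toward the internal
# subnet, so a compromised DMZ host hits the log-and-drop path below.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide internal and DMZ addresses behind the external interface.
-A POSTROUTING -o $ext -j MASQUERADE
COMMIT
EOF
}

# Print the ruleset; override the interface names through the environment.
gen_rules "${EXT_IF:-eth0}" "${DMZ_IF:-eth1}" "${INT_IF:-eth2}"
```

Pipe the output through `iptables-restore --test` as root to have it parsed without being committed, and enable `net.ipv4.ip_forward` before loading it for real.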