February 26th, 2002, 04:33 PM
#7
First of all... the PIX is a stateful firewall just like any other.
With the PIX, you can do anything any other firewall can do. So vittu, you are incorrect in saying that there is a lack of port filtering rules. You use access-lists that can be used to specify ANY port.
And YES... of course the PIX comes out of the box denying all traffic. This is what you want. Why would you want to close every port you don't need instead of just opening the ports you do? Besides, even if you wanted to change that, you could just issue the following commands.
access-list acl-out permit ip any any
*defines all traffic to be permitted
access-group acl-out in interface outside
*applies the access-list rules to the outside interface
The PIX501 is also a small SOHO device that has a very simple configuration interface, so you would not have to worry about the CLI stuff anyway. It is a very good product.
I know mrwall is a very big CP advocate, and so am I, but the PIX is also a very good firewall and I think he would agree with me.
Bottom line: either CP SOHO or PIX 501... I would probably stay away from the Linux firewall for the sake of simplicity.