Unlike most home networks, the Marshlabs are directly attached to the Internet. The DSL router just routes. It doesn't do NAT, it doesn't block or filter network traffic in any way.
Hosts, network gear, and the kitchen radio have public IP addresses and are reachable via the Internet. They all are supposed to take care of security on their own. (It's kinda fun when guests ask for Internet access for their laptops and actually get it, accompanied with a fair warning that "this time, it's for real.")
On my boxen, I secure services by their own means if possible.
For example, the set of allowed clients of NFS shares is stated in /etc/exports, sendmail relaying is controlled via access.db, and many services use accounts & passwords in some way.
Many network services can be secured via libwrap and /etc/hosts.{allow,deny} entries. Much simpler than any full-blown firewall and just as effective.
However, sometimes I do need a real firewall. A case in point is continuous password attacks, which just happened again, so I was hunting for some rate-limiting firewall solution.
Unlike linuxen, which all use iptables(8) in some way, every BSD flavour comes with an entire collection of firewall variants.
I can never remember what offers what. So here is a list reflecting the state of August 2014:
Summary: if you need something stateful (be it for NAT or rate-limiting) and portable, go for pf.