And I probably don't have to mention that the OpenBSD folks takes security very, very seriously.
Ip-tables tutorial: http://iptables-tutorial.frozentux.net/iptables-tutorial.html
Complete OpenBSD PF documentation: http://www.openbsd.org/faq/pf/index.html
I currently admin 5 OpenBSD based firewalls, and it would take serious kicks from external forces to drive me back to using Linux for this particular application. My main personal DMZ splitter has 33 non-empty lines in the pf.conf file, of which 11 are macro definitions for addresses, networks and interfaces, yet it is configured for default-deny, redirects, 2x NAT, antispoofing, packet priority queueing and renormalisation, statefull/modulating firewalling etc.