My wishlist would be improvements to:
* Web Proxy Content Filtering
* Web & Email Anti-Virus Scanning Proxies
Proxy filtering has been tossed around quite a bit, notably with SquidGuard, but I'm looking for a solution that checks based on actual content scanning (as opposed to just list checking). Something similar to DansGuardian (but with a more open licence) would be great. And if we're scanning the content anyway, it would be great if virus signature scanning could be done at the same time.
It would also be nice to have a lightweight (relative to sendmail/postfix anyway) SMTP reverse proxy capable of scanning email for junk and virus signatures. This would be a transparent reverse proxy for SMTP (& SMTPS?), preventing junk mail and virus emails from ever making it to the mail servers inside. (Check out ASSP and DspamPD if you're looking to get a better idea of the concept.)
Both of these wishlist ideas are not exactly 'lightweight' and may not belong on a box that's *strictly* a firewall, but they do both protect the inside from the outside, and would be a good fit for many smaller orgs without dedicated resources for these.