What's the specs on the hardware (processor, memory, disk space, etc)? My firewall (that this web server is behind) is an old Pentium 100 that I built many years ago as my main desktop (was a hot machine at the time). It has 128 MB of RAM and has 3 network cards in it so I have a DMZ (where this web server resides). 128MB of RAM is actually more than it needs but I also use it as a proxy, content filter and a few more things. The machine is actually a little slow to be doing the proxy/filtering but it's good enough for what I need and certainly enough for a firewall. You can see a simple network drawing of roughly my layout:
http://voidmain.is-a-geek.net/si/?i=net ... work%20Map
The machine is currently running Fedora Core 1 (without X installed of course) but when I first made it a firewall I think I had Red Hat 5.2 on it which was the latest version of Red Hat at the time. Of course Red Hat/Fedora comes with iptables, as does most other distros out there. I used to just have a firewall script that did the ipchains/iptables commands and you can still do it that way but now I prefer to use a utility called Shorewall which is not much more than a set of scripts that allow you to put all your firewall statements in a few config files, a little more firewall like. Here's shorewall:
http://www.shorewall.net/
The nice thing about using a regular distro is that customization is a little easier. For instance if you want to run squid all you have to do is "apt-get install squid", configure it and add your firewall rules. Of course if you want to keep it a true firewall and keep it minimal and more secure you would not have it perform these other functions. I personally would probably use FC3 or Debian if I were to install one today. I will probably upgrade my current one to FC3 at some point. I usually don't upgrade it every new release that comes out but do keep the version I am running up to date with all the latest updates nightly. I usually do a "custom" install and deselect most everything (including X, etc) so it's a minimal install. Then after the first boot I do a "rpm -qa | sort" and list all the packages and remove more things that it installed as a minimum that I do not need "apt-get remove xxx". I turn off all unnecessary services and configure iptables (with shorewall in my case). You can probably get a little smaller with Debian though as the packages are broken down a little more finely. Just my 2 cents.
EDIT: Actually, when my current P100 dies I will probably use my spare Linksys wireless access point as my firewall. It makes a great firewall because it has three interfaces (two ethernet and 1 wireless) plus a 4 port switch built in, it runs Linux, has no hard drive and costs less than $70 brand new. It's a perfect little firewall really. I would use OpenWRT as my distro as I mentioned (which I am currently running my wireless web server site on):
http://www.openwrt.org/