One of the more interesting hacks I've seen on locking down a Linux-based firewall is to remove the 'poweroff' from your shutdown sequence. You basically boot the PC up, set up your firewall =exactly= as you want it, then "shutdown".
However, without the poweroff, you'll basically end up with a box that has all services turned off and the disks unmounted. The only thing running is the kernel ... and iptables, which runs as a kernel process! The thing will be as close to not running as possible, but will still be passing packets. Of course, if you need to make a change to your rules, you have to physically power off and reboot, then make your changes and 'shutdown' again. This makes it more of an interesting hack than something actually useful, but I thought it was cool. Of course, you also don't want your init scripts to kill your ethernet while they're killing other processes as well.
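The two things the trick depends on are easy to get wrong in a stock halt script: the final halt must not switch the power off, and nothing in the sequence may take the interfaces down (the netfilter rules live in the kernel, so they survive every user-space service being killed, but not a dead NIC). Below is an added, hypothetical audit script, not from the post above or any distribution, that scans a sysvinit-style halt script for the literal forms of both mistakes: poweroff/systemctl poweroff, sysvinit's halt -p and shutdown -P, halt -i (sysvinit's "shut down network interfaces before halting"), ifconfig/ip link/ifdown take-downs, a networking stop, and the Debian-style NETDOWN=yes setting. It only recognises those literal forms; a script that reads the flags from variables (as Debian's /etc/init.d/halt does from /etc/default/halt) needs the defaults file audited too. Both sample scripts it writes are constructed for the demonstration.

```shell
#!/bin/sh
# audit_halt_script: hypothetical helper (added example, not from the post).
# Scans a halt/shutdown script for (1) anything that powers the box off and
# (2) anything that takes the network interfaces down. Only the literal
# command forms in the two regexes are recognised.

# Power-off forms: bare "poweroff" (also /sbin/poweroff, systemctl poweroff),
# sysvinit "halt -p" (alone or bundled, e.g. "halt -dfip") and "shutdown -P".
POWEROFF_RE='(^|[^[:alnum:]_])poweroff([^[:alnum:]_]|$)|(^|[^[:alnum:]_])halt[[:space:]]+(-[[:alpha:]]+[[:space:]]+)*-[[:alpha:]]*p|(^|[^[:alnum:]_])shutdown[[:space:]]+(-[[:alpha:]]+[[:space:]]+)*-[[:alpha:]]*P'

# Interface take-down forms: ifconfig/ip link/ifdown, a networking init
# script stop, sysvinit "halt -i", and the Debian-style NETDOWN=yes setting.
NIC_RE='ifconfig[[:space:]]+[[:alnum:].:-]+[[:space:]]+down|ip[[:space:]]+link[[:space:]]+set[[:space:]]+(dev[[:space:]]+)?[[:alnum:].:-]+[[:space:]]+down|(^|[^[:alnum:]_])ifdown([[:space:]]|$)|/etc/init\.d/network(ing)?[[:space:]]+stop|(^|[^[:alnum:]_])halt[[:space:]]+(-[[:alpha:]]+[[:space:]]+)*-[[:alpha:]]*i|^[[:space:]]*NETDOWN=yes'

# audit_halt_script FILE: prints every offending line (with its number) to
# stdout, an explanation to stderr, and returns 0 only if the file is clean.
audit_halt_script() {
    script=$1
    rc=0
    if grep -nE "$POWEROFF_RE" "$script"; then
        echo "  ^ power-off found in $script: the box must halt, not power off" >&2
        rc=1
    fi
    if grep -nE "$NIC_RE" "$script"; then
        echo "  ^ interface take-down found in $script: leave the NICs up" >&2
        rc=1
    fi
    return $rc
}

# write_samples DIR: writes two constructed sample halt scripts into DIR,
# one that defeats the trick (halt.bad) and one that keeps it (halt.good).
write_samples() {
    dir=$1
    cat > "$dir/halt.bad" <<'EOF'
#!/bin/sh
# constructed sample: a distribution-style halt script
/etc/init.d/networking stop
sync
umount -a
halt -d -f -i -p
EOF
    cat > "$dir/halt.good" <<'EOF'
#!/bin/sh
# constructed sample: stops services, unmounts, then halts with NICs still up
sync
umount -a -r
halt -d -f
EOF
}

# Usage: ./audit_halt.sh /etc/init.d/halt
if [ $# -gt 0 ]; then
    audit_halt_script "$1" || exit 1
fi
```

The "good" form is simply halt with neither -p nor -i (on a systemd box, systemctl halt rather than systemctl poweroff; at the syscall level the difference is reboot() with LINUX_REBOOT_CMD_HALT instead of LINUX_REBOOT_CMD_POWER_OFF). One caveat before relying on this anywhere: whether a halted kernel still forwards anything depends on what the arch's halt path does after "System halted"; on current x86 kernels it disables interrupts before parking the CPU, so test it on the actual box rather than assuming the packets keep flowing.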
Very interesting.