I would not use a full-blown distro for a firewall (i.e. no Mandrake, no Red Hat, no SuSE, etc). They are all tailored to install a lot of things by default to make your life easier. The problem is that all those extra packages also make security exploits a lot easier. They do not belong on a firewall.
From this point you have several choices. You could use a dedicated Linux distro for firewalls, such as IPCop, Astaro, etc (there are several others of varying degrees of usefulness). You could build a from scratch distro of Linux and only add the stuff you need (build your own kernel, etc). I'm assuming you want this to be Linux, but I just have to mention that OpenBSD is just about tailor-made for being a bastion host. OBSD installs very minimally, less than 200MB with the bare basics. Then you configure pf and you're on your way.
I digress. As for packages, obviously if it's Linux you need to build the kernel with iptables support. You will want the Snort package for NIDS and Tripwire for HIDS. You may want to install Bastille to help you lock the box down. Your logs should be sent to an internal machine (syslog is very good for this). You may wish to configure Squid as an HTTP proxy, but for few clients this might be more trouble than it's worth. If you do install Squid, make VERY SURE it's not accessible from the Internet side. Open proxies generate a lot of ill-will towards their owners and likely your ISP will revoke your account.
O'Reilly's Building Internet Firewalls is highly recommended reading, and Hacking Exposed wouldn't be a bad read, either (you can probably pick up old editions very cheaply since a new ed. comes out every several months).
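
The Squid caveat above (keep the proxy unreachable from the Internet side) can be checked mechanically. The following is an added example, not part of the original post: a small audit of `squid.conf` text that flags a wildcard `http_port` and an `http_access allow` rule that matches any client. Both sample configs are constructed, and the LAN address 192.168.1.1 and network 192.168.1.0/24 are assumptions.

```python
import ipaddress

# Constructed sample configs for illustration; addresses are assumed LAN values.
WEAK_CONF = """\
http_port 3128
acl all src 0.0.0.0/0
http_access allow all
"""

HARDENED_CONF = """\
http_port 192.168.1.1:3128        # bind to the internal interface only
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
"""

def _is_world(net):
    """True if an acl 'src' value covers every address (prefix length 0)."""
    try:
        return ipaddress.ip_network(net, strict=False).prefixlen == 0
    except ValueError:
        return False  # ranges, hostnames, file references: not treated as "everyone"

def audit_squid_conf(text):
    """Return findings that would leave the proxy usable from outside."""
    findings = []
    world_acls = {"all"}   # 'all' is built in on current Squid releases
    decided = False        # http_access is first-match; stop at a catch-all rule
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2:
            continue
        directive, args = words[0], words[1:]
        if directive == "http_port":
            host = args[0].rpartition(":")[0]   # empty when only a port is given
            if host in ("", "0.0.0.0", "[::]"):
                findings.append("http_port %s listens on every interface" % args[0])
        elif directive == "acl" and len(args) >= 3 and args[1] == "src":
            if any(_is_world(n) for n in args[2:]):
                world_acls.add(args[0])
        elif directive == "http_access" and len(args) >= 2 and not decided:
            if all(a in world_acls for a in args[1:]):
                decided = True
                if args[0] == "allow":
                    findings.append("http_access allow %s matches any client"
                                    % " ".join(args[1:]))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_squid_conf(conf) or "no findings")
```

A clean result here only covers Squid's own settings; the packet filter should still drop connections to the proxy port arriving on the external interface.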