The basic idea is to have a system with three NICs. Two of the NICs are set in bridge mode and pass all traffic between them in both directions. You can then filter traffic on the bridging interface using iptables (or pf on BSD). The third NIC is for management and would carry a PHP-based web interface for administering the box. Because the bridging interfaces have no IP addresses on them, it is impossible to reach the machine through those interfaces. If you run a traceroute, the machine will not show up; if you look at the ARP table of the switch or router it is connected to, you will see nothing but the other devices connected to it. So for all intents and purposes the machine doesn't exist; that's why I called it Spoon Linux, because there is no spoon. The system will be based on Gentoo, mainly because it is more customizable from the start and I can remove everything except what I need, right down to the code and optimization level.
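Added example, not code from the original page or from the Spoon Linux project: a POSIX shell script that builds the IP-less bridge from the two filtering NICs and applies a minimal iptables policy of the kind described above. The interface names eth0/eth1/eth2, the bridge name br0, the management network 192.0.2.0/24 and the HTTPS port for the management interface are assumptions; by default the script only prints the commands, and it applies them (as root) only when run with DRY_RUN=0.

```shell
#!/bin/sh
# Transparent bridging firewall setup (added example, assumptions noted).
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it.
DRY_RUN=${DRY_RUN:-1}
BR=br0           # assumed bridge name
IN_IF=eth1       # assumed "inside" bridge port
OUT_IF=eth2      # assumed "outside" bridge port
MGMT_IF=eth0     # assumed management NIC (the only one with an IP)
MGMT_NET=192.0.2.0/24   # constructed RFC 5737 documentation network
MGMT_PORT=443           # assumed port of the PHP management interface

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

bridge_setup() {
    run ip link add name "$BR" type bridge
    run ip link set "$IN_IF" master "$BR"
    run ip link set "$OUT_IF" master "$BR"
    # Deliberately no "ip addr add" on br0/eth1/eth2: with no IP address the
    # box answers no ARP and appears in no traceroute on the bridged segment.
    run ip link set "$IN_IF" up
    run ip link set "$OUT_IF" up
    run ip link set "$BR" up
    # Bridged frames only reach iptables when br_netfilter is loaded and
    # bridge-nf-call-iptables is enabled; otherwise FORWARD rules never fire.
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

firewall_rules() {
    # Bridged traffic traverses the FORWARD chain; the physdev match
    # identifies which bridge port a frame entered on.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m physdev --physdev-is-bridged \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New flows are allowed only from the inside port toward the outside.
    run iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in "$IN_IF" \
        -m conntrack --ctstate NEW -j ACCEPT
    # The management interface is reachable only via the management NIC,
    # from the management network, on the web interface port.
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$MGMT_IF" -s "$MGMT_NET" -p tcp \
        --dport "$MGMT_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# Run as: sh spoon-bridge.sh (prints commands) or DRY_RUN=0 sh spoon-bridge.sh
bridge_setup
firewall_rules
```

Because the bridge ports carry no IP address, the INPUT rules above only matter for the management NIC; the two bridged ports are governed entirely by the FORWARD chain.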