Also discussed in this thread.

I'm still not 100% sure you cannot not do very basic iptables (setting input policy to drop for example) with the stock kernel.

I have not tried it and I'm running a custom kernel because I'm developing a mobile hotspot.

Compiling a new kernel (or just modules in case they do not require any special/extended symbols in the kernel proper, but netfilter does...) is not really that hard once you have a working scratchbox (see for example the bottom of the hotspot project page).

There is also kernel-maemo which is a (separate) custom kernel with even more features than the hotspot one (which basically adds only netfilter and qos).

As for "sshd available and working" only if you explicitly install it.