I think APF firewall has a built-in anti-DoS feature. Also, you might as well compile your kernel with SYN cookies, which will help prevent SYN flooding.
In addition to these, you could also drop continuous connections from a source IP by using the --limit chain in iptables, if it exceeds x number of connections per second.
It's not possible to completely block a DoS; a friend of mine was talking about a system he was working on which would virtually make it impossible to DoS using intelligent routing and such, but that requires several boxes.
Steven Ciaburri | Proactive Linux Server Management- Rack911.com System Administration Extraordinaire | Follow us on twitter:@Rack911Labs Managed Servers (AS62710), Server Management, and Security Auditing. www.HostingSecList.com - Security notices for the hosting community.
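
An added illustration, not part of the post above and not APF or iptables code: a small Python model of the per-source token bucket behind "drop a source IP that exceeds x connections per second", run over constructed connection timestamps. The rate, burst size and IP addresses are assumed sample values.

```python
from collections import Counter, defaultdict

def rate_limit(events, rate_per_sec, burst):
    """Per-source token bucket.

    events: iterable of (timestamp_seconds, src_ip), sorted by time.
    Each source starts with `burst` tokens, regains `rate_per_sec` tokens
    per second (capped at `burst`), and spends one token per new connection.
    Returns a list of (timestamp, src_ip, "ACCEPT" | "DROP").
    """
    tokens = defaultdict(lambda: float(burst))
    last_seen = {}
    decisions = []
    for ts, src in events:
        elapsed = ts - last_seen.get(src, ts)
        tokens[src] = min(float(burst), tokens[src] + elapsed * rate_per_sec)
        last_seen[src] = ts
        if tokens[src] >= 1.0:
            tokens[src] -= 1.0
            decisions.append((ts, src, "ACCEPT"))
        else:
            decisions.append((ts, src, "DROP"))
    return decisions

def summarize(decisions):
    """Count ACCEPT/DROP verdicts per source IP."""
    summary = defaultdict(Counter)
    for _, src, verdict in decisions:
        summary[src][verdict] += 1
    return summary

def sample_events():
    """Constructed input: one normal client and one flooding source."""
    # Normal client: one new connection per second for 5 seconds.
    events = [(float(t), "192.0.2.10") for t in range(5)]
    # Flooding source: 50 new connections per second for 2 seconds.
    events += [(i / 50.0, "198.51.100.7") for i in range(100)]
    return sorted(events)

if __name__ == "__main__":
    # Assumed policy: 5 new connections/second per source, burst of 10.
    result = summarize(rate_limit(sample_events(), rate_per_sec=5, burst=10))
    for src, counts in sorted(result.items()):
        print(src, dict(counts))
```

The flooding source gets its initial burst and then only the refill rate, while the normal client is never dropped. The dropped packets still reach the host's network link, which is why rate limiting on the box reduces load but cannot absorb a large flood on its own.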