The point was that if you have blocked every port for everything in all directions you don't need a firewall, you don't even need an internet connection at all. It isn't until you want to allow some packets but not all packets that a fw actually is needed. I'm pretty sure you knew that. So if your fw is going to let in a particular packet, it has to look at every single one to decide if the packet matched the criteria of a packet that is allowed to pass through the fw. I think you knew that too. So now we are looking at the decision algorithms. Are they perfect? Any chance of a buffer overrun? Any chance that the criteria for an allowed packet aren't strict enough? Any possibility that spoofing can occur? These are questions for the developer since you couldn't know the answer without the source code. Even then, could there be an oversight? What if other software is installed, does that elevate the risks?