I recently had a look at a PaloAlto Firewall –
an application aware, Deep Packet Inspection Firewall; able to block e.g. facebook chat and still allow “normal” surfing.
I was amazed that a “firewall piercing” posted in January 2011 was still possible.
I managed to remotely control an internal computer from the outside using “rwwwshell”. The Firewall did not recognize the remote connection and logged it as normal web-browsing. Weird..