Well, I think I would see it the other way:
The Linux Netfilter firewall is a really beautiful, really easy to understand (when it comes to practical use) and well designed part of the Linux kernel. The work done by Rusty Russell (I think his name was) is really something great.
My point of view:
1. The logical function of the firewall is something that should be regarded as something different from those problems related to the server functions, as this would allow more freedom and focus on the firewall design itself.
2. The firewall problems are easily separated (and should be separated) from the rest of the problems related to server security.
3. If both problem areas are considered as a whole and without a principle of modularization or breaking up the problem into pieces (the firewall part and the server part), the complexity of the project will be on such a level that it will be rather difficult to do anything else than just small steps and minor modifications.
4. With a new approach and a better modularization and a better structure between firewall and server related problems, a lot more could be done.
The way the Linux firewall works gives a situation where developers are free to work on the firewall problems as something different and separate from the server functions, which I think could reduce the complexity of the overall situation to just a fraction of what it is when all these problems are mixed into one bag.
Of course I would contribute if I could, but I don't understand at all how this could be done.
My opinion is that the Linux firewall is something very easy and quite manageable, if one just understands its simplicity and lack of complexities. As I would see it, the easier and the more well structured a firewall design is, the more "safe" it will be. "Safe" will in this case mean that it is possible to predict how it will behave under certain situations and to decide how it did fail, if this should happen. The opposite way: the more complex a firewall design is, the more risk there is for something unexpected to happen, and the more difficult it will also be to trace it out if it fails.
By the way, I'm not selling or promoting anything at all. I'm just discussing, trying to learn a little bit more. (And I certainly do not have all the valid answers.)
As I see it, Linux firewalling is much like bicycling. You don't need to be an expert, but you need to understand what you are doing. It might be safer to take a taxi or train to town, but some of us might prefer bicycling and the freedom of going where you want to go, and having full control.
If a better and more flexible firewall solution should be developed, I think the first thing that would be needed is some discussion about how a firewall should work, why it should do this and this and this, and not that, and so on.
What actually normally happens if someone mentions something about firewalling on this forum is that someone from the development team posts a message that advises: "please do not discuss firewalling".
If firewalling could be discussed, and some people were interested in this field of problems, I think it could be possible to come up with some alternative and new solutions.
If SME developers like to think that the firewall problems need to be tightly integrated into the server problems at the SME server, because it has always been like that, they are free to do that. But if someone thinks that the area of firewalling has its own life inside the Linux kernel, they can do that as well, because if you tell the kernel and yourself that it is like that, from a technical view, actually it is like that.
So technically, to flush out the existing SME firewall ruleset and replace it with a new one is one option, for a change to the better or the worse.
As I would see it, it will be very difficult if not almost impossible to make big changes in the SME firewall if the firewalling and the server related problems are not separated in an effective way. On the other hand, it should be rather easy to come up with new solutions if it is done. These could have graphical or non-graphical front-ends.
If the SME server is an open source project there should be no reason why it should not be possible to also build in advanced firewalling functions like those in the new version of Smoothwall. But I believe that this cannot be done (in a practical way) via the existing template system of the SME server. (It will need some more or less independent firewall configuration module or system of some kind.)
Eventually building such a module will also include experimenting with security and getting hacked. (No hacking no learning, as for the bicycling.)
Alternative firewalls for the SME server could have been there already for a long time, if there were some positive will to have it.
These firewall configuration tools could also do all kinds of fine grained firewalling control and also manage the problems related to a DMZ zone, a wireless zone, outbound traffic control, inbound traffic control, etc., etc.
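The two practical items in the post above, flushing the existing ruleset and replacing it with a new one, and a stand-alone firewall module that handles a DMZ, a wireless zone and inbound/outbound control, as an added example in shell. This is not code from the original post and not SME Server's or Smoothwall's own ruleset; the interface names, the networks and the DMZ host address are assumptions, and the zone policy is one illustrative choice. The whole ruleset is generated as a single iptables-restore document, so it can be printed and reviewed, syntax-checked with `iptables-restore --test`, and then applied as one atomic replacement instead of a long series of individual `iptables` commands whose intermediate states are hard to predict.

```shell
#!/bin/sh
# Added example: a small zoned Netfilter ruleset kept as its own module,
# independent of any server-side configuration. Not from the post above.
# All interface names, networks and hosts below are assumptions.

WAN_IF=eth0                 # assumed: upstream (Internet) interface
LAN_IF=eth1                 # assumed: trusted local network
DMZ_IF=eth2                 # assumed: DMZ holding one published web host
WLAN_IF=wlan0               # assumed: guest wireless zone
LAN_NET=192.168.1.0/24      # assumed
DMZ_NET=192.168.2.0/24      # assumed
WLAN_NET=192.168.3.0/24     # assumed
DMZ_WEB=192.168.2.10        # assumed: the only host the Internet may reach

# Emit the complete ruleset in iptables-restore format. Because everything
# is declared here, "flush and replace" becomes one atomic operation.
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Logged, rate-limited drop so a failure is traceable rather than silent
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
# Host-level: loopback, stateful replies, malformed packets
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Management only from the trusted LAN
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# DNS/DHCP served by the firewall to the internal zones
-A INPUT -i $LAN_IF -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i $WLAN_IF -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -j LOGDROP
# Forwarding: stateful replies first, then per-zone policy
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN: unrestricted outbound, may reach the DMZ
-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $DMZ_IF -d $DMZ_NET -j ACCEPT
# Wireless guests: web only, never the LAN or the DMZ
-A FORWARD -i $WLAN_IF -s $WLAN_NET -o $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
# DMZ outbound control: updates and DNS only; it can never initiate into the LAN
-A FORWARD -i $DMZ_IF -s $DMZ_NET -o $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $DMZ_IF -s $DMZ_NET -o $WAN_IF -p udp --dport 53 -j ACCEPT
# Inbound control: only the published web host, after the DNAT below
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_WEB -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -j LOGDROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $DMZ_WEB
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Parse-only check: iptables-restore --test builds the ruleset without committing it.
check_ruleset() { gen_ruleset | iptables-restore --test; }

# Atomic flush-and-replace of the filter and nat tables (needs root).
apply_ruleset() { gen_ruleset | iptables-restore; }

# Count generated lines matching a pattern; lets a reviewer ask questions
# like "how many rules forward traffic out of the DMZ?" without loading anything.
count_rules() { gen_ruleset | grep -c -- "$1" || true; }

case "${1:-}" in
    show)  gen_ruleset ;;
    check) check_ruleset ;;
    apply) check_ruleset && apply_ruleset ;;
esac
```

Saved as, say, fw.sh (an assumed name), `sh fw.sh show` prints the ruleset for review, `sh fw.sh check` parses it against the running kernel without committing, and `sh fw.sh apply` (as root) replaces both tables in one step. The trailing LOGDROP chain is what makes the post's "decide how it did fail" possible: anything not explicitly allowed shows up in the kernel log with a fixed prefix instead of vanishing.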