A SYN filtering strategy works extremely well for TCP. The only change we advocate to protocol designers and implementors is that TCP-based protocols should never require applications to open a back-channel connection. The problem here is obvious: a request-response filter allows a SYN packet to go out through the firewall but drops the SYN packet by which the external host requests a back-channel. Although a TCP connection originating from outside the firewall might be an application-level ``response'' to an FTP or rsh request originating within the firewall, a stateless packet filter has no way of knowing this.
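The following is an added illustration, not code from the paper: a minimal stateless request-response filter of the kind described above, run over a constructed packet trace of an FTP session between an inside host (10.0.0.5, a made-up address) and an outside server (192.0.2.10). A packet with SYN set and ACK clear is treated as a connection request and is allowed only when its source is inside; everything else is passed without keeping any state. The trace shows why the server's active-mode data back-channel is dropped while a client-initiated passive-mode data connection is not.

```python
from dataclasses import dataclass

# Constructed example addressing: 10.0.0.0/24 is "inside", everything else "outside".
INTERNAL_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    label: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_PREFIX)


def filter_decision(pkt: Packet) -> str:
    """Stateless request-response filter.

    SYN set and ACK clear marks a connection request; it is allowed only when it
    originates inside. Every other segment (SYN/ACK, ACK, data) belongs to a
    connection that has already begun and is passed without any per-connection state,
    which is exactly why the filter cannot recognise an application-level "response".
    """
    if pkt.syn and not pkt.ack:
        return "ALLOW" if is_internal(pkt.src) else "DROP"
    return "ALLOW"


# Constructed trace: the inside client talks FTP to the outside server.
SAMPLE_PACKETS = [
    Packet("control SYN out",          "10.0.0.5", 4000, "192.0.2.10", 21,    True,  False),
    Packet("control SYN/ACK in",       "192.0.2.10", 21, "10.0.0.5",   4000,  True,  True),
    Packet("control ACK out",          "10.0.0.5", 4000, "192.0.2.10", 21,    False, True),
    # Active-mode FTP: the server opens the data back-channel from its port 20.
    Packet("active-mode data SYN in",  "192.0.2.10", 20, "10.0.0.5",   4001,  True,  False),
    # Passive-mode FTP: the client opens the data connection to a port the server advertised.
    Packet("passive-mode data SYN out", "10.0.0.5", 4002, "192.0.2.10", 50123, True,  False),
]


def evaluate(packets=SAMPLE_PACKETS) -> dict:
    """Return the filter's verdict for each labelled packet in the trace."""
    return {p.label: filter_decision(p) for p in packets}


if __name__ == "__main__":
    for label, decision in evaluate().items():
        print(f"{decision:5s} {label}")
```

The filter never consults the control connection, so the only information it has about the inbound port-20 SYN is that it is a connection request from outside; dropping it is the correct stateless decision, and the application has to be changed so that it never needs that SYN.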
Protocols like FTP and rsh use back-channels to create an additional connection over which an application can send a data stream that is, at the application level, asynchronous or conceptually separate from the ``main'' application connection. FTP uses a back-channel to separate command and data streams; rsh does it to separate UNIX stdout and stderr. Where a service requires additional TCP connections to implement the desired application semantics, we see no reason why those additional connections must be opened by the server. The same effect can be obtained by having the server bind a local socket, find the local port number, send that port number in an application-level message to the client, and start a passive TCP open. The client then initiates an active open to the specified port, on which the server is waiting for the client to connect. The result is functionally identical to having the server establish a channel to the client, but without requiring a SYN packet from the server through the firewall.
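The four-step replacement for a back-channel described above, as an added example that is not part of the paper: server and client run in one process over loopback, the server binds a data socket to port 0 so the OS picks the port, reads the port back, announces it over the control connection and waits passively; the client then performs the active open. The `PASV-PORT n` line and the listing payload are constructed for the example and are not FTP's actual PASV reply syntax.

```python
import socket
import threading

# Constructed sample payload standing in for an FTP directory listing.
PAYLOAD = b"total 2\n-rw-r--r-- README\ndrwxr-xr-x src/\n"


def serve_one(control_listener: socket.socket, seen: dict) -> None:
    """Server side: bind a fresh data socket, learn its port, tell the client
    over the control connection, then wait passively for the client's SYN."""
    ctrl, _ = control_listener.accept()
    with ctrl:
        data_listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        with data_listener:
            data_listener.bind(("127.0.0.1", 0))          # port 0: let the OS choose
            data_listener.listen(1)
            port = data_listener.getsockname()[1]         # find the local port number
            seen["advertised_port"] = port
            ctrl.sendall(f"PASV-PORT {port}\n".encode())  # application-level message (constructed format)
            data_conn, peer = data_listener.accept()      # passive open: the client comes to us
            seen["data_peer_port"] = peer[1]
            with data_conn:
                data_conn.sendall(PAYLOAD)


def fetch(host: str, ctrl_port: int) -> tuple:
    """Client side: read the advertised port, then perform the active open itself,
    so the only data-channel SYN is an outbound one."""
    with socket.create_connection((host, ctrl_port)) as ctrl:
        line = b""
        while not line.endswith(b"\n"):
            chunk = ctrl.recv(64)
            if not chunk:
                raise ConnectionError("control channel closed before a port was announced")
            line += chunk
        port = int(line.split()[1])
        with socket.create_connection((host, port)) as data:
            local_port = data.getsockname()[1]
            chunks = []
            while True:
                chunk = data.recv(4096)
                if not chunk:                             # server closed: transfer complete
                    break
                chunks.append(chunk)
    return port, local_port, b"".join(chunks)


def run_demo() -> dict:
    """Run server and client over loopback and report who connected to whom."""
    control_listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    control_listener.bind(("127.0.0.1", 0))
    control_listener.listen(1)
    seen: dict = {}
    t = threading.Thread(target=serve_one, args=(control_listener, seen), daemon=True)
    t.start()
    port, client_data_port, data = fetch("127.0.0.1", control_listener.getsockname()[1])
    t.join(5)
    control_listener.close()
    return {
        "data": data,
        "client_connected_to": port,
        "advertised_port": seen["advertised_port"],
        "client_data_port": client_data_port,
        "server_saw_peer_port": seen["data_peer_port"],
    }


if __name__ == "__main__":
    print(run_demo())
```

The server's view of the data connection's peer is the client's own ephemeral port, confirming that the client initiated the connection; behind a request-response filter that outbound SYN is the only one the data channel ever needs. The same arrangement would serve rsh's separate stderr stream.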
However, replacing TCP back-channels with active connections is not an adequate solution for X, where the roles of client and server are reversed. There is no channel between the X server and any external process over which external clients can bootstrap connections. Addressing this version of the back-channel problem without using an application-level gateway would therefore require far-reaching changes to the X window protocol and is an area for future research.