I should have included one more aspect in the third set. That is
traffic disallowed by policy. Current top-of-mind in security
circles includes NTP attacks - someone sends a message with a
spoofed source address to an NTP server, which now sends
something to that address every mumble time units...
Presumably, your firewall could have some kind of source address verification
that takes care of such spoofing.
As for "diode firewalls," they can be bypassed trivially using ICE, STUN, etc.
That is, as long as the application is using UDP. Which means that instead of
applications running over TCP, they will need to use some reliable transport
over UDP. There are plenty of those...
Now, we can debate whether the Internet will be a better place with diode
firewalls instead of routers and transport over UDP instead of TCP.
-- Christian Huitema
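The source-address verification mentioned above, as an added worked example that is not part of the message: a strict reverse-path check (the BCP 38 / uRPF idea) at an edge router, run over a constructed two-interface topology and a handful of constructed packets, including a spoofed NTP query of the kind that feeds the amplification attack.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology (assumed, not from the message): "cust0" faces a customer
# that owns 203.0.113.0/24; "up0" is the default route toward the Internet.
# Strict reverse-path rule: a packet may enter only on the interface through
# which its source prefix is reachable, so a customer cannot emit packets
# with someone else's address, and the outside cannot claim an inside address.
PREFIXES_BY_INTERFACE: Dict[str, List[ipaddress.IPv4Network]] = {
    "cust0": [ipaddress.ip_network("203.0.113.0/24")],
}
DEFAULT_INTERFACE = "up0"

# Sources that must never appear on a public link (explicit list, assumed policy).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

def expected_interface(src: ipaddress.IPv4Address) -> str:
    """Interface a packet back to `src` would leave through (the reverse path)."""
    for ifname, nets in PREFIXES_BY_INTERFACE.items():
        if any(src in net for net in nets):
            return ifname
    return DEFAULT_INTERFACE

def verify_source(ingress: str, src_ip: str) -> Tuple[bool, str]:
    """Return (accept, reason) for a packet with source src_ip arriving on ingress."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in BOGONS):
        return False, "bogon source"
    rp = expected_interface(src)
    if rp != ingress:
        return False, f"spoofed: {src} belongs behind {rp}, arrived on {ingress}"
    return True, "ok"

# Constructed sample packets: (ingress interface, source, destination, dest port)
SAMPLE = [
    ("cust0", "203.0.113.10", "192.0.2.1",    123),  # legitimate NTP query
    ("cust0", "198.51.100.7", "192.0.2.1",    123),  # spoofed: victim's address as source
    ("up0",   "203.0.113.10", "203.0.113.20", 123),  # outside packet claiming inside source
    ("up0",   "10.0.0.5",     "203.0.113.20", 53),   # RFC 1918 source from the Internet
    ("up0",   "198.51.100.7", "203.0.113.10", 123),  # genuine reply from an external server
]

def filter_packets(packets=SAMPLE):
    """Run verify_source over each packet; return the dropped ones with reasons."""
    return [(pkt, why) for pkt in packets
            for ok, why in [verify_source(pkt[0], pkt[1])] if not ok]

if __name__ == "__main__":
    for pkt, why in filter_packets():
        print("DROP", pkt, "->", why)
```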