
primary purpose of firewalls

2003-06-19 19:11:01
>> I believe the primary purpose of firewalls should be to
>> protect the network, not the hosts, from abusive or
>> unauthorized usage.

> I do not agree with this. The primary purpose of firewalls is to protect
> BOTH the network and the hosts.

The reason I disagree is that, fundamentally, there's no way that a firewall
can reliably distinguish legitimate traffic from illegitimate traffic, and
there's no way that a firewall can exclude all (or in many cases even most)
threats. To do that it would have to be smarter than the application. A
firewall can thwart some subset of threats, or a firewall can block legitimate
traffic. What it cannot do is remove the burden from hosts and applications
to implement reliable security.

OTOH, the network cannot expect hosts to protect it; it must protect itself.
That's why I say that the primary purpose of firewalls is to protect the
network. If the firewall can also provide security in depth for hosts, that's
useful, but that's just a backup - there's no way to have confidence in the
security of a host that relies on firewalls as its primary means of
protection.

>> an intermediary MUST NOT alter the source or destination
>> field in an IP header.

> There is nothing wrong with this if another intermediary puts it back
> the way it was originally, preserving end-to-end traffic.

If you're talking about RSIP, I don't think that's true, because IIRC it still
requires hosts and apps to be aware of addressing realms.
