I remember when people were making a big deal about this with Linux Kernels. I did not see great value in it for large organizations. It could be used for personal use, perhaps, but not a medium or large business.

With a "real" firewall product, you have access to add, remove or modify existing rules. Logging, triggers, and a service to provide system status (of the firewall device) are often possible.
An interactive system allows for command-line testing of rules with sample packets describes on the CLI-- great for troubleshooting, but not really available from the system when halted.
With a halted system, you have no extra service, no auditing, no logging, and most reconfiguration reconfiguration requires a reboot.
Reboots mean downtime, and the longer it takes to reboot, reconfigure, test and then reboot to ensure changes work for the next reboot, the more the users won't like it.

IMO, they are not worth the cost (time/money for efficiency provided) and there are more effective solutions for mid/large business that have less latency, more options, and auditing-- even if it is to a remote syslog server. (Perhaps an embedded device may reboot fast enough, but not a full PC.)

In the tradeoff of functionality for security, I think the losses in functionality are much worse than the gains to security, and if reliability and availability are part of your security model, then it may actually hurt security.

I put this on the shelf next to, "things that are amusing, but not for me."

http://www.jtan.com/jtanoss/cdboot/

This thing is just awesome for something sort of between a commercial firewall package and a halted firewall: a read-only instance of OpenBSD 3.5 with pf on a bootable CD that mounts the /etc partition off of a floppy disk. Simple to set up and move around, the base OS is completely read-only, and if needed the firewall ruleset itself can be set to read only by flicking the switch on the floppy.

With this setup I've been able to move the "logical firewall" (i.e. CD and floppy) between two completely different hardware platforms in under 5 minutes. The only things that really need to change are the network device names (e.g. fxp0 to rl0, etc.)

-g