TCP firewalls could be circumvented by sending a SYN Packets with other flags (like e.g. RST flag) set, which was not correctly discarded by the Linux TCP stack after firewalling.
https://www.openwall.com/lists/oss-security/2012/02/03/7
https://www.kb.cert.org/vuls/id/464113
http://www.openwall.com/lists/oss-security/2014/02/12/8
http://www.openwall.com/lists/oss-security/2012/05/31/3
http://www.openwall.com/lists/oss-security/2012/05/30/9
http://www.openwall.com/lists/oss-security/2012/05/30/8
http://www.openwall.com/lists/oss-security/2012/05/30/4
http://www.openwall.com/lists/oss-security/2012/05/30/2
http://www.openwall.com/lists/oss-security/2012/05/30/13
http://www.openwall.com/lists/oss-security/2012/05/30/12