Hi,
In some cases, one firewall rule overrides the other.
A good constellation is a hardware firewall and a software packet filter firewall.
Do not go for the application firewalls. These firewalls are good, that's for sure, but a packet filter firewall catches more from the traffic than the application firewall type.
hwf: Linux or GateLock 200x
sfw: VisNetic Firewall / ConSeal Firewall.