August 19th, 2004, 10:13 PM
#5
Originally posted here by cacosapo
To install rootkit, you need some kind of privilege escalation to replace system files, don't you? Or it's a flaw?
Depends, many rootkits come with a number of priv. escalation exploits. The point I am making is if you render the possible ways a remote exploit may be used inoperable, it lessens the impact of a given remote exploit.
Originally posted here by ammo
Oh, just FYI, reviewing the pf man page I linked, it mentions an important detail:
I can't say if the same holds true for Iptables although I don't see why it would be different (chsh, can you confirm?)... Don't be fooled!
Yes, this applies for Netfilter. However it applies only to listening servers, or anything that does a privilege diminish after binding a reserved port number, thus it is irrelevant to how I mention its use above. Why? How privilege diminishing works (and why servers implement it), using Apache as an example:
1. Apache boots up (as root), binds to port 80, and then drops privileges to apache:apache.
2. An attacker hits on a working exploit in this particular copy of Apache.
3. Attacker spawns a wget instance using apache. This wget instance runs under apache:apache, not root:root, therefore it is blocked.
Once it has dropped privileges most servers are incapable of regaining those privileges.
You are quite correct in that this is only useful on desktops and/or servers, which was the context I placed it in.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?