I feel sure that the various extra netfilter modules are there for a purpose - to make some Windows-like firewall GUI possible. Specifically, the QUEUE target allows packets to be passed into userspace where some Zonealarm-like app can pop up a message asking the user if they wish to allow it, then create a pid-based rule to allow or deny the access.

I don't know any Zonealarm-like GUI which exists using this functionality though. The kernel supports it.

Slarty