Firewall
My personal opinion about what a good firewall is I formed some time ago. It is just a personal opinion, with some arguments that I am right. I am open to every criticism of my own opinion and thinking; I do not claim that it is absolutely correct, but it looks to me that it is right.
My definition of a good firewall is built somewhat like the one below; if anyone knows better, do not hesitate to use one of the links above or below, so that I can improve these things.
For me, a firewall is a group of measures: how to use the individual types of systems, software and hardware, rules for their configuration and for the remaining equipment, and physical protection of the parts used, with the intention:
- to ensure protection of data against unauthorized access from the global network (the content of the data)
- to ensure the integrity of data during transfer over the global network to other protected systems that are functionally connected with our system (tunnels between local networks)
- to block attacks by malicious code and other forms of indirect intrusion into the local network (viruses, Trojan horses, web pages that contain such code)
- to preserve full or partial functionality of the protected system in case of DoS attacks
- to alert on and analyse events on the firewall (alerts, logs, diagrams)
If we know how, a firewall can be realized with purchased software or hardware, or with GPL and other free software. At this point I want to mention that, if we know how, we can probably get through every firewall, because, again in my opinion, it is almost impossible to obtain security that is 100 percent when expressed as a percentage. Viruses and Trojans are evidence of this: they are an indirect intrusion into the information system, and probably no one who uses information technology has never met them. Moreover, if we look at intrusions through the OSI model, they move higher and higher, so the application layer is the most interesting to attackers at the moment, and the shield-versus-bullet principle is just an unfinished project.
An example of a good firewall, one that mostly meets the definition above:
- Snapshot of the current state and needs
- Making the rules for the filters
- 1-2 personal computers
- 2-8 network cards or ISDN adapters
- Installation and, where possible and necessary, modification of code, plus configuration of the system software:
  - Antivirus software (Panda, Sophos, ...) or OpenAntivirus
  - RedHat Linux 7.3 or later, Fedora, or another distribution with a 2.4.x or newer kernel
  - Modification of the Linux kernel if necessary
  - Netfilter/iptables
  - Postfix, sendmail or MS Exchange as mailer
  - amavisd-new or another content filter
  - BIND 9.2.x with current patches, or another DNS server
  - Apache or MS IIS web server
  - httpf content filter
  - FreeS/WAN, latest version
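As an added example, not code from this page or from any of the projects listed above, here is what the "rules for the filters" step produces for this kind of box and for the goals of the definition: one Linux host with three network cards (Internet, LAN, DMZ), a FreeS/WAN tunnel to a second site (the integrity goal), Postfix with amavisd-new, BIND and Apache in the DMZ, a rate-limited SYN chain (the DoS goal) and a rate-limited LOG chain (the alerting goal). The script only prints a ruleset in iptables-restore format and checks it; it is not applied unless you ask for that as root. All interface names, addresses, the remote gateway and the ipsec0 interface (FreeS/WAN KLIPS) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): Netfilter/iptables ruleset for a
# 3-NIC Linux firewall with DMZ and a FreeS/WAN tunnel. Every interface name,
# address and network below is an assumption, override them in the environment.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
DMZ_IF=${DMZ_IF:-eth2}
IPSEC_IF=${IPSEC_IF:-ipsec0}          # FreeS/WAN KLIPS virtual interface
LAN_NET=${LAN_NET:-192.168.1.0/24}
DMZ_NET=${DMZ_NET:-192.168.2.0/24}
MAIL_HOST=${MAIL_HOST:-192.168.2.10}  # Postfix + amavisd-new content filter
DNS_HOST=${DNS_HOST:-192.168.2.20}    # BIND 9
WEB_HOST=${WEB_HOST:-192.168.2.30}    # Apache behind httpf
PEER_GW=${PEER_GW:-203.0.113.5}       # remote IPsec gateway (documentation address)

# Print the whole ruleset; nothing is applied until iptables-restore reads it.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYNFLOOD - [0:0]
:LOGDROP - [0:0]
# Alerting goal: rate-limited LOG so a flood cannot fill the disk
-A LOGDROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "fw-drop: "
-A LOGDROP -j DROP
# DoS goal: cap new TCP connections so the box keeps partial service under a SYN flood
-A SYNFLOOD -m limit --limit 25/s --limit-burst 50 -j RETURN
-A SYNFLOOD -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: internal source addresses never arrive from the Internet
-A INPUT -i $WAN_IF -s $LAN_NET -j LOGDROP
-A INPUT -i $WAN_IF -s $DMZ_NET -j LOGDROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j LOGDROP
-A FORWARD -i $WAN_IF -s $DMZ_NET -j LOGDROP
-A INPUT -p tcp --syn -j SYNFLOOD
-A FORWARD -p tcp --syn -j SYNFLOOD
# Integrity goal: IKE and ESP only from the known peer; decrypted traffic appears on $IPSEC_IF
-A INPUT -i $WAN_IF -s $PEER_GW -p udp --dport 500 -j ACCEPT
-A INPUT -i $WAN_IF -s $PEER_GW -p esp -j ACCEPT
-A FORWARD -i $IPSEC_IF -d $LAN_NET -j ACCEPT
-A FORWARD -i $LAN_IF -o $IPSEC_IF -s $LAN_NET -j ACCEPT
# The Internet reaches only the published DMZ services (mail relay, DNS, web)
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $MAIL_HOST -p tcp --dport 25 -j ACCEPT
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $DNS_HOST -p udp --dport 53 -j ACCEPT
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $DNS_HOST -p tcp --dport 53 -j ACCEPT
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $WEB_HOST -p tcp --dport 80 -j ACCEPT
# LAN may go out and into the DMZ; the DMZ reaches the Internet only for its own services
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $DMZ_IF -o $WAN_IF -s $MAIL_HOST -p tcp --dport 25 -j ACCEPT
-A FORWARD -i $DMZ_IF -o $WAN_IF -s $DNS_HOST -p udp --dport 53 -j ACCEPT
-A FORWARD -i $DMZ_IF -o $WAN_IF -s $DNS_HOST -p tcp --dport 53 -j ACCEPT
# Administration of the firewall itself from the LAN only
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -j LOGDROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Publish the DMZ services on the WAN address; hide LAN and DMZ behind it on the way out
-A PREROUTING -i $WAN_IF -p tcp --dport 25 -j DNAT --to-destination $MAIL_HOST
-A PREROUTING -i $WAN_IF -p udp --dport 53 -j DNAT --to-destination $DNS_HOST
-A PREROUTING -i $WAN_IF -p tcp --dport 53 -j DNAT --to-destination $DNS_HOST
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
-A POSTROUTING -o $WAN_IF -s $DMZ_NET -j MASQUERADE
COMMIT
EOF
}

# Checks to run before loading: default deny on INPUT and FORWARD, no rule that
# forwards Internet traffic straight into the LAN, and both tables committed.
validate_ruleset() {
    rules=$(gen_rules)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    if printf '%s\n' "$rules" | grep -q -- "-i $WAN_IF -o $LAN_IF"; then return 1; fi
    [ "$(printf '%s\n' "$rules" | grep -c '^COMMIT$')" -eq 2 ]
}

rule_count() { gen_rules | grep -c '^-A'; }

case "${1:-}" in
    --apply) validate_ruleset && gen_rules | iptables-restore ;;   # needs root
    --check) validate_ruleset && echo "ruleset OK ($(rule_count) rules)" ;;
    *)       gen_rules ;;
esac
```

Run it without arguments to review the generated rules, with `--check` to run the sanity checks, and with `--apply` as root to load them. Two design points worth noting: plaintext traffic for the tunnel leaves through the KLIPS ipsec0 interface, so the MASQUERADE rules on the WAN interface never rewrite it and the remote LAN sees real addresses; and every drop in INPUT and FORWARD passes through LOGDROP, so the kernel log (prefix `fw-drop:`) is the event source for the alerting and analysis goal of the definition.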
And here are some pictures of such a Linux firewall for different types of topology and levels of network security.