The only sensible argument *I* can come up with in the "packet filters vs.
application gateways" debate is that given the "available" software, it is
easier for someone who wants to "roll her own" to build and configure an
application gateway than a packet filter.
The general design is at a higher level: shut everything off, and then
decide what *services* to allow as opposed to shut everything off then
decide what ranges of ports to allow. It's just plain easier to do the
former correctly than the latter --- given available "freeware."
Additional ways to flog this dead horse are left as an exercise for
the reader. :-)

"Outside of a dog, a book is a man's best friend;
inside of a dog, it's too dark to read." -- Groucho Marx
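An added illustration of the contrast drawn above (example code, not part of the original post): the same default-deny intent expressed once as a named-service allowlist and once as port-range rules, evaluated over a constructed set of inbound connection attempts. The service names, the "allow high ports for return traffic" range rule, and the sample connections are assumptions chosen for the demonstration.

```python
"""Default-deny policy written two ways: allow named services vs. allow
port ranges. Service/port pairs are well-known values; the connection
attempts below are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port on the protected host


# Service-level allowlist: each name maps to the exact (proto, port) a
# gateway would proxy. Anything not named is refused by default.
SERVICE_TABLE = {"smtp": ("tcp", 25), "http": ("tcp", 80), "dns": ("udp", 53)}
ALLOWED_SERVICES = {"smtp", "http"}


def service_policy(c: Conn) -> bool:
    """Shut everything off, then allow only the named services."""
    return any(SERVICE_TABLE[s] == (c.proto, c.dport) for s in ALLOWED_SERVICES)


# Port-range allowlist: the same intent as (proto, lo, hi) ranges. The last
# rule is the stateless-filter workaround that lets return traffic reach
# ephemeral ports; it is the kind of range that is easy to get wrong.
PORT_RANGES = [("tcp", 25, 25), ("tcp", 80, 80), ("tcp", 1024, 65535)]


def range_policy(c: Conn) -> bool:
    """Shut everything off, then allow anything inside an allowed range."""
    return any(p == c.proto and lo <= c.dport <= hi for p, lo, hi in PORT_RANGES)


def compare(conns):
    """Return the connections on which the two policies disagree."""
    return [c for c in conns if service_policy(c) != range_policy(c)]


# Constructed inbound attempts: mail, web, DNS, telnet, X11 (6000), NFS (2049).
SAMPLE = [Conn("tcp", 25), Conn("tcp", 80), Conn("udp", 53),
          Conn("tcp", 23), Conn("tcp", 6000), Conn("tcp", 2049)]

if __name__ == "__main__":
    for c in compare(SAMPLE):
        print(f"{c.proto}/{c.dport}: service={service_policy(c)} range={range_policy(c)}")
```

The two policies agree on the services that were meant to be allowed and on telnet, and disagree only on the high-port services the range rule admits by accident.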