1. Even though it depends on how your fw's are configured to let traffic through, I'd say: both. Like in the Single Point of Failure thingie.
2. If your firewall got cracked this means you've been running daemons on the fw, and that's a bad habit unless you know what you're doing and accept the risks. In essence fw's are for regulating traffic, not for serving (public) services.
Read this at least:
UNIX Security Checklist v2.0: www.cert.org/tech_tips/unix_security_checklist2.0.html
The Twenty Most Critical Internet Security Vulnerabilities: http://www.sans.org/top20/
Steps for Recovering from a UNIX or NT System Compromise: www.cert.org/tech_tips/root_compromise.html
Security tips: www.cert.org/tech_tips/