1. Even though it depends on how your fw's are configured to let through traffic, I'd say: both. Like in the Single Point of Failure thingie.
2. If your firewall got cracked this means you've been running daemons on the fw, and that's a bad habit unless you know what you're doing and accept the risks. In essence fw's are for regulating traffic, not for serving (public) services.
Read this at least:
UNIX Security Checklist v2.0: www.cert.org/tech_tips/unix_security_checklist2.0.html,
The Twenty Most Critical Internet Security Vulnerabilities: http://www.sans.org/top20/,
Steps for Recovering from a UNIX or NT System Compromise: www.cert.org/tech_tips/root_compromise.html,
Security tips: www.cert.org/tech_tips/ and www.cert.org/security-improvement/.