You'd want to check www.redhat.com and the packages it provides to find out if there have been any security updates or patches. I am sure 9 is more secure, as they would have supplied more patches and updates at the time, but there might be more exploits, etc. that have been exposed since its release.
I'd suggest just using/learning iptables. I'm not familiar with Firestarter myself. And always check out unSpawn's security links at the top of this forum, as it's a sticky with lots of links with good information.