Just to be clear, I *agree* with you that a software firewall that runs on the same host as the application is a bad solution. But if the application runs on a virtual machine you have isolated the application's code and the kernel associated with it from the OS that runs the firewall.
Can you imagine a driver that runs as a rootkit trojan in a virtual machine, that then exploits a processor misfeature/bug to get into the memory space of the host OS? Probably yes. Will they prevent that eventually by some capability in the processors? Probably. In any case, it's a lot more secure to isolate the application in a virtual machine than to run it in the same application space as the firewall. You open up lots of possible tricks to work around the firewall.
I don't know what the real risks are, but my own subjective guess would be that if you have a properly configured firewall, and then introduce a rootkit trojan onto the host that runs the application you are firewalling, you have these percent chances of having the firewall stop its activity:
Approach 1: Software based firewall like ZoneAlarm: 90% chance that the Trojan bypasses the firewall completely.
Approach 2: Isolate the application into a virtual machine and the virtual machine gets the infection: 10% chance that the Trojan bypasses the firewall completely.
Approach 3: Isolate the application onto a separate physical computer that is attached by a dedicated ethernet segment to a separate firewall: problem of the two mechanisms not knowing the states of each other, so
Excellent and true, which is why you never use the NAT adapter... You create virtual *private* networks, and connect those to a routing firewall that runs on the host computer.
If you have a VMWare installation, try to go create a virtual private ethernet by using the separate "Manage Virtual Networks" application. Nothing like adding six dedicated class C networks to a network and getting it all "wired up" in about 20 minutes.
If the return ACK from the original TCP SYN doesn't reach the host firewall within the timeout, then the packet is dropped. Why would it be otherwise?
If it was otherwise, then yes that would be a bad thing and it would be a bug in the firewall or possibly bad firewall rule design.
The virtual machine does not "see" the physical interface. The virtual machines don't share it. The host has exclusive view and use of the external interface, just like in any real firewall.
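The following is an added example, not code from the original thread or from any product mentioned in it. It models the state-tracking behaviour discussed above: a routing firewall on the host sits between a virtual private network (assumed here to be 192.168.10.0/24) and the physical interface, records each outbound TCP SYN from a guest, accepts the matching SYN/ACK only while that entry is still within the timeout, and drops any unsolicited inbound packet. All addresses, ports, packets and the timeout value are constructed for the example; the handshake tracking is simplified to three states (pending, established, none) rather than a full TCP state machine.

```python
"""Toy stateful firewall for a host that routes a private virtual network."""
from dataclasses import dataclass
import ipaddress

# Assumed address of the virtual private network the guests are attached to.
PRIVATE_NET = ipaddress.ip_network("192.168.10.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    t: float          # arrival time in seconds on a simulated clock


class StatefulFirewall:
    def __init__(self, syn_timeout=30.0):
        self.syn_timeout = syn_timeout
        self.pending = {}        # flow key -> time the outbound SYN was seen
        self.established = set()  # flow keys whose SYN/ACK arrived in time

    def _expire(self, now):
        # Pending SYNs whose reply has not come back within the timeout are forgotten,
        # so a late SYN/ACK is treated like any other unsolicited inbound packet.
        for key, t0 in list(self.pending.items()):
            if now - t0 > self.syn_timeout:
                del self.pending[key]

    def handle(self, pkt):
        self._expire(pkt.t)
        outbound = ipaddress.ip_address(pkt.src) in PRIVATE_NET
        # Normalise both directions of a flow to the same key (guest side first).
        key = ((pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound
               else (pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if outbound:
            if pkt.flags == {"SYN"}:
                self.pending[key] = pkt.t
                return "ACCEPT"
            return "ACCEPT" if key in self.established else "DROP"
        # Inbound from the physical interface: only replies to tracked flows get through.
        if key in self.established:
            return "ACCEPT"
        if pkt.flags == {"SYN", "ACK"} and key in self.pending:
            del self.pending[key]
            self.established.add(key)
            return "ACCEPT"
        return "DROP"


def run_trace(syn_timeout=30.0):
    """Run a constructed packet trace through the firewall and return the verdicts."""
    fw = StatefulFirewall(syn_timeout)
    vm, ext = "192.168.10.5", "203.0.113.7"  # constructed guest and external addresses
    trace = [
        Packet(vm, 40000, ext, 443, frozenset({"SYN"}), 0.0),         # guest opens a connection
        Packet(ext, 443, vm, 40000, frozenset({"SYN", "ACK"}), 0.5),  # reply arrives in time
        Packet(vm, 40000, ext, 443, frozenset({"ACK"}), 0.6),         # handshake completes
        Packet(ext, 443, vm, 40001, frozenset({"SYN", "ACK"}), 1.0),  # unsolicited: no SYN for 40001
        Packet(vm, 40002, ext, 80, frozenset({"SYN"}), 2.0),          # second connection attempt
        Packet(ext, 80, vm, 40002, frozenset({"SYN", "ACK"}), 40.0),  # reply after the timeout
    ]
    return [fw.handle(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print(verdict)
```

Because every guest packet crosses the host's routing firewall, the guest never needs a view of the physical interface, which is the arrangement the thread describes; the trace shows the late SYN/ACK being dropped once its pending entry has expired, and accepted again if the timeout is raised.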