There have been some pretty good discussions about the usefulness of firewalls, and it would appear that the majority of the feedback is that firewalls are still an important part of the security infrastructure and will be around for some time.
I fully concur with this sentiment. However, I am surprised that the discussion revolves around legacy features and not the features that are required to meet today's needs.
Any reputable firewall can block, permit, and NAT, but is that really what we are still looking for? The reality is that, due to business requirements, most firewalls look like Swiss cheese given the number of ports that have been opened.
Additionally, practically every firewall policy will be defined with subnets instead of host addresses, because IP addresses are fluid.
Try to track Joe User over any length of time as he moves from cubicle to cubicle or hops onto a wireless network. It's nearly impossible, and you certainly can't rely on Joe to keep you informed when he moves around, so most administrators have given up and simply define subnets that cover most of the users without disruption.
Back to application ports: does anyone have an environment where HTTP always uses port 80 and HTTPS only ever uses 443? And you can throw FTP into that mix as well.
Bottom line: if you are still trying to block based on IP address and port, then it's time to stop and look at what firewalls can do today. The leading firewalls can block based on user, leveraging Active Directory. You can define single user IDs or AD groups.
These same firewalls can block on protocol patterns as opposed to ports. So you can actually control a protocol like HTTP regardless of what port it uses.
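As an added illustration (not from the original post) of why protocol-pattern rules catch what port-based rules miss, the small Python model below classifies the same constructed flows first by destination port and then by the first client bytes, and compares the verdicts. The user-to-group table standing in for an Active Directory lookup, the rules and the sample flows are all constructed assumptions.

```python
import re

# Constructed lookup standing in for an Active Directory group query (assumption).
AD_GROUPS = {"alice": "Staff", "bob": "Contractors"}
WELL_KNOWN_PORTS = {80: "http", 443: "tls", 21: "ftp"}
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT) \S+ HTTP/1\.[01]\r\n")

def identify_by_port(dst_port):
    """Legacy classification: the destination port *is* the application."""
    return WELL_KNOWN_PORTS.get(dst_port, "unknown")

def identify_by_payload(first_bytes):
    """Protocol-pattern classification on the first client bytes of a flow."""
    if HTTP_REQUEST.match(first_bytes):
        return "http"
    # TLS record header: content type handshake (0x16), major version 3, then ClientHello (0x01).
    if len(first_bytes) >= 6 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[5] == 0x01:
        return "tls"
    if first_bytes.startswith(b"USER "):  # FTP control-channel login command
        return "ftp"
    return "unknown"

def decide(flow, rules, classify):
    """Return (action, app): first matching rule wins, default deny."""
    app = classify(flow)
    group = AD_GROUPS.get(flow["user"], "unknown")
    for rule in rules:
        if rule["app"] in (app, "any") and rule["group"] in (group, "any"):
            return rule["action"], app
    return "deny", app

RULES = [  # constructed policy
    {"app": "http", "group": "Contractors", "action": "deny"},  # contractors get no plain HTTP on any port
    {"app": "any", "group": "any", "action": "allow"},          # everything else permitted (the Swiss-cheese posture)
]

CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]) + b"\x00" * 10  # constructed TLS record prefix
FLOWS = [  # constructed sample flows: user, destination port, first client bytes
    {"user": "alice", "dst_port": 80, "payload": b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"user": "bob", "dst_port": 8080, "payload": b"GET /proxy HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"user": "bob", "dst_port": 443, "payload": CLIENT_HELLO},
]

def evaluate(flows=FLOWS, rules=RULES):
    """For every flow, return (user, port, port-based verdict, protocol-based verdict)."""
    return [(f["user"], f["dst_port"],
             decide(f, rules, lambda x: identify_by_port(x["dst_port"]))[0],
             decide(f, rules, lambda x: identify_by_payload(x["payload"]))[0]) for f in flows]

if __name__ == "__main__":
    for user, port, by_port, by_payload in evaluate():
        print(f"{user:6} tcp/{port:<5} port-based: {by_port:5} protocol-based: {by_payload}")
```

The contractor's HTTP session on tcp/8080 sails through the port-based policy as "unknown" but is denied once the protocol is recognised from its request line.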
Furthermore, advancements in application-aware firewalls mean they can now do as good a job of blocking access to Internet applications as most content-filtering devices. There have also been significant advancements in onboard IPS and AV.
I fully realize there have been growing pains in these areas for the firewall vendors, but the leaders are doing a much more respectable job and can now hold their own.
You must still perform a good evaluation and, above all, do proper sizing. But in the end, firewalls aren't dead; blocking by IP and port should be.