The firewall should be designed as 2 separate drivers.
Initially an NDIS intermediate driver will be developed. This driver sits at the bottom of the network stack and has full control over all network traffic. This will be our stateful packet filter and will be configured via a firewall script. This driver is required for maximum security and is aimed at the more technical user, or at server implementations where greater security is required.
An NDIS driver alone has its drawbacks for end users, as it requires careful configuration and protocol knowledge (in the way iptables does). It also has no knowledge of running applications and can't set rules that tie in with these. For non-technical users, used to firewalls like the Windows Firewall and ZoneAlarm, this could pose a problem.
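As an added illustration of what "stateful" means for the NDIS filter described above, here is a constructed user-mode model: it is not an NDIS driver and not code from this project, and the packet and connection structs, the allowed-port policy and the filter() function are assumptions. Outbound connections are only opened where the script-style policy allows, and inbound packets pass only as the reply half of a connection the host opened.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the stateful filter; assumed structs, not the project's own. */
typedef struct { uint32_t src, dst; uint16_t sport, dport; int inbound, syn; } pkt_t;
typedef struct { uint32_t local, remote; uint16_t lport, rport; } conn_t;

#define MAX_CONN 64
static conn_t table[MAX_CONN];   /* connection state table */
static int nconn;

/* Script-style policy (assumed): new outbound TCP connections only to these ports. */
static const uint16_t allowed_out[] = { 80, 443 };

void filter_reset(void) { nconn = 0; }

static int find_conn(uint32_t local, uint16_t lport, uint32_t remote, uint16_t rport) {
    for (int i = 0; i < nconn; i++)
        if (table[i].local == local && table[i].lport == lport &&
            table[i].remote == remote && table[i].rport == rport)
            return i;
    return -1;
}

/* Returns 1 to pass the packet, 0 to drop it. */
int filter(const pkt_t *p) {
    if (p->inbound)
        /* Inbound traffic passes only if it belongs to a flow we opened. */
        return find_conn(p->dst, p->dport, p->src, p->sport) >= 0;
    if (find_conn(p->src, p->sport, p->dst, p->dport) >= 0)
        return 1;                        /* established outbound flow */
    if (!p->syn)
        return 0;                        /* mid-stream packet with no state: drop */
    for (size_t i = 0; i < sizeof allowed_out / sizeof *allowed_out; i++) {
        if (p->dport == allowed_out[i] && nconn < MAX_CONN) {
            conn_t c = { p->src, p->dst, p->sport, p->dport };
            table[nconn++] = c;          /* remember the flow so replies get in */
            return 1;
        }
    }
    return 0;                            /* outbound SYN not covered by policy */
}

int main(void) {
    /* Constructed sample packets: an HTTPS connection, its reply, and an unsolicited probe. */
    pkt_t out   = { 0x0A000002, 0x5DB8D822, 51000, 443, 0, 1 };
    pkt_t reply = { 0x5DB8D822, 0x0A000002, 443, 51000, 1, 0 };
    pkt_t probe = { 0x5DB8D822, 0x0A000002, 4444, 22, 1, 1 };
    printf("%d %d %d\n", filter(&out), filter(&reply), filter(&probe));  /* prints 1 1 0 */
    return 0;
}
```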
To combat this I'm thinking a second driver will also be needed. This driver will be situated higher in the stack at the TDI layer, making the TDI Firewall a perfect base to use. This driver will have access to system processes allowing rules to be set against applications, making the whole experience less painful.
Lastly, a GUI will be developed controlling the 2 drivers. The GUI will mainly be aimed at the TDI filter, and users wanting extra protection from the NDIS filter will need to use the command line interface instead. However, some parts of the GUI will also be able to control settings at the NDIS layer, e.g. controlling ICMP packets. This GUI should help users with little or no firewall knowledge set up basic rules to secure their system.
I've already started thinking about implementation, and as this is looking to be such a mammoth task, I'm going to set up a brain dump site. Anyone will be able to contribute to this site with knowledge and ideas.
Other areas to think about whilst implementing this are NAT and IP routing.