Ummm... no. Wrong on both accounts. See Jeremy's post about source-routing for one method. The firewall rules are never bypassed, that's why you need rules to specifically allow "established" connections. It is also why when writing your rules you want to put those rules near the top so that established connections don't have to run the entire gamut of the ruleset to get an up/down vote on whether to accept. Now maybe some firewalls resort the rules to get this behavior, but I haven't seen this with any Linux software firewalls.
Actually, I think what David is thinking about is the PREROUTING chain in the Linux Netfilter nat table. It only checks the first packet of each stream.
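The two points made in the posts above, as an added example that is not part of the thread and not real Netfilter code: a toy stateful filter in which every packet, established or not, walks the filter chain top to bottom (so an ESTABLISHED/RELATED accept rule only saves work if it sits near the top), while the nat PREROUTING chain is consulted only for the first packet of each flow and later packets reuse the stored mapping. The rule syntax, packet tuples, addresses and counters are all invented for illustration.

```python
"""Toy stateful packet filter modelling rule ordering and nat lookups.

Invented for illustration: it is not iptables/Netfilter code. It models
 * a filter chain walked top to bottom for every packet, including packets
   of established connections (the ESTABLISHED accept rule is just a rule
   that matches early if placed early);
 * a nat PREROUTING chain consulted only for the first packet of a flow
   (conntrack state NEW); the resulting mapping is stored in conntrack.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                       # "ACCEPT" | "DROP" | "DNAT"
    dport: Optional[int] = None       # match on destination port
    ctstate: Optional[str] = None     # "NEW" | "ESTABLISHED" (hypothetical conntrack state)
    to: Optional[Tuple[str, int]] = None  # DNAT target (ip, port)

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.ctstate is not None and state != self.ctstate:
            return False
        return True


class Firewall:
    def __init__(self, nat_prerouting: List[Rule], filter_input: List[Rule], policy: str = "DROP"):
        self.nat = nat_prerouting
        self.filt = filter_input
        self.policy = policy
        # conntrack: flow key -> DNAT mapping (or None if the flow was not translated)
        self.conntrack: Dict[tuple, Optional[Tuple[str, int]]] = {}
        self.nat_lookups = 0  # how many times the nat chain was actually walked

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # Flow key on the original (pre-NAT) 5-tuple, as the packet arrived.
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def process(self, pkt: Packet) -> Tuple[str, int]:
        """Return (verdict, rules_walked) for one packet.

        rules_walked counts the filter rules evaluated before a verdict,
        which is what the 'put ESTABLISHED near the top' advice reduces.
        """
        key = self._key(pkt)
        state = "ESTABLISHED" if key in self.conntrack else "NEW"

        # nat PREROUTING: only the first packet of a flow is matched here.
        if state == "NEW":
            self.nat_lookups += 1
            mapping = None
            for r in self.nat:
                if r.action == "DNAT" and r.matches(pkt, state):
                    mapping = r.to
                    break
        else:
            mapping = self.conntrack[key]   # reuse mapping decided on packet 1
        if mapping:
            pkt = Packet(pkt.src, pkt.sport, mapping[0], mapping[1], pkt.proto)

        # filter INPUT: every packet walks the chain until the first match.
        walked = 0
        verdict = self.policy
        for r in self.filt:
            walked += 1
            if r.matches(pkt, state):
                verdict = r.action
                break

        if verdict == "ACCEPT" and state == "NEW":
            self.conntrack[key] = mapping   # flow becomes ESTABLISHED
        return verdict, walked


# Constructed ruleset: DNAT public port 80 to an internal web server on 8080.
NAT = [Rule("DNAT", dport=80, to=("10.0.0.5", 8080))]
ALLOW = [
    Rule("ACCEPT", dport=8080, ctstate="NEW"),
    Rule("DROP", dport=23),
    Rule("ACCEPT", dport=22, ctstate="NEW"),
]
ESTABLISHED_ACCEPT = Rule("ACCEPT", ctstate="ESTABLISHED")


def demo(established_first: bool):
    """Send two packets of the same flow; report verdicts, rules walked, nat lookups."""
    rules = [ESTABLISHED_ACCEPT] + ALLOW if established_first else ALLOW + [ESTABLISHED_ACCEPT]
    fw = Firewall(NAT, rules)
    first = Packet("203.0.113.7", 40000, "198.51.100.1", 80)
    second = Packet("203.0.113.7", 40000, "198.51.100.1", 80)
    return fw.process(first), fw.process(second), fw.nat_lookups


if __name__ == "__main__":
    for order in (True, False):
        print("ESTABLISHED rule first" if order else "ESTABLISHED rule last", demo(order))
```

With the ESTABLISHED rule at the top, the second packet is accepted after one rule; with it at the bottom, the same packet is still accepted but only after every other rule has been evaluated. In both orderings the nat chain is walked once per flow, not once per packet.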
<rant> Let's leave the "Ummm... No" out from now on. We're all learning here. I know it may sound stupid, but I find it rude. I went off on some guy last week about it - which I do feel bad about. I got a little out of line on one of my replies. Anyway, let's try and keep the respect for one another going here. Feel free to correct people, myself included, but let's try to keep it polite. </rant>