this is not meant to be an ultra elite firewall hacking text, but it will teach you ALOT. It assumes alot and so remains genaral to just give you ideas.

One method of hacking a firewall is to use discreet social enginnering.  If you are hacking a lamer with a 56K modem while you are using cable, you can perform a long ping bomb (using not many threads) to slow down their downloads.  They will realise the drop in speed and will think they are safe so might turn off their firewall to "speed up the download".  The moment you ping the dude and they get returned, You are in happy land.  Yep, that dude disabled his firewall.  Have fun.

If you can chat to the dude, ask him what type of firewall he uses.  In most cases they tell you cause they feel safe.  Most firewalls store what ports they allow and block in an .ini file or in the registry.  Install that firewall for yourself and find the location of this settings file.  All you need to do then is program a trojan to get them to run on their computer that will change their ini file to allow the ports you want.  If you feel professional, you can append a trojan to the file and just open the trojans port. If you dont have a permanent IP, you will have to let everyone through that port.  You can social manipulate him by Hijacking his ICQ account or something, stealing his contact list and pretending that you are one of his contacts.  This method will probably not work on someone who is smart,or anyone with a better OS then windows.

TCP/IP fingerprinting can be used to determine what ports they have open whether or not they have a firewall and it is relatively accurate, but not always.  NMAP is a good program for linux that does TCP/IP fingerprinting.  it is included with most distributions nowdays...

UDP Scan: 
You can use NMap to port scan the host with the following command line:
nmap -g67 -P0 -p130-140 -sU 192.168.128.88 
(Notice the -g67 which specifies source port).
TCP Scan:
You can use NMap to port scan the host with the following command line:
nmap -g67 -P0 -p130-140 -sS 192.168.128.88 
(Notice the -g67 which specifies source port). 

I obtained this from a site which I want to give credit to but cant cause I dont have an address.  
I have yet to have seen a TCP/IP fingerprint capable prog for either Windows or NT.. But maybe there is.  

There are many other methods of hacking firewalls like locating Exploits but I'm too stuffed to get into these..JUst remember to delete any evidence logs and stuff... 

there are also many indirect methods of hacking it.  An example is the fine plan I will use to hack a certain network.. If you need a distraction while hacking, feel free to post up a request for a DOS attack or another type of attack on a newsgroup as a distraction while you are cracking passes etc.  Also, remember that some networks aren't watched all night (hint, hint).  Try to hit a network in the night because the network administrator, even if he is there, might be a bit groggy, not noticing the alarms on the taskbar.

REmember how microsoft got hacked?  It was hacked by a trojan.  Code something to introduce a backdoor on the system.  An alternative is to code a prog that looks identical to their firewall util and will replace the real one, but doesn't protect their system properly and will only give false alerts.