The improvement I mention is relative to using a servient behind an active XP (or other) firewall in its default configuration. You are corrrect that the advantage of using a Gnutella-friendly firewall over running naked (with no firewall) is security.

Assuming my understanding of the Gnutella protocol is correct (I'm a software engineer, but don't work in this field), it works like this:

From behind a firewall...

You can initiate outgoing connections to participate in the network, but can't accept incoming connections from others wishing to join the net. It is also impossible for you to accept Leaf connections as an UltraPeer.

You can initiate outgoing connections to download files from some sources, but will not succeed in downloading files from servients that are also behind a firewall. This is because neither servient is able to accept a connection from the other for the direct transfer of the file. (Files are not sent through the Gnutella net.)

You can satisfy some upload requests, but only from servients who send "push" requests (via the Gnutella net) and who are not themselves behind a firewall. Again, if both machines have firewalls, you can't connect to transfer files.

Having incoming connections to port 6346 blocked by a firewall is a little like living in an apartment with a broken doorbell.

Imagine that you are a Gnutella program living in apartment 6346 of a PC out there in cyberspace. You can open your door and pass data through the door (in or out) anytime you like - as long as its your idea to open the door. But when the HTTP delivery guy rings your doorbell to deliver that new file you requested, you don't hear the doorbell ring, so he gives up and goes away.

Opening port 6346 on the firewall fixes the doorbell.