Which is, of course, irrelevant since he delivered through HTTP. :-)
The current crop of firewalls are (for just this purpose) able to look into packets and ensure that they *are* HTTP packets.. Packets that look to be encapsulated other protocols can be rejected, or filtered.
So if you're 'denying all' you've likely got that [passing of HTML encapsulated packets] turned off, too.
Addison