Bruce Wells asked (in the comments of my “opening firewalls” ‘post) where you should go to get netfw.h. Well, after a bit of searching, I found it, it was surprisingly difficult (don’t ask).
It turns out that netfw.h isn’t actually shipped separately. Instead, as Tony Goodhew describes it, the netfw.idl file is shipped in the platform SDK instead, and you need to run the MIDL compiler on it to generate the .h file.
The platform SDK update that contains netfw.idl can be found here.