Marcos Hernandez sent me a nice list of updates/errata after watching the NSX firewalls video from the VMware NSX Architecture webinar:

• NSX vSphere supports firewall rules based on MAC sets (L2)
• Distributed firewall in NSX vSphere now supports detection of established TCP sessions during “hot" DFW insertion (it used to drop those connections).
• ACLs in NSX MultiHypervisor don’t apply to logical switch ports (VM NICs). The slides correctly state that ACLs are only applicable to router and L2 gateway ports, but then in the audio there is a little confusion around it.
• NSX MultiHypervisor has two ways of doing security. Security Profiles that apply to logical switch ports (which connect to VMs) and ACLs (which can also include L3/L4 rules that and apply only to router ports).