How secure is a firewall?

aadesh119

New Member
Feb 25, 2021
Let me frame the context. I'm not interested in any exploits that get pulled in by the user nor the issues with apps on a machine. I'm interested in understanding how secure a firewall is in and of itself, e.g., and one which is configured to not allow incoming connections.

What other exploits exist assuming no physical access and a good configuration, strictly incoming from the WAN port? I ask because I keep hearing so much that any firewall is penetrable. I'm starting to think that the majority of these attack vectors originate (knowingly or unknowingly) from the inside.

Can the most talented organization penetrate a properly configured firewall with no help from an inside machine? If so, how so?

Just looking for a better understanding. Thanks.
 
If you use the Linux based firewall technology netfilter, which interfaces like iptables (Proxmox VE currently uses that one) or nftables (a newer one, easier to write manual rules for as a human) build upon, then you use a FW technology which is baked into the Linux kernel network receive and transmit path. That means there's about no way that a rule gets circumvented there; for that a grave kernel bug needs to be there or introduced, and while the kernel is certainly not bug free, firewalls are just used so much around the globe that it's a subsystem which is quite vetted and tested in practice.
So as the only real vector are network packets, and the FW is just so deeply ingrained in the kernel network packet flow, it seems about impossible to enforce some magic route around it (besides using grave (zero-day) bugs, which are rather unlikely).
If you're more interested in learning about that technology check
https://netfilter.org/
And https://en.wikipedia.org/wiki/Netfilter plus the linked (re)sources.

The penetrable firewalls are seldom a loss or circumvention of basic firewall function; normally they are a hijack of the host providing the FW itself. This is quite common for proprietary ones, which seem to just not be able to enforce a secure default password or keep their backdoors at bay.

Then there is the whole attack class where a loose configuration plus some extra can be misused; often they already need inside access (e.g., to open a connection to the outside, where connection tracking tries to allow that the counterpart can talk back securely) or some missing rules etc.

Can the most talented organization penetrate a properly configured firewall with no help from an inside machine? If so, how so?
State actors with money, legal and illegal resources and time at their hand - I'd not bet against those, to be honest.
And even if they would not be able to penetrate your perfectly set up shiny firewall, they could always infiltrate your org in other ways (e.g., through cleaner or maintenance personnel or by threatening a colleague) or just build some (bogus or not) case and seize your stuff in a legal way.

So for the sake of this question to make sense, let's assume you have not brought upon yourself the wrath of a capable government, and talk smaller stuff: script kiddies, mysterious hacker orgs (i.e., script kiddies++) or some well skilled people just wanting to show off or needing money and getting paid by the competition.

Those, I'd wager, actually have a quite hard to impossible time figuring their way around a well-thought-out firewall setup based on Linux (or BSD, e.g., pfSense) technology. Social engineering and the like are normally the easier way.
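To make the "properly configured" firewall the reply talks about concrete, here is an added nftables ruleset (an illustration written for this thread, not code from the reply's author or from Proxmox VE, which ships its own iptables-based firewall). It shows the two properties the reply relies on: a default-drop input policy on the WAN side, and connection tracking that only lets replies to connections an inside host opened back in. The interface name "eth0" for the WAN port and the LAN range 192.168.1.0/24 are constructed assumptions.

```nft
#!/usr/sbin/nft -f
# Added example ruleset: default-deny inbound, stateful return traffic only.
# Assumptions (constructed for this example): WAN interface is "eth0",
# the LAN is 192.168.1.0/24, and SSH management is only wanted from the LAN.

flush ruleset

table inet filter {
    chain input {
        # policy drop: anything not explicitly accepted below is discarded.
        type filter hook input priority 0; policy drop;

        # Packets conntrack cannot match to any flow are never a legitimate reply.
        ct state invalid drop

        # Stateful allow: only answers to connections initiated from inside
        # (this is the "counterpart can talk back" mechanism from the reply).
        ct state established,related accept

        # Loopback traffic stays local.
        iif "lo" accept

        # Minimal ICMP so path MTU discovery and IPv6 neighbour discovery work.
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big,
                                         time-exceeded, nd-neighbor-solicit, nd-neighbor-advert,
                                         nd-router-advert } accept

        # Management of the firewall host is reachable from the LAN only;
        # nothing on the WAN port can open a new connection to it.
        iifname != "eth0" ip saddr 192.168.1.0/24 tcp dport 22 accept

        # Everything else falls through to the chain policy: drop.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        # LAN hosts may initiate outbound flows; no new inbound flows from WAN.
        iifname != "eth0" oifname "eth0" accept
    }

    chain output {
        # The firewall host itself may initiate outbound traffic.
        type filter hook output priority 0; policy accept;
    }
}
```

Loading is done with `nft -f ruleset.nft`; `nft -c -f ruleset.nft` only parses and checks the file without touching the running kernel, which is the safer first step on a remote box. `nft list ruleset` shows what is actually loaded, and the `conntrack -L` tool lists the flows that currently qualify for the `established,related` rule, which is the state an attacker on the WAN side cannot create without an inside host first opening a connection.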
 
