See above; in front of the server, there's no state to track in the first place, heh.
Fish, meet bicycle.
I think that is the part that some people aren't getting. You have a network just sitting there. A syn packet arrives for port 80 to an http server. You ARE going to allow it because that is what a web server does. Now if you have a firewall in front of the load balancer you have a three-way handshake that goes on with the firewall. Then another one between the firewall and the load balancer. And then possibly yet another one between the balancer and the server if you aren't using persistent connections in that part of the network. So now you get a DoS request that is as simple as "GET /index.html" or worse, some huge file, which you are also going to allow anyway because there is no way to tell a legitimate request from a flood of requests from a bot net or someone posted your link on Slashdot or whatever. So now your web server is flooded with "legitimate" requests that pass all of your policy but you are being overwhelmed by the sheer volume of them and they are originating from thousands of IP addresses from all around the world. They are all getting through your firewall. So now it is just a matter of which is the weakest link in the chain. If you have enough servers and bandwidth, the firewall is often that weakest link.