Even the little hardware NAT boxes that you can get for
sharing a DSL connection or cable modem are way better than any
'software firewall' (the NetGear RT311 and RT314 are extremely
sophisticated and flexible NATs and start at less than $100 - they do
full NATing, allow port forwarding and filtering to a protected
network). (NetGear Firewalls and NATs)
I'm a big fan of these boxes, and I encourage anyone that I know who is
getting a broadband connection to consider shelling out the extra money (or
put it on their Christmas "wish list") for one.
So... what does a 'personal firewall' actually do? Well, effectively
it listens on all the ports on your system. This provides no real
additional security over turning off the services that you don't use.
I'll repeat that - it provides no real additional security over
turning off the services that you don't use. (Maybe it'll block
trojans from phoning home, but A) if you've run a trojan your system
is completely compromised"
The article you're quoting is fairly typical of the sort of technical
bigotry that is rife in the area of computers generally (I know - I'm
regularly guilty of it myself). The author thinks personal firewalls are a
waste of time because he doesn't think he needs one.
There's one thing that a "personal firewall" can do that no external box
can do - it can verify that outbound connections are being made by services
that are allowed to make them. Finding out that you've got a trojan is the
first step to rectifying the problem, and a personal firewall may be the
only way you will find out. (Unfortunately, for the not technically
inclined, asking for verification about outbound processes doesn't help
much, because it either causes terminal confusion, or they turn the
prompting off, and everything is allowed access the internet. It would be
nice if there was a setting that allowed personal firewalls to ask a
centralised database on the internet whether a particular client application was
"safe", and only prompt the user if the application was unknown).
Both SoBig and Blaster would have been far less "successful" if more people
were using something like ZoneAlarm.
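The outbound check described in the reply above, as an added example that is not code from the original thread or from any product it names: a small egress-policy engine that identifies the connecting program by the SHA-256 of its executable rather than its file name, consults a constructed stand-in for the "centralised database" of known applications, prompts only for unknown programs or unexpected destination ports, and remembers the user's answer so the same question is not asked again. All file names, hashes, ports and addresses below are constructed for the demonstration.

```python
"""Toy personal-firewall egress policy (added example, not from the thread).

Decisions are keyed on the hash of the executable, so a trojan that copies a
browser's file name does not inherit the browser's permission to reach the
internet. The "known apps" table stands in for the centralised database the
reply wishes for; here it is an in-memory dict built inside demo().
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One outbound connection attempt as a host firewall sees it.
    Fields are constructed; a real product gets them from the network stack."""
    pid: int
    exe_path: str
    remote_addr: str
    remote_port: int


def sha256_of_file(path: str) -> str:
    """Identify the program by its bytes, not by its path or name."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class EgressPolicy:
    def __init__(self, known_apps):
        # known_apps: sha256 -> (friendly name, set of expected remote ports)
        self.known_apps = known_apps
        # (sha256, remote_port) -> "ALLOW" | "BLOCK": remembered prompt answers
        self.user_rules = {}

    def decide(self, conn: Connection) -> str:
        """Return "ALLOW", "BLOCK" or "PROMPT" for this connection attempt."""
        digest = sha256_of_file(conn.exe_path)
        key = (digest, conn.remote_port)
        if key in self.user_rules:          # an explicit local decision wins
            return self.user_rules[key]
        if digest in self.known_apps:
            _name, ports = self.known_apps[digest]
            # A known program talking to an unexpected port still gets a prompt
            return "ALLOW" if conn.remote_port in ports else "PROMPT"
        return "PROMPT"                     # unknown binary: ask the user

    def remember(self, conn: Connection, answer: str) -> None:
        """Store the user's answer so the same prompt is not repeated."""
        if answer not in ("ALLOW", "BLOCK"):
            raise ValueError(answer)
        self.user_rules[(sha256_of_file(conn.exe_path), conn.remote_port)] = answer


def demo():
    """Run the policy over constructed binaries; returns the decision list."""
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "browser.exe")
        with open(browser, "wb") as f:
            f.write(b"constructed browser bytes")
        # A trojan that borrowed the browser's file name in another directory
        trojan_dir = os.path.join(d, "temp")
        os.mkdir(trojan_dir)
        trojan = os.path.join(trojan_dir, "browser.exe")
        with open(trojan, "wb") as f:
            f.write(b"constructed trojan bytes")

        policy = EgressPolicy({sha256_of_file(browser): ("Web browser", {80, 443})})

        decisions = []
        c1 = Connection(1234, browser, "203.0.113.10", 443)
        decisions.append(policy.decide(c1))   # ALLOW: known app, expected port
        c2 = Connection(1234, browser, "203.0.113.10", 6667)
        decisions.append(policy.decide(c2))   # PROMPT: known app, odd port
        c3 = Connection(4321, trojan, "198.51.100.7", 6667)
        decisions.append(policy.decide(c3))   # PROMPT: same name, unknown hash
        policy.remember(c3, "BLOCK")          # user answers the prompt once
        decisions.append(policy.decide(c3))   # BLOCK: remembered, no re-prompt
        return decisions


if __name__ == "__main__":
    print(demo())
```

Keying on the executable's hash rather than its path is what makes the renamed-trojan case in `demo()` work, and remembering answers per (hash, port) is one way to limit the prompt fatigue the reply complains about. The caveat a practitioner should keep in mind is that this identifies the program on disk, not what is running inside it: malware that injects code into an already-trusted process, or that simply drives the trusted browser to make the request, inherits that process's permission, which is a limit of any process-based outbound filter.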