That said, hardware firewalls often provide better protection. For starters, if a vulnerability is found in that type of firewall, an attacker exploiting it would, at worst, gain access only to the firewall device itself. If you are running a firewall application on a domain controller or a web server and the firewall is compromised, the attacker also gains immediate entry to those important systems.
Another consideration is the impact on system performance. Depending on the amount of network traffic coming into your system, inspecting each packet and deciding whether to block or allow it can consume a great deal of processing power and system resources. By running a firewall on a system that has other purposes, those resources must be shared, and the application, the firewall, or both will suffer from the shortage.
Many cable or DSL routers designed for home use come with a limited built-in firewall. These firewalls tend to be basic packet-filtering devices that simply allow or deny traffic on particular ports, depending on how you configure them.
Ports are like channels for your network traffic. Just like you might have to tune your television to channel 35 to watch your favorite TV show or set your radio to a particular frequency to get the music you like to hear, you must also listen or receive traffic on certain channels, or ports, for different types of Internet and World Wide Web traffic.
The default port for web traffic is TCP port 80. To access most web sites, your computer must initiate a connection to port 80 on the remote server. In this case the initial request for port 80 traffic is coming from your computer. However, unless you are hosting a web site on your computer, there is no reason for any external device to try to connect to your computer on port 80. So you can safely block all incoming port 80 traffic without affecting your ability to surf the Web.
Using this same example, you can essentially block ALL incoming traffic. If your computer is not acting as a file server, FTP server, web server, or providing any other service to external computers, then there is no reason for any external computer to try to establish a connection with your computer. Just as was illustrated above, you can block all incoming ports without affecting your ability to communicate out on those same ports.
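The reason blocking every incoming port does not break outbound browsing is that a stateful filter judges packets by who initiated the connection, not by port number alone. The following is an added illustration, not code from the original article: a simplified stateful filter that allows outbound packets, remembers the connections they create, and drops any inbound packet that does not match one. The IP addresses and port numbers are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = leaving our host, "in" = arriving from the network


class StatefulFilter:
    """Default-deny inbound filter that remembers connections we initiated.

    State is keyed by (local_ip, local_port, remote_ip, remote_port).
    Outbound packets from our host are allowed and create a state entry;
    inbound packets are allowed only if they match an existing entry.
    """

    def __init__(self, local_ip: str):
        self.local_ip = local_ip
        self.connections: set[tuple[str, int, str, int]] = set()

    def process(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if pkt.src_ip != self.local_ip:
                return "DROP"  # not our traffic; nothing to track
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        # Inbound: look the packet up as (local, remote) to match the stored key
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "ALLOW" if key in self.connections else "DROP"


def demo() -> list[str]:
    """Run the article's scenario: browse out on port 80, block everything unsolicited."""
    fw = StatefulFilter("192.168.1.10")  # constructed local address
    return [
        # Our browser opens a connection to a web server on port 80 from port 51234
        fw.process(Packet("192.168.1.10", 51234, "203.0.113.5", 80, "out")),
        # The server's reply returns to our port 51234: matches state, allowed
        fw.process(Packet("203.0.113.5", 80, "192.168.1.10", 51234, "in")),
        # An unsolicited connection attempt to OUR port 80: no state, dropped
        fw.process(Packet("198.51.100.7", 44000, "192.168.1.10", 80, "in")),
        # Same remote address but a different source port: no matching state, dropped
        fw.process(Packet("203.0.113.5", 8080, "192.168.1.10", 51234, "in")),
    ]
```

Running `demo()` returns `["ALLOW", "ALLOW", "DROP", "DROP"]`: the same port 80 is open for traffic we started and closed to traffic we did not.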
