The general purpose of a firewall is to protect a network against malicious access by using a single machine as a firewall. This does imply that the firewall is to be considered a single point of failure, but it can make the administrators life a lot easier. In a perfect world where you knew that every daemon or service on every machine was perfectly configured and was immune to, e.g., buffer-overflows and any other imaginable problem regarding its security, and where you trusted every user accessing your services to aim no harm, you wouldn't need to do firewalling! In the real world however, daemons may be misconfigured, exploits against essential services are freely availiable, you may wish to choose which services are accessible by certain machines, you may wish to limit which machines or applications are allowed to have internet access, or you may simply not trust some of your apps or users. In these situations you might benefit by using a firewall. Don't assume however, that having a firewall makes careful configuration redundant, nor that it makes any negligent misconfiguration harmless, nor that it prevents anyone from exploiting a service you intentionally offer but haven't recently updated or patched after an exploit went public. Despite having a firewall, you need to keep applications and daemons on your system well-configured and up-to-date; a firewall is not a cure-all! The word firewall can have several different meanings. This is a setup or program, for Windows commercially sold by companies such as Symantec, of which they claim or pretend that it secures a home or desktop-pc with internet access. This topic is highly relevant for users who do not know the ways their computers might be accessed via the internet and how to disable these, especially if they are always online and if they are connected via broadband links. This is a box placed between the internet and an intranet. To minimize the risk of compromizing the firewall itself it should generally have only one role, that of protecting the intranet. Although not completely riskless, the tasks of doing the routing and eventually IP masqueradingrewriting IP-headers of the packets it routes from clients with private IP-addresses onto the internet so that they seem to come from the firewall itself are commonly considerd harmless. This is often an old box you may have retired and nearly forgotten, performing masquerading or routing functions, but offering a bunch of services, e.g., web-cache, mail, etc. This may be very commonly used for home networks, but can definitely not to be considered as secure anymore because the combining of server and router on one machine raises the complexity of the setup. This box performs masquerading or routing, but grants public access to some branch of your network which, because of public IP's and a physically separated structure, is neither considered to be part of the inter- nor intranet. These servers are those which must be easily accessible from both the inter- and intranet. The firewall protects them all. Doing routing or masquerading, but permitting only selected services to be accessible, sometimes only by selected internal users or boxes; mostly used in highly secure business contexts, sometimes by distrusting employers. This was the common configuration of a firewall at the time of the Linux 2.2 kernel. It's still possible to configure a firewall this way, but it makes the rules quite complex and lengthy.