Anybody know a lot about firewalls?

FaintDeftone

CAGiversary!
My PC has like three firewalls and I'm wondering if I can do without any of these.

I have McAfee with Personal Firewall Plus. This thing annoys the hell out of me and conflicts with a lot of stuff I do on my PC. I want to uninstall it, but I'm afraid that it could make my PC even easier to hack.

I also have the windows XP firewall activated but I hear it's not that special.

Also, I have a router with a hardware firewall. Not sure how good these are supposed to be. It's a Netgear wireless router.

Is it safe to take some of these firewalls off and use only one? If so, which is the best bet? Would it be safe to take off this McAfee one?

Thanks.
 
Honestly? It depends on how savvy you are or are willing to become.

You realistically don't need any software firewall if you have a properly configured router. If you block any port that you're not using (for example port 80) or redirect all the other ports to a DMZ address, and also disable Universal PnP on your router (if you have it), you'll basically be okay.

The trick is to monitor your personal network from inside and outside your router.

If you have one Windows PC, there's not much you can do to check yourself out. If you have more than one PC or are using Linux/OSX, then download Nmap. The sad thing is you can't scan yourself on a Windows box, but you'll be able to scan your router to be doubly sure it's good.

Open up your command line, browse to the directory with Nmap and run:

nmap 192.168.1.0-255

It'll take a few minutes to enumerate your network, but you'll get a list of all the devices on the network and what ports are open.

Bearing in mind that your main concern here is everyone outside your router, pay specific attention to that.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\blaine>cd\

C:\>cd nmap

C:\nmap>nmap 192.168.1.0-255

Starting nmap 3.93 ( http://www.insecure.org/nmap ) at 2006-09-02 20:13 Eastern
Daylight Time
Interesting ports on 192.168.1.1:
(The 1667 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:XX:XX:XX:XX:XX (Cisco-Linksys)

Skipping SYN Stealth Scan against beast4.XX.XX.comcast.net. (192.168.1.100) be
cause Windows does not support scanning your own machine (localhost) this way.
All 0 scanned ports on beast4.XX.XX.comcast.net. (192.168.1.100) are: unknown

Nmap finished: 256 IP addresses (2 hosts up) scanned in 79.219 seconds

C:\nmap>


Okay, so I have 2 computers running on my network (your router is a computer, really), and you can see I can't scan myself because Windows sucks like that.

If you had another computer, you could check to see what services are listening on your actual computer. That's where your software firewall does most of its work: making sure there are no malicious programs opening up ports.

Next, run a scan on your IP address (find it by going to ipchicken.com).

C:\nmap>nmap XXX.XXX.XXX.XXX

Starting nmap 3.93 ( http://www.insecure.org/nmap ) at 2006-09-02 20:28 Eastern
Daylight Time
Interesting ports on XXXX.XXXX.XXXX.comcast.net (XXXXXX):
(The 1663 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
222/tcp open rsh-spx
223/tcp open cdc
443/tcp filtered https
8080/tcp open http-proxy

Nmap finished: 1 IP address (1 host up) scanned in 2.844 seconds

C:\nmap>

And this is how the world sees your router. I set up my SSH server and some other stuff so we could have some open ports.

So long as you know what every port listed is and you know what program it's going to, you're relatively safe.

See port 443? That's going to my DMZ address. There's no computer at that address that I have set up. So there you go with Open, Closed and Filtered ports.

That's basically it. All a firewall does is block ports for you. You can physically block them yourself, but you suffer the convenience of having to open/close ports when you download a new program or when you want to start up a service.

I personally enjoy it. I think it's fun to really get your hands dirty when it comes to networking. I know, first hand, exactly what ports are open on my computer, I know exactly what program is using each one, and I know exactly what my router is displaying to the rest of the world.

In conclusion, your firewall blocks ports. Block 'em yourself and there's no real need for a software firewall.
 