[pilif]

The firewall on a local machine might suffer from exploits, thus still allowing access.

Or I might want some services open to my lan and only a smaller subset opened to the public (something the personal firewalls built into many OSes can't do)

[kalleboo]

> The firewall on a local machine might suffer from exploits, thus still allowing access.

Is a updated firewall from Apple, Microsoft or ipfw more or less likely to suffer from exploits than a cut-rate device from ASUS, Netgear or Linksys that hasn't been updated in years?

> Or I might want some services open to my lan and only a smaller subset opened to the public (something the personal firewalls built into many OSes can't do)

That may be fair enough but that's just a reason to improve the firewalls in the OSes. As soon as you tether to your phone or use public WiFi you're going to want a solid local firewall anyhow.

[justincormack]

The idea is that it can be turned off from the machine itself, so eg if you get hacked via a website or email, your firewall might get disabled, while another box would also need to be hacked. (Of course things like UPNP give the machines control over the router so making this moot, which is why I dodnt run them).

[kalleboo]

> Of course things like UPNP give the machines control over the router so making this moot

Yep this was exactly my point