A recent post on Slashdot brings up the LAND attack, an attack from eight (8) years ago in which a connection is initiated to a service with a SYN packet whose source and destination IP addresses are both set to the server's address. These attacks cause the server to loop indefinitely and become nonresponsive for 15-30 seconds. Repeated attacks can prove to be a fairly effective DoS.
In response, the current work-around according to the SecurityFocus vulnerability entry is to enable a host firewall to stop any and all connections to open ports. The vulnerability is fixed in all operating systems except Windows, affecting versions from Windows 95 up to and including Windows 2003 Server and Windows XP Service Pack 2. The users of Slashdot apparently think that firewalls are "basic security" and somehow mitigate this problem in its entirety.
Firewalls are not magic. They only allow administrative control over misbehaved services that bind to undesirable interfaces, or at the very best allow fine-grained administrative control over which network ranges can connect to a port. If the connection is legitimate, or at least legitimate in the eyes of the firewall, the packets make it through.
More pertinently, Windows is now immediately not suitable for running an Internet-facing Web server on. As an example, Microsoft's Web site is running on Windows. Using one of the LAND exploits targeted at port 80, any user can take out Microsoft's main Web site with a lightweight and effective Denial of Service.
As for desktop Windows machines, they generally hold a number of open ports for NetBIOS and RPC. From inside the local network, these machines must be able to communicate with each other and with themselves to be used effectively. Any remote exploit that gets into a network, including social engineering (worms in e-mail and all flavors of viruses and trojans), can be used to take the network down. Networks with Windows-based file servers are made up of many hosts, each of which now has the ability to single-handedly take down the file server.
In many situations, it is very difficult or even impossible to prevent a LAND packet from penetrating the defenses of a network. If the attack comes from within the network, or if it is aimed at a node which must host services to the outside world, then there is a 100% chance of success for LAND attacks on Windows machines. Because of this, firewalls cannot be relied upon as a cure for this and many other attacks.
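To make the packet signature from the opening paragraph concrete, and to show why the inside-versus-outside distinction above matters, here is a small detector written for this post (it is added example code, not part of the original article). It flags the LAND pattern, a SYN whose source and destination addresses match, and separately applies the ingress rule a border or host firewall can use: a packet arriving on an external interface that claims one of the host's own addresses as its source is spoofed. The packet records, interface names and addresses are constructed for the example; a real sensor or pcap parser would supply them.

```python
"""Added example, not from the original post: detect LAND-pattern packets
in a stream of TCP packet summaries.

The LAND signature is a SYN whose source address equals its destination
address (classically the ports match as well). A second check, ingress
address filtering, catches the same packet at the border: a packet arriving
on an external interface that claims one of the host's own addresses as its
source is spoofed. It does nothing for a packet that originates inside.
The packet records and field names are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, List

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    """Minimal TCP/IP packet summary (constructed shape, not a real API)."""
    iface: str       # interface the packet arrived on, e.g. "eth0"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int       # TCP flag bits


def is_land_packet(pkt: Packet) -> bool:
    """True for a connection attempt addressed to its own source address.

    Only a bare SYN counts: the post describes a connection being initiated,
    so SYN/ACK or data segments between a host and itself are left alone.
    """
    if not (pkt.flags & SYN) or (pkt.flags & ACK):
        return False
    return ip_address(pkt.src_ip) == ip_address(pkt.dst_ip)


def is_spoofed_local_source(pkt: Packet, local_ips: Iterable[str],
                            external_ifaces: Iterable[str]) -> bool:
    """True when a packet arriving from outside claims a local source address.

    This is the ingress-filtering rule a firewall can apply; it cannot help
    when the packet originates on the internal side.
    """
    return (pkt.iface in set(external_ifaces)
            and ip_address(pkt.src_ip) in {ip_address(a) for a in local_ips})


def scan(packets: Iterable[Packet], local_ips: Iterable[str],
         external_ifaces: Iterable[str]) -> List[str]:
    """Return one alert line per suspicious packet, in input order."""
    alerts = []
    for p in packets:
        where = f"{p.iface} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}"
        if is_land_packet(p):
            alerts.append(f"LAND {where}")
        elif is_spoofed_local_source(p, local_ips, external_ifaces):
            alerts.append(f"SPOOFED-LOCAL-SRC {where}")
    return alerts


# Constructed sample traffic using RFC 5737 documentation addresses.
# 192.0.2.10 is the server; eth0 faces the Internet, eth1 the LAN.
SERVER = "192.0.2.10"
SAMPLE = [
    Packet("eth0", "198.51.100.7", 40001, SERVER, 80, SYN),   # ordinary client SYN
    Packet("eth0", SERVER, 80, SERVER, 80, SYN),               # LAND arriving from outside
    Packet("eth1", SERVER, 80, SERVER, 80, SYN),               # LAND arriving from the LAN
    Packet("eth0", SERVER, 1025, "203.0.113.9", 80, SYN),      # spoofed local source only
    Packet("eth1", SERVER, 80, SERVER, 54321, SYN | ACK),      # host replying to itself: not a SYN
]

if __name__ == "__main__":
    for line in scan(SAMPLE, [SERVER], ["eth0"]):
        print(line)
```

Run against the constructed sample, both LAND packets are reported regardless of the interface they arrived on, while only the one from eth0 would also have been caught by the ingress rule; the LAN-side copy is exactly the case the paragraph above says a firewall cannot stop.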
Other attacks that can evade the firewall include most likely 99% or more of typical desktop network traffic. Desktop computers are very promiscuous on the Internet and connect out to instant messaging, chat, and Web services to get data from the outside world. This data always comes through the firewall, and can be used in an attack to inject code such as worms into a machine remotely. These situations cannot be protected against with a firewall, because that would require disabling access to these services entirely.
Firewalls have their uses, but they're very, very minimal compared to the amount of faith people put into them. Firewalls can only stop connections aimed at specific destination addresses; in many situations it is possible for spoofed packets to penetrate a firewall that allows certain traffic and blocks other traffic on an interface. Firewalls do not protect servers from anyone who can connect to them, and they do not protect "legitimate" outgoing connections from fetching illegitimate data. A high-quality, up-to-date reactive content filter is the closest thing to most people's view of a firewall, and even that won't stop everything.