October 3rd, 2001, 02:39 AM
#11
Senior Member
In an effort to stay on topic, I might as well mention that personal firewalls like BlackICE and ZoneAlarm are stateless, packet filtering firewalls, in that they can accept or deny a packet based on a set of rules such as port number or IP address, but they don't know if a packet is the result of an authentic request from the client machine or part of an attack. Whereas stateful firewalls like the netfilter part of the 2.4 Linux kernel (of which iptables is a part) have a memory and can tell if a packet is the result of a legitimate request.
As a rider to this I might also add that stateful packet filtering/mangling is not the panacea of network security either, as there is already a well-known flaw in the FTP PORT command allowing an attacker to connect to any port if he has already compromised (by some other means) the host behind the firewall.
There's no such thing as 100% security when connected to a network.
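Added example, not part of the original post: a simplified Python model of the difference described above, running the same constructed packets through a rule-only filter and through one that remembers outbound flows. The addresses, the port-80 rule and all names are assumptions made for illustration; this is not how netfilter or any named product is implemented.

```python
from collections import namedtuple

# Constructed packet model: direction is "out" (sent by the protected client) or "in".
Packet = namedtuple("Packet", "direction src sport dst dport")

# Constructed addresses from the documentation ranges.
CLIENT, SERVER, OTHER = "192.0.2.10", "198.51.100.5", "203.0.113.77"


def stateless_filter(pkt):
    """Rule-only decision: allow all outbound; allow inbound if source port is 80."""
    if pkt.direction == "out":
        return True
    return pkt.sport == 80


class StatefulFilter:
    """Remembers outbound flows and admits only inbound packets that answer one."""

    def __init__(self):
        self.flows = set()

    def check(self, pkt):
        if pkt.direction == "out":
            # Record the flow so the matching reply can be recognised later.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # An inbound packet is a reply only if its reversed tuple was seen outbound.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def run(packets):
    """Return (stateless, stateful) verdict lists for the same packet sequence."""
    fw = StatefulFilter()
    return [stateless_filter(p) for p in packets], [fw.check(p) for p in packets]


# Constructed traffic: a client request, its reply, and a packet nobody asked for.
SAMPLE = [
    Packet("out", CLIENT, 40000, SERVER, 80),
    Packet("in", SERVER, 80, CLIENT, 40000),
    Packet("in", OTHER, 80, CLIENT, 40000),  # unsolicited, but matches the port rule
]

if __name__ == "__main__":
    for pkt, a, b in zip(SAMPLE, *run(SAMPLE)):
        print(pkt, "stateless:", a, "stateful:", b)
```

The third packet satisfies the port rule, so the rule-only filter accepts it, while the flow table rejects it because no outbound packet created a matching entry.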