Re: an interesting approach
It would be interesting to try what Negative suggests.
Personally I would suggest that concerned users go buy an `el cheapo' PC from the local used computer shop, or drag one out of the spare junk closet.
Then put OpenBSD on that sucker. No keyboard, monitor, or mouse required. Get a couple of NICs, and a switch. Once OpenBSD is installed, build the packages for `ipfilter', `tripwire', and `host sentry'.
Now you can set up an internal network behind your ipfilter firewall, set up the firewall to accept ftp connections from inside the firewall only /* firewall admin */ etc. etc.
A host firewall is not the best way to go even if you only use one computer. The insta-firewalls like tpf and Zone Alarm are cool, but the worst possible thing you can have is a badly configured or incomplete firewall setup. Worse than none at all for sure.
ipfilter is really great; it does not work with any *nix OSes that use glibc, so that rules out Linux except for really old versions.
You can get OpenBSD at http://www.openbsd.org
ipfilter is a default package that comes with OpenBSD, FreeBSD, NetBSD and several others.
Some hints on setting it up can be found at:
http://www.freebsddiary.org
http://coombs.anu.edu.au/~avalon/ip-filter.html
And as always a good place to get the packages mentioned above and others for *nix is http://www.freshmeat.net
It is one of the firewall configs of choice for a good number of High Vis and High Risk sites. I should note that ipfilter is hardly ever cracked if set up properly, but any firewall can be bypassed by the truly determined.
Check out sites to see what they run /* will only show what server is, not always indicative of firewall OS */ at http://www.netcraft.com