Well as I mentioned there it doesn't necessarily have to be on the host, that's just one option. At home I use the linksys based solution I mentioned in my edit which was more the way I was thinking - and probably more comparable to commercial firewall appliances like you might be thinking of but deployed internally and on a cheaper scale.