LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-08-2005, 04:19 PM   #16
xxx_anuj_xxx
Member
 
Registered: Jun 2004
Location: Bharat
Distribution: RedHat, Debian, FreeBSD, Fedora, Centos
Posts: 114

Rep: Reputation: 16
Thumbs up


Firewall on Linux:
I think a firewall is a must, as it hides your system from the outer world.
A perfect firewall makes your presence stealthy, thus no one knows if there is some target or not; fairly, it is a big difference between
[without firewall]
1: knowing there is a target and it is blocking its port. (causing the attacker to try something new)

[with firewall]
2: not sure whether a target is present or not. (causing the attacker to first find out whether there is really a target present or not, and then follow the first point).

Further:
a small list of things that are possible:-
* Throttle bandwidth for certain computers
* Throttle bandwidth TO certain computers
* Help you fairly share your bandwidth
* Protect your network from DoS (Denial of Service) attacks
* Protect the Internet from your customers
* Multiplex several servers as one, for load balancing and enhanced availability
* Restrict access to your computers
* Limit access of your users to other hosts
* Do routing based on user id (yes!), MAC address, source IP address, port, type of service, time of day or content.

Linux advanced routing and bandwidth control

cheers
 
Old 11-08-2005, 07:10 PM   #17
2damncommon
Senior Member
 
Registered: Feb 2003
Location: Calif, USA
Distribution: PCLINUXOS
Posts: 2,918

Rep: Reputation: 103Reputation: 103
Quote:
Mmmhh if they are closed, then I see no reason for closing them
I do not claim to be an expert but my understanding is that ports are not "closed" unless they are firewalled.
How are the ports "closed" without one?
 
Old 11-09-2005, 12:06 AM   #18
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
Quote:
I do not claim to be an expert but my understanding is that ports are not "closed" unless they are firewalled.
How are the ports "closed" without one?
If there is no process bound to a port then nothing can connect to it and any connection attempts will just get a connection refused packet sent back. Same as if you firewalled it with 'REJECT'. It's still a good idea to run a firewall though, as you would need to pay very close attention to what's running on your box otherwise to be secure.
 
Old 11-09-2005, 06:38 AM   #19
2damncommon
Senior Member
 
Registered: Feb 2003
Location: Calif, USA
Distribution: PCLINUXOS
Posts: 2,918

Rep: Reputation: 103Reputation: 103
Quote:
If there is no process bound to a port
I think the term "closed" in our different usages is quite imprecise.
I would not call a port closed just because nothing was being run on it, that seems quite misleading. I would say nothing was being run on it.
I do not think no services being run on a port and having a firewall reject or drop connections to it are equal. I think it is probably dangerous to believe it is.
 
Old 11-09-2005, 10:56 AM   #20
Jamster
LQ Newbie
 
Registered: Nov 2005
Location: Germany
Distribution: Debian Sid, LFS
Posts: 4

Rep: Reputation: 0
Quote:
Originally posted by 2damncommon
I think the term "closed" in our different usages is quite imprecise.
I would not call a port closed just because nothing was being run on it, that seems quite misleading. I would say nothing was being run on it.
I do not think no services being run on a port and having a firewall reject or drop connections to it are equal. I think it is probably dangerous to believe it is.
Well, by definition a port is 'closed' when it is not accepting connections, and 'open' when it does. But yes, considering that, there are two kinds of closed ports: non-listening and firewalled.

Quote:
Originally posted by tkedwards
It's still a good idea to run a firewall though, as you would need to pay very close attention to what's running on your box otherwise to be secure.
Well, if one only uses the package manager of their distribution with official repositories and/or officially listed ones, and otherwise compiles known programs from source (i.e. no little code pieces from script kiddie sites), things should be relatively safe, seriously.

It comes with the control one has over the system.

Last edited by Jamster; 11-09-2005 at 11:12 AM.
 
Old 11-09-2005, 11:06 AM   #21
Jamster
LQ Newbie
 
Registered: Nov 2005
Location: Germany
Distribution: Debian Sid, LFS
Posts: 4

Rep: Reputation: 0
Quote:
Originally posted by xxx_anuj_xxx
Firewall on Linux:
I think a firewall is a must, as it hides your system from the outer world.
A perfect firewall makes your presence stealthy, thus no one knows if there is some target or not; fairly, it is a big difference between
[without firewall]
1: knowing there is a target and it is blocking its port. (causing the attacker to try something new)

[with firewall]
2: not sure whether a target is present or not. (causing the attacker to first find out whether there is really a target present or not, and then follow the first point).
What kind of 'stealth' are you referring to?

If you are referring to -j DROP and/or Windows 'Stealth' firewalls, that won't work.

It's a common misconception that any marketed 'stealth' setting or simply completely dropping packets that reach you will turn you invisible.

On the contrary:

As soon as an attacker sends packets to an IP, and nothing at all gets returned, they know 'oh lookie, "stealth" firewall'.
This is because if you scan the IP of an ISP, and no computer is currently associated with said IP, the routers of the ISP will return a 'port not reachable' ICMP packet.

Using iptables this -can- of course be emulated, faking such responses.

Instead of using -j DROP or a mere '-j REJECT', actually use '-j REJECT --reject-with icmp-port-unreachable'.

Try it, you'll like it. :>
 
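As an added illustration of the two posts above (tkedwards's point that a port with no process bound answers with connection refused, and Jamster's point that -j DROP answers with nothing at all while REJECT sends a response), here is a small Python self-check for auditing how one of your own host's ports answers a plain connect(). It is not code from this thread; check_port and demo_local are names chosen here, and the local listener it sets up is a constructed demonstration.

```python
import errno
import socket


def check_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify how a TCP port answers a connect() from the client's side.

    "open"     - a listener completed the handshake
    "closed"   - the host answered: a TCP RST from an unbound port, or an
                 ICMP port-unreachable from '-j REJECT --reject-with
                 icmp-port-unreachable'; Linux reports both as ECONNREFUSED,
                 which is why the two look alike to the application
    "filtered" - nothing came back before the timeout: the signature of
                 '-j DROP' that the post above says gives the firewall away
    anything else is reported by errno name (e.g. EHOSTUNREACH for an
    ICMP host-unreachable reject).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:          # must precede OSError: it is a subclass
            return "filtered"
        except OSError as e:
            if e.errno == errno.ECONNREFUSED:
                return "closed"
            return errno.errorcode.get(e.errno, str(e.errno))


def demo_local() -> tuple:
    """Constructed demonstration on loopback: an ephemeral listener reads as
    'open'; once it is closed the same port has no process bound, the kernel
    answers with RST, and the client sees 'closed' (ECONNREFUSED)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick one
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = check_port("127.0.0.1", port)
    srv.close()
    after_close = check_port("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo_local())                 # ("open", "closed")
```

Running check_port against a port your firewall DROPs returns "filtered" after the timeout, which is exactly the observable difference the post describes; a REJECT rule with icmp-port-unreachable returns "closed" just like an unbound port.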
Old 11-09-2005, 02:31 PM   #22
phsythax
Member
 
Registered: Oct 2005
Location: Denmark
Distribution: Gentoo & XP pro for gaming
Posts: 152

Rep: Reputation: 30
best firewall then? (advanced packet filtering, ping blocking, packet fragmentation etc etc.. )
 
Old 11-09-2005, 03:42 PM   #23
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
iptables

Use firestarter, guarddog or shorewall to configure it.
 