Obviously the most ideal situation is going to be to put the server behind a dedicated firewall rather than run the border firewall on the host itself. With the firewall running on the server, if the machine is compromised (say by some exploit that allows root access), then you are basically screwed. Once an attacker has root then the game is over (they can modify or bypass the firewall however they like). With a dedicated system you have that added buffer of separation, where they may have the internal host, but the border firewall is still secure. That isn't a major factor, but it still can save you with exploits that utilize some kind of "dial-home" function or drop IRC bots on the compromised system.
Long story short (or if you've skipped over the above), go to eBay and buy a $50 box, throw some RAM in it and set up a dedicated firewall. If you don't have $50 then you run a host firewall and do the best you can to secure it otherwise.