Do I really need a firewall?

"Let's think outside the box for a moment.

Sure, you can give in to the culture of fear and install all sorts of software on your computer to create an illusion of security. The IT security industry loves that, that's actually how their protection racket works ... or you can play it really safe by sticking to a simple set of rules:

do not keep personal and/or sensitive data on a computer connected to the Internet. Use encrypted external storage (Pen Drive, SDHC card, USB hard drive, etc.) where applicable.
if you have a home network to protect, use a virtual private network (VPN) connection as an additional layer of security.
use virtualization for ALL your Internet activities, ""disposable"" virtual machines are free (and so is Sandboxie). Destroy the virtual machine (or sandbox) immediately after each online banking session or financial transaction (redeployment of a VHD backup is only a matter of seconds).

Although this sounds a bit of an inconvenience, you certainly will not have to worry whether (enter the name of your favorite antivirus software, firewall, malware scanner and other popular time and resource wasters here) may have been protecting you sufficently or not. Don't buy into their promises, think and take matters in your own hands."

"Does not having a firewall open up any dangerous vulnerabilities that an antivirus cannot cover?

Don't rely on software to keep you secure, because it won't. Today's anti-virus software won't ‘cover’ any likely infection scenario: it is almost completely helpless in the face of an overwhelming quantity of generally-web-exploit-installed malware.

A firewall serves two purposes:

1: Denying access to sensitive ports to incoming traffic. This function is unfortunately necessary because Windows cannot be configured to just close the damn ports (139-145, 445 etc) in the first place.

The built-in Windows Firewall in XP and later is fine for this purpose; you'll also be OK if you're behind a NAT router and there's nothing else untrusted on your LAN.

2: Denying outgoing access to the network to particular applications. This is the ‘egress filtering’ feature that the firewall vendors trumpet as being an essential feature that the Windows Firewall lacks.

However I would strongly dispute its efficacy as a security measure: once malware is installed on the local machine, you've already lost. It can (and indeed many do) disable the rules of popular firewall software to let itself out.

Egress filtering can be a useful way to keep an eye on what otherwise-trusted software is doing on the network, and it can often catch network access from a naïve exploit-downloader that doesn't attempt to circumvent firewall rules. (But at that point, the only safe course of action would be, as always, to re-install the OS.) But essential for security? No, not really."

"Though tagged for Windows, a few words on the built-in application firewall in Mac OS X:

This type of firewall allows you to control connections on a per-application basis, rather than a per-port basis.
It only controls incoming connections. All outbound connections are allowed.
All applications [..] that have been digitally signed by a Certificate Authority trusted by the system (for the purpose of code signing) are allowed to receive incoming connections. (source)

I wonder how this really makes things any more secure. In other words: the type of firewall might matter a lot."