Well, the best installation would be to have a separate firewall box upstream from your server (cool graphics to follow):
(internet) =====> (firewall) -------> (webserver)
If you don't have ports open, you can't attack them. That's as simple as it is. But it may be good just to keep people from scanning and probing the box.
Also, you can set it up to help protect you from becoming the man in the middle of an attack; i.e., someone magically roots your box through an insecure CGI script and manages to open a remote shell on a high port. Now, if you had a firewall, they still couldn't get in to use the shell they uploaded for you. But also, say they begin using your box to jump to others - not good...
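As an added example that is not part of the original post, here is what the upstream firewall described above looks like as an nftables ruleset. It assumes a topology the post does not spell out: the firewall box routes between eth0 (internet side) and eth1 (a routed DMZ segment with no NAT), the webserver sits at 192.0.2.10, and 192.0.2.200 is an administrative host allowed to reach the firewall itself over SSH. The interface names and addresses are placeholders chosen for the example.

```nft
#!/usr/sbin/nft -f
# Assumed topology (example, not from the original post):
#   (internet) --eth0--> [firewall] --eth1--> (webserver 192.0.2.10)
# Forwarding policy is "deny by default" in both directions.

flush ruleset

define WAN   = "eth0"          # internet-facing interface (assumed)
define DMZ   = "eth1"          # segment holding the webserver (assumed)
define WEB   = 192.0.2.10      # the webserver (assumed)
define ADMIN = 192.0.2.200     # management host allowed to SSH to the firewall (assumed)

table inet filter {
    # Traffic destined for the firewall box itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Only the admin host may manage the firewall; nothing else talks to it.
        ip saddr $ADMIN tcp dport 22 ct state new accept

        # Allow hosts to discover path-MTU and similar; keep it rate limited.
        icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 10/second accept
    }

    # Traffic routed between the internet and the webserver segment.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies and related packets for connections allowed below.
        ct state established,related accept
        ct state invalid drop

        # Inbound: only the web service. A shell an attacker binds to a high
        # port on the webserver (say 31337) is simply unreachable from outside,
        # and scans of the box see nothing but 80/443.
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } ct state new accept

        # Outbound from the webserver: only what it genuinely needs. With no
        # general egress, a reverse shell, a download of a rootkit, or the box
        # being used to scan or attack other hosts is dropped at the firewall.
        iifname $DMZ oifname $WAN ip saddr $WEB udp dport { 53, 123 } ct state new accept

        # Everything else is logged (rate limited) and falls through to the
        # chain's drop policy. A compromised webserver trying to call out shows
        # up here, which is the signal you want from this rule.
        limit rate 10/second log prefix "fw-forward-drop: "
    }

    # No outbound restriction on the firewall itself beyond the stateful match;
    # it should originate nothing but its own updates and DNS.
    chain output {
        type filter hook output priority 0; policy drop;

        oif lo accept
        ct state established,related accept
        udp dport { 53, 123 } accept
        tcp dport { 80, 443 } accept
    }
}
```

Load it with `nft -f` and verify with `nft list ruleset`. The two rules that matter for the post's scenario are the inbound accept limited to 80/443 and the absence of any broad outbound accept from the DMZ: the first keeps the attacker from reaching a shell bound to a high port, the second keeps the compromised box from being used as a jumping-off point. If the webserver legitimately needs to reach other services (a database, an SMTP relay), add them as specific destination/port rules rather than opening egress in general.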