IMHO, having a router is step 1... Since it will do DNAT, which has the effect of blocking any incoming connections that were not initiated from the inside.
I used to use Netgear [my last one died on me a year or two ago], but Linksys has moved up since, and the WRT54GS is a thumbs up... It will run a custom Linux-based firewall/router firmware. It's also very cheap, and with the mentioned firmware, will have the same features as a router that you can expect to pay thousands for.
My last blog post here...
http://www.devside.net/blog/category/web-server/ has some other info, CIS and SANS.