A hardware firewall will typically block all incoming packets except those that are specified, related or established. Sometimes this is achieved by packet snooping; sometimes snooping is not enough. Often it is not possible for the firewall to determine the contents of a packet, because of encryption or simply because the application data is in a structure it does not understand.
A software firewall does all of the above, plus it can see which program is sending or receiving the packet and can therefore provide additional protection. However, it is subject to the whims and errors of the computer user. Hence administrators had little trust in these before it became possible to lock down the desktop, as is now common practice.
A web proxy is a common additional measure to manage the single biggest exposure area: Internet Explorer, which will waltz straight through the above measures as if they weren't there. However, even this is not perfect: it is possible to run a full VPN through a web proxy using the CONNECT method, the same method that is used so you can securely access your bank website or the like.
Personally, I use a NAT internet connection, because it inherently blocks many incoming packets, and anti-virus. I don't bother about a software firewall because ... if I download a program to run, I'll just tell the firewall to let it talk, (probably) defeating the software firewall's protection. Antivirus, kept up to date, is a must.
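
The CONNECT tunnelling mentioned above shows up in the proxy's own access log, so one defensive check is to review CONNECT entries for unexpected ports, durations and volumes. The following is an added example, not part of the original text; the log lines are constructed in Squid's native access.log layout, and the allowed port set and thresholds are assumed policy values.

```python
# Constructed sample lines in Squid's native access.log layout:
# time elapsed_ms client result/status bytes method target user peer type
SAMPLE_LOG = """\
1700000000.101    820 10.0.0.5 TCP_TUNNEL/200 48211 CONNECT bank.example:443 - HIER_DIRECT/203.0.113.10 -
1700000003.412    130 10.0.0.7 TCP_MISS/200 9120 GET http://intranet.example/index.html - HIER_DIRECT/198.51.100.4 text/html
1700000100.000 14400000 10.0.0.9 TCP_TUNNEL/200 734003200 CONNECT vpn.example:443 - HIER_DIRECT/203.0.113.77 -
1700000200.250   2100 10.0.0.9 TCP_TUNNEL/200 15200 CONNECT host.example:22 - HIER_DIRECT/203.0.113.78 -
1700000300.000     12 10.0.0.5 TCP_DENIED/403 3900 CONNECT other.example:8443 - HIER_NONE/- text/html
"""

ALLOWED_PORTS = {443}                  # assumed policy: tunnels only to HTTPS
MAX_TUNNEL_MS = 60 * 60 * 1000         # assumed threshold: one hour
MAX_TUNNEL_BYTES = 500 * 1024 * 1024   # assumed threshold: 500 MiB


def review_connect_tunnels(log_text):
    """Return (client, target, reasons) for each CONNECT tunnel worth a look."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue  # not a tunnel request
        elapsed_ms, client, result = int(fields[1]), fields[2], fields[3]
        size, target = int(fields[4]), fields[6]
        if result.partition("/")[2] != "200":
            continue  # proxy refused the request, so no tunnel was set up
        port = target.rpartition(":")[2]
        reasons = []
        if not port.isdigit() or int(port) not in ALLOWED_PORTS:
            reasons.append("port not allowed")
        if elapsed_ms > MAX_TUNNEL_MS:
            reasons.append("long-lived")
        if size > MAX_TUNNEL_BYTES:
            reasons.append("high volume")
        if reasons:
            findings.append((client, target, reasons))
    return findings


if __name__ == "__main__":
    for client, target, reasons in review_connect_tunnels(SAMPLE_LOG):
        print(f"{client} -> {target}: {', '.join(reasons)}")
```

A tunnel to port 443 looks the same as ordinary HTTPS at connection time, which is why the duration and byte-count checks are there alongside the port check.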