There are a few things which are typically referred to as "firewalls", each with a different purpose. All of them, however, control access to a network by restricting which ports and IP addresses can be connected to.
## Software Firewalls
This is the thing built into Windows and other operating systems that pops up boxes saying "Do you want to allow [thing x] to connect to the Internet?". They're designed to prevent malicious software that has been installed on your machine from sending your data elsewhere, or bulk-mailing people. They can also be used to restrict connections coming in to your computer.
## Hardware Firewalls
These come in various forms. The most common is to have it integrated with an ADSL router or similar, but they can also be found on a much larger scale in corporate offices and data centres, where they're hugely powerful machines in their own right.
A hardware firewall is often the first thing sitting in front of the network after the Internet connection coming in, and is responsible for restricting what people outside that network can access. For example many corporate networks have internal file servers, which should be accessible from remote offices, but not to anyone else.
The firewall processes each incoming connection, and determines if it should be allowed to connect to the destination it has requested. While that can be done with a software firewall on the server itself, having everything centralised in one (or several) devices dedicated to the purpose provides a single place to check for security policies.
## NATing Routers
These are commonly mis-described as a "firewall", and while they do provide some security against unwanted connections, that is just a side effect of their true purpose.
NAT stands for Network Address Translation, and was invented to work around the problem of having a limited number of IP addresses available to ISPs. Typically each customer gets a single IP address, but they have multiple devices that need to make use of the Internet connection. By using NAT that single IP address can be shared between all the users on a network.
The router itself will be assigned the public-facing IP address from the Internet provider, and also has an internal network address. For the sake of this example let's say it's something like this:
Internet: 123.123.123.123 / Local: 192.168.1.1
The other computers on the network will have only a local IP address, for example 192.168.1.34, which means they are unable to directly contact other computers on the Internet. Instead they are configured to use the router as a gateway device; any connections outside the local network they wish to make get sent to the router's internal address at 192.168.1.1.
Once the router receives that request it makes a record of the source, destination, and several other identifying features of the connection. It then rewrites the data packet, changing the source address to its external IP (123.123.123.123), and forwards it on to the next gateway router at the Internet provider. That packet then gets routed normally, bounced around the Internet, and (hopefully) a response comes back. The router then takes that response and checks it against its list of connections from internal machines. If all goes well it will find a match, and once again rewrite the destination of the packet before forwarding it back to the original source.
By virtue of holding the external IP address, a NATing router is also an effective firewall. All connections from the wider Internet go via that router, which by default will reject any incoming connections (as it can't find a match in its NAT table). However, it can be configured to forward all incoming connections on certain ports to a specific IP address internally, thereby working much like a normal firewall (although more error-prone due to the side effects of rewriting packets).
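The two preceding paragraphs describe one mechanism from both directions: the outbound rewrite and connection record, and the inbound lookup that drops anything without a match unless a port forward exists. The simulation below is an added example, not the original text's code, modelling that stateful NAT (port-based NAT, since one public address is shared by many internal hosts). It uses the router addresses given above; the internal host 192.168.1.34, the remote hosts in 198.51.100.0/24, the port numbers and the forwarded web server at 192.168.1.50 are constructed for the demonstration.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Addresses used in the text
PUBLIC_IP = "123.123.123.123"
LAN_GATEWAY = "192.168.1.1"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Minimal stateful NAT: rewrites the source of outbound flows to the
    public address, remembers each flow, and only lets an inbound packet
    through when it matches a remembered flow or an explicit port forward."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # internal 5-tuple -> public port chosen for that flow
        self.out_map: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public port, remote ip, remote port) -> (lan ip, lan port)
        self.in_map: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # static forwards: (proto, public port) -> (lan ip, lan port)
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_forward(self, proto: str, public_port: int, lan_ip: str, lan_port: int):
        """Configured port forward, the manual hole described in the text."""
        self.forwards[(proto, public_port)] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Internal host -> Internet: record the flow, rewrite the source."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.out_map.get(key)
        if pub_port is None:
            pub_port = self.next_port          # allocate a fresh public port
            self.next_port += 1
            self.out_map[key] = pub_port
            self.in_map[(pkt.proto, pub_port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> router: deliver only if a flow or forward matches.
        Returns the rewritten packet, or None when the router drops it."""
        if pkt.dst_ip != self.public_ip:
            return None
        # 1. reply to a connection an internal machine started
        hit = self.in_map.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        # 2. otherwise an explicit port forward
        if hit is None:
            hit = self.forwards.get((pkt.proto, pkt.dst_port))
        if hit is None:
            return None                        # no match in the NAT table: dropped
        lan_ip, lan_port = hit
        return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)


def demo():
    """Walk one flow through the router; returns the four packets of interest."""
    router = NatRouter(PUBLIC_IP)
    # internal host opens an HTTPS connection; router rewrites its source
    out = router.outbound(Packet("tcp", "192.168.1.34", 51000, "198.51.100.7", 443))
    # the reply comes back to the public port and is mapped to the host
    reply = router.inbound(Packet("tcp", "198.51.100.7", 443, PUBLIC_IP, out.src_port))
    # an unsolicited connection to port 22 has no table entry and is dropped
    unsolicited = router.inbound(Packet("tcp", "198.51.100.9", 4444, PUBLIC_IP, 22))
    # after a port forward is configured, public 8080 reaches an internal web server
    router.add_forward("tcp", 8080, "192.168.1.50", 80)
    forwarded = router.inbound(Packet("tcp", "198.51.100.9", 4444, PUBLIC_IP, 8080))
    return out, reply, unsolicited, forwarded


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The inbound lookup keys on the remote address and port as well as the public port, which is the "several other identifying features" the text mentions; a reply from a different remote host to the same public port is treated as unsolicited and dropped.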