Outgoing and incoming connection requests:
Outgoing:
Say you are surfing the web. You click on a hyperlink. The browser sends a connection request to the DNS server(s) you have specified. The request leaves your computer and exits the LAN via the default gateway. If you are using NAT, the router/server replaces the IP address in the TCP/IP packets with that of its external connection to the internet and keeps track of where the packets came from. It then sends the request on to the nameserver, which responds and sends some packets back to confirm the connection. The router/server takes the packets and replaces the IP address with the one of the originating machine, which then picks up these packets. Hence the connection is established. However, the name server sees the request as having come from your router/server and has no knowledge of the IP address of the PC that made the original request. In this way your LAN IPs remain private to the LAN. This has several advantages: firstly, it means you can add a network to the internet and only use 1 IP; secondly, no-one on the internet can directly address any of the machines on your LAN.
Incoming:
Say someone wants to FTP to a machine on your LAN, for valid or malicious reasons. They will send packets to the external IP, that of your router, requesting a connection on port 21 usually. If the firewall denies the request for a connection they cannot connect to your LAN. If you're using a hardware router it's likely there will be nothing to FTP to. In this case, if you had a machine you wanted to access you would have to enable 'port forwarding'. This basically means you tell the router to forward all requests on the FTP port to a particular machine which is running an FTP server. If you are running NAT through a server you could just put the FTP server on this machine. Neither of these methods is the most secure, but I don't see you needing a demilitarised zone for a home network!
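To make the outgoing and incoming cases above concrete, here is a small NAT simulator (an added example, not code from the original post or from any router product). It keeps the translation table the post describes: outbound packets from private LAN addresses have their source rewritten to the one public IP and a mapping is recorded; replies are translated back only when they match an existing mapping; an unsolicited inbound request (the FTP example) is dropped unless a port-forwarding rule sends it to a chosen LAN host. All IP addresses, ports and the `NatRouter` class are constructed for the example.

```python
"""Toy NAT / port-forwarding simulator (constructed example, not real router code)."""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.7"  # constructed: the router's external (WAN) address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatRouter:
    def __init__(self, public_ip, port_forwards=None):
        self.public_ip = public_ip
        # dynamic mappings built from outbound traffic:
        #   (lan_ip, lan_port, remote_ip, remote_port) -> public_port
        self.flow_to_port = {}
        self.port_to_flow = {}
        # static rules: public_port -> (lan_ip, lan_port)
        self.port_forwards = dict(port_forwards or {})
        self.next_port = 40000
        self.log = []

    def outbound(self, pkt):
        """LAN -> internet: rewrite the source to the public IP and remember the flow."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.flow_to_port.get(flow)
        if pub_port is None:  # first packet of this flow: allocate a public port
            pub_port = self.next_port
            self.next_port += 1
            self.flow_to_port[flow] = pub_port
            self.port_to_flow[pub_port] = flow
        self.log.append(f"OUT {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
                        f"sent as {self.public_ip}:{pub_port}")
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Internet -> LAN: translate back, forward by static rule, or drop (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        flow = self.port_to_flow.get(pkt.dst_port)
        if flow is not None:
            lan_ip, lan_port, remote_ip, remote_port = flow
            # only the peer the LAN host actually talked to may use this mapping
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                self.log.append(f"IN  reply delivered to {lan_ip}:{lan_port}")
                return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.payload)
            self.log.append(f"DROP {pkt.src_ip}:{pkt.src_port} does not match mapping")
            return None
        fwd = self.port_forwards.get(pkt.dst_port)
        if fwd is not None:
            lan_ip, lan_port = fwd
            self.log.append(f"IN  port-forward {pkt.dst_port} -> {lan_ip}:{lan_port}")
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.payload)
        self.log.append(f"DROP unsolicited {pkt.src_ip}:{pkt.src_port} -> port {pkt.dst_port}")
        return None


def run_demo():
    """Walk through the post's two scenarios; returns a summary dict."""
    lan_pc, nameserver, outsider = "192.168.1.10", "198.51.100.53", "198.51.100.99"
    router = NatRouter(PUBLIC_IP)

    # Outgoing: PC queries the nameserver; the reply comes back to the PC.
    out = router.outbound(Packet(lan_pc, 51000, nameserver, 53, "query"))
    reply = router.inbound(Packet(nameserver, 53, PUBLIC_IP, out.src_port, "answer"))

    # Incoming: an outsider tries FTP (port 21) on the public IP, no forwarding rule.
    ftp_attempt = router.inbound(Packet(outsider, 33000, PUBLIC_IP, 21, "USER anonymous"))

    # Same attempt against a router that forwards port 21 to a LAN FTP server.
    fwd_router = NatRouter(PUBLIC_IP, {21: ("192.168.1.20", 21)})
    ftp_forwarded = fwd_router.inbound(Packet(outsider, 33000, PUBLIC_IP, 21, "USER anonymous"))

    return {
        "outbound_src": (out.src_ip, out.src_port),
        "reply_dst": (reply.dst_ip, reply.dst_port),
        "ftp_without_forward": ftp_attempt,
        "ftp_with_forward": (ftp_forwarded.dst_ip, ftp_forwarded.dst_port),
        "log": router.log + fwd_router.log,
    }


if __name__ == "__main__":
    for line in run_demo()["log"]:
        print(line)
```

Run it and the log shows the two halves of the story: the nameserver only ever sees 203.0.113.7, the reply is steered back to 192.168.1.10 by the mapping, the unsolicited FTP attempt is dropped, and only the router with the forwarding rule hands it to the LAN server (which is why that server is the one machine you then have to keep patched).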
If you keep a firewall on your PCs as well as the firewall on your router, watch out for unexpected behaviour. If you deny all incoming requests on your PCs within the network you may not be able to share files etc.; however, this depends on what server technologies you are using.
I don't personally firewall anything inside my LAN except for the Windows machine. However, this does mean that if someone breaks in they have unfettered access to all of my machines.
The subject of security is very big and ridiculously complex. However, the easiest way to break into a LAN is to get in via some indirect method, i.e. a virus in an e-mail. As you bring it into the system, the cracker does not have to break through your firewall and exploit whatever insecure software you happen to be running. In terms of effort for the cracker this makes much more sense.
Conclusion: make your network reasonably secure and buy some good anti-virus software, or do the above and just don't run Windows...
Most exploited machines are used to connect to another exploited machine and then another and so on. Crackers do this because most people don't keep detailed logs of their network traffic. In this way the cracker can be reasonably sure that when they do launch an attack from a given machine at the end of a long chain it will be impossible to trace the origin of the attack. The trace will end at a, probably blissfully unaware, user's machine that keeps no logs of the network activity.
If you're really paranoid, employ an Intrusion Detection System that will warn of suspicious activity on your network so that you can then take appropriate action.
Hope this helps!