Harkoliar -- basically you want your computer to be invisible. If somebody probes your machine you don't want them to get in, and it's even better if your machine doesn't send them any information at all. It sounds like you're close, but still have a few ports open that people could use to gain entry. The tricky part is figuring out if you actually need them for something, 'cause you might be running some program that requires them to be open.
AFA being 1 in a million, that doesn't protect you as much as you would think. There are script kiddies who scan large blocks of I.P. addresses, thousands at a time, looking for any that respond. Once they find one, they have pre-written utilities that probe for specific weaknesses. They don't care if you're a billion $$ company or a home user, you're nothing but an active I.P. address to them. That makes you a target.
If you've got an hour to kill, that WWW.GRC.COM site has a page describing a denial of service attack they got hit with 2 - 3 years ago. It does a good job of explaining how these script kiddie utilities work, and how some punk kid (did I say that out loud?) can take over your machine.