G'day Silvertones,
as I said, I'm not familiar with the PC Tools firewall, but I would certainly expect that there is some management mechanism to allow you to poke a hole in it for your Toshi.

However, to really secure this so that there isn't an inadvertant hole that someone else might sneak through when you're elswhere you need to make sure the local, approved address (all this traffic management will be IP address based) of the Toshi. is not likely to be replicated at the library.

There are 3 "private" address ranges available for use that never appear on the internet. They are:
a) 10.0.0.0 to 10.255.255.255 - this is a single class A range. Mask is 255.0.0.0
b) 172.16.0.0 to 172.31.255.255 - These are 16 class B ranges. Mask is 255.255.0.0
c) 192.168.0.0 through 192.168.255.255. These are 256 class C addresses and thus normally have a 255.255.255.0 mask

The library network will be on one of these 3 sets of addresses, as will your home LAN.

You will most commonly see either 192.168.0.0/24 (the /24 means 24 bit mask, or 255.255.255.0) or 192.168.1.0/24. The next most common is 10.0.0.0/8 (the /8 is, of course, an 8 bit mask or 255.0.0.0)

If you select a very uncommon range for your LAN at home then you can be reasonably confident of leaving your firewall open for that range. I would also consider using a non-standard mask for the local LAN IF your router/access point will allow and the built in DHCP server can cope.

Perhaps use a 172 range, like 172.29.0.0/28 - this would make available the address range 172.29.0.0 to 172.29.0.15 (14 usable addresses the lowest is always the network identifier and the highest is the broascast address so you always lose 2) - the decimal mask would be 255.255.255.240 - a most unusual mask to use with a class B address as well as being a largely unused private range allocation. Not perfectly secure, but the first step in security should always be obscurity. The reason for the non-standard mask is to further secure things. Even if you happen to connect to a LAN using the same base address range (the 172.329.0.0 part) your machine will still be inaccessible UNLESS they have also picked the same mask.

--=-- My credo: If it's worth doing, it's worth overdoing - just ask my missus, she'll tell ya laugh --=--
You're only paranoid if you're wrong!