NAT is a good "disallow everything by default" firewall. If my router's firewall had a "disallow all incoming connections by default, it would be great, although I guess I should manage it with iptables, which is machine-specific.
Most ipv6 enabled home routers have firewalls with a "block all incoming connections except for listed exceptions" feature. This effectively gives you the same security as NAT but without the port mangling (can run multiple machines on the same port).
