PPRuNe Forums - View Single Post - Which is the best Firewall & Virus Checker ?
Old 31st Mar 2005, 17:39
  #19 (permalink)  
Toxteth O'Grady
 
Join Date: Aug 2003
Location: USA
Posts: 261
IO

I suspect we'll end up violently agreeing with each other at the end of the day.

I was only taking technical exception to your assertion that "a firewall will do no more than a NAT router." Not correct, but having reread your post I can see what you were getting at. The level of protection provided by both is the same due to the nature of the risk the average home user is exposed to.

Basic NAT devices are not real firewalls, but they are usually considered ‘good enough’ for most home networks. By not forwarding requests or probes that originate from the internet to your LAN, a NAT device blocks most mischief. A simple NAT device cannot keep hackers from running DOS (Denial Of Service) attacks on you, but individuals rarely get attacked like that. It will keep out people looking for file shares, rogue mail servers and web servers, and most port based exploits. Most also protect against SMURF and WinNuke attacks. With a NAT device and a good anti-virus program, you should be safe from the most common kinds of internet attacks.

Over and above this an SPI firewall allows the NAT devices to filter out specific kinds of data on your router like SYN flood attacks, IP Spoofing, Teardrop attacks and others. SPI is a general term that can describe a router that filters more kinds of attacks than basic NAT by closely examining packet data structures. Of course, each manufacturer will implement different kinds of SPI so not all SPI routers are equal. Routers with SPI can log attacks.

I do however wholeheartedly agree with you that basic NAT is sufficient protection for most home users and the risk of advanced denial of service attacks is negligible.

I also agree that the risk to home users from spyware/malware that they've inadvertently downloaded is orders of magnitude greater and in this instance a hardware firewall is a chocolate teapot.



TOG
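
An added illustration, not part of the post above: a toy Python model of the difference the post describes between a basic NAT device and one with SPI, which also checks TCP handshake state and logs what it drops. Address translation itself is left out; the class names, state names and sample addresses are assumptions made for the example, and real SPI implementations differ by manufacturer.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst flags")  # "ip:port", "ip:port", TCP flags

class BasicNat:
    """Forwards inbound traffic only for flows a LAN host opened."""
    def __init__(self):
        self.flows = set()
    def outbound(self, p):
        self.flows.add((p.src, p.dst))
    def inbound(self, p):
        return (p.dst, p.src) in self.flows

class SpiNat(BasicNat):
    """Same flow table, plus per-flow TCP handshake state and a drop log."""
    def __init__(self):
        super().__init__()
        self.state, self.log = {}, []
    def outbound(self, p):
        super().outbound(p)
        key = (p.src, p.dst)
        if p.flags == "S":
            self.state[key] = "SYN_SENT"
        elif p.flags == "A" and self.state.get(key) == "SYNACK_SEEN":
            self.state[key] = "ESTABLISHED"
    def inbound(self, p):
        key, ok = (p.dst, p.src), False
        st = self.state.get(key)
        if st == "SYN_SENT" and p.flags == "SA":
            self.state[key], ok = "SYNACK_SEEN", True
        elif st == "ESTABLISHED" and "S" not in p.flags:
            ok = True
        if not ok:
            self.log.append(f"DROP {p.src} -> {p.dst} flags={p.flags} state={st}")
        return ok

def compare():
    # Constructed sample traffic using documentation address ranges.
    lan, web, other = "192.168.1.10:50000", "203.0.113.5:443", "198.51.100.7:4444"
    out = {}
    for dev in (BasicNat(), SpiNat()):
        dev.outbound(Packet(lan, web, "S"))        # LAN host opens a connection
        out[type(dev).__name__] = [
            dev.inbound(Packet(other, lan, "S")),  # unsolicited probe
            dev.inbound(Packet(web, lan, "A")),    # right addresses, wrong TCP state
            dev.inbound(Packet(web, lan, "SA")),   # genuine handshake reply
        ]
    return out, dev.log                            # log belongs to the SpiNat run
```

Both models drop the unsolicited probe; only the SPI model also drops and logs the packet that matches an open flow's addresses but not its TCP state.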