It`s the NAT bit that gives routers the inbound security
add SPI.
The recommendation to avoid multiple firewalls is ONLY a configuration and
maintenance issue. It adds complexity and to ensure that data flows properly,
they all need to be adjusted if ether is reconfigured. Ergo: use one and learn to
configured it well.
A hardware firewall appliance, as apposed to a simple router with NAT+SPI,
is a great solution that most of us can't afford. Having one placed BEFORE
a router is a great solution as it protects all down stream LAN connections
with one common configuration. Without that, we opt for a personal firewall on
each LAN system, trading more configurations to save $$$.
btw: most routers used by home users should not be considered Firewalls, as the
only firewall control that is available is port forwarding. A firewall normally
controls protocols, source/destinations that are accessible, and ports which
can be used, none of which are available on common routers.