bcook | 2 years ago
Network security audits of dual-stack networks far too often show practically no open ports on IPv4, because of NAT, while IPv6 exposes everything. The security through obscurity of the practically unscannable IPv6 address space is not a firewall.
justsomehnguy | 2 years ago
Repeat after me: NAT does not provide firewalling in any way.
What you think of as 'firewalling' is just the inability to route packets to your LAN[0] for someone further away than your immediate gateway, and this is true only as long as you have no active inbound NAT sessions.
If for some reason there is a session that allows anyone to contact the machine on your LAN (i.e. Full Cone NAT) then... anyone can contact your machine behind the NAT. I'm not sure there is any router or appliance that would do that automatically anymore (because by default an outbound session would create a thing called Address and Port Restricted NAT in TFA), but it's quite easy to end up with this through misconfiguration or some automatic mechanism, like UPnP.
If the problem is in the 'default configuration of many ISP-supplied routers', then you really should address that and not treat NAT as a firewall.
And last, but not least: every modern OS comes with a built-in firewall. Even Windows' one is pretty decent at blocking anything not explicitly allowed. There is no network scanning in IPv6; it's pointless, or it requires sitting on the wire to listen for NDP, and at that point NAT wouldn't help either.
[0] or sometimes the packets are routed in just fine; it's just the absence of state and/or proper rules that forbids the answer from being routed back. If you have ever needed to troubleshoot an asymmetric NAT you would know this.
ADD: this should have been a reply to your further comment, of course, but I'll leave it here.
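As an added illustration of the Full Cone vs Address and Port Restricted distinction in the comment above (example code written for this page, not the commenter's): a toy model of a single-public-IP NAT that shows which inbound packets reach the LAN host once an outbound session exists. It also includes the intermediate "address-restricted" behaviour from RFC 3489, which the comment does not mention. All addresses are constructed from documentation ranges, and the port-allocation scheme is a simplification of what a real NAT's connection tracking does.

```python
"""Toy model of classic NAT filtering behaviours (added example).

Three RFC 3489 behaviours are modelled: "full-cone" (any remote host may
use a mapped port), "address-restricted" (only hosts the internal machine
has already talked to, on any port) and "address-port-restricted" (only the
exact remote ip:port the internal machine contacted). Addresses below are
constructed documentation ranges, not real hosts.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

MODES = ("full-cone", "address-restricted", "address-port-restricted")


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class Nat:
    """Single-public-IP NAT keeping one external port per internal endpoint."""

    def __init__(self, public_ip: str, mode: str) -> None:
        if mode not in MODES:
            raise ValueError(f"unknown NAT mode {mode!r}")
        self.public_ip = public_ip
        self.mode = mode
        self._next_port = 40000
        # internal endpoint -> external port
        self._mapping: Dict[Endpoint, int] = {}
        # external port -> (internal endpoint, remote peers it has contacted)
        self._binding: Dict[int, Tuple[Endpoint, Set[Endpoint]]] = {}

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Internal `src` sends to remote `dst`; create or refresh the mapping.

        Returns the translated source endpoint as seen by the remote side.
        """
        if src not in self._mapping:
            port = self._next_port
            self._next_port += 1
            self._mapping[src] = port
            self._binding[port] = (src, set())
        port = self._mapping[src]
        self._binding[port][1].add(dst)
        return Endpoint(self.public_ip, port)

    def inbound(self, remote: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Remote `remote` sends to public_ip:dst_port.

        Returns the internal endpoint the packet is delivered to, or None when
        no mapping exists for that port or the filtering behaviour rejects it.
        """
        if dst_port not in self._binding:
            return None  # no session: nothing to translate the packet to
        internal, peers = self._binding[dst_port]
        if self.mode == "full-cone":
            return internal  # any remote host may use the mapping
        if self.mode == "address-restricted":
            return internal if any(p.ip == remote.ip for p in peers) else None
        # address-port-restricted: exact ip:port the internal host contacted
        return internal if remote in peers else None


def demo(mode: str) -> Dict[str, Optional[Endpoint]]:
    """One LAN host contacts a server; then several remote hosts try to come back in."""
    nat = Nat("203.0.113.7", mode)              # constructed public IP (TEST-NET-3)
    lan_host = Endpoint("192.168.1.20", 50000)  # constructed LAN host
    server = Endpoint("198.51.100.10", 3478)    # constructed server the host talked to
    same_host_other_port = Endpoint("198.51.100.10", 9999)
    stranger = Endpoint("192.0.2.66", 4444)     # constructed unrelated Internet host

    ext = nat.outbound(lan_host, server)
    return {
        "from_server": nat.inbound(server, ext.port),
        "from_server_other_port": nat.inbound(same_host_other_port, ext.port),
        "from_stranger": nat.inbound(stranger, ext.port),
        "to_unmapped_port": nat.inbound(stranger, 22),  # no session at all
    }


if __name__ == "__main__":
    for mode in MODES:
        print(mode, demo(mode))
```

Running it shows the point of the comment: with no session at all, nothing gets in under any mode (the "can't route to your LAN" effect), but as soon as a mapping exists, a full-cone NAT lets the unrelated host straight through to the LAN machine, while the address-and-port-restricted variant only admits the exact peer the LAN host contacted.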
bcook | 2 years ago
This is why I worry about more IPv6 deployment. Too many people are ignorantly relying on IPv4 NAT as a layer of protection.
justsomehnguy | 2 years ago
... NAT does not offer 'implicit firewall'
It's just that an Average Hacker somewhere on the net can't easily route into your local network. If it is no longer an Average Hacker, or he is sitting on your wire, then the only thing your NAT 'offers' is your false sense of security.
And by the way, nobody, no one, forbade you from having explicit firewall rules denying anything from anywhere that is not explicitly allowed. Just like it is done in a proper IPv4 configuration.
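What "explicit firewall rules denying anything not explicitly allowed" looks like on a dual-stack gateway, as an added example (not configuration from the thread or from any particular ISP router): an nftables ruleset in which the filtering lives in the `inet` family, so one `forward` chain with a drop policy covers IPv4 and IPv6 alike, while NAT sits in a separate IPv4-only table. The interface names `wan0` and `lan0`, the SSH rule and the DHCPv6 rule are assumptions for the illustration.

```nft
# Added example of a dual-stack gateway ruleset; interface names, the SSH
# rule and the DHCPv6 rule are assumptions. The "inet" family applies the
# same filter rules to IPv4 and IPv6 packets.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is not optional: NDP, router advertisements and PMTUD
        # break without it, so allow the needed types rather than all of it.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      echo-request, destination-unreachable,
                      packet-too-big, time-exceeded, parameter-problem } accept
        icmp type { echo-request, destination-unreachable,
                    time-exceeded, parameter-problem } accept

        # DHCPv6 client replies arrive on UDP 546 (assumed needed on wan0).
        iifname "wan0" udp dport 546 accept

        # Management only from the LAN side (assumption).
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN may initiate towards the Internet, for both address families.
        iifname "lan0" oifname "wan0" accept

        # Nothing else. Unsolicited inbound traffic to LAN hosts is dropped
        # whether their addresses are RFC 1918 or globally routable IPv6.
        # Any deliberate IPv6 "port forward" equivalent is an explicit
        # accept rule added here, per host and port.
    }
}

# NAT is a separate, IPv4-only table. It rewrites addresses; it is not what
# decides whether a packet may enter the LAN. Without the forward chain's
# drop policy, anything that can be routed to a LAN address from the
# upstream side, or that matches an existing (or UPnP-created) mapping,
# goes straight through, and IPv6 hosts are reachable by anyone.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

The design point is that the `forward` chain, not the `nat` table, is the security boundary: delete `table ip nat` and the LAN is still protected (IPv4 just stops working for lack of translation); delete the `forward` chain and masquerading alone protects nothing that can be routed to.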
bcook | 2 years ago
Sure, in a perfect world, migrating to IPv6 should be safe, but the default configuration on many ISP-supplied routers has no firewalling beyond what NAT offers.