Arend, what do you mean by hardware? Bricks?

Let's take WatchGuard for example. Their appliances have such a high level of filtering that it would take a day to explain it.
Instead of opening port 80, they have some rules in it, scan the responses for threat factors, do an AV scan, classification (big brother) and so much more.
WatchGuard is just one of them. FortiGate, the last time I used one, lagged behind in the depth of control but tries to implement the same principles.

A real firewall actually blocks stuff, no matter which side of it has the fire. And all Cisco setups I have seen have happily passed infections in and out.
I have also witnessed on several occasions how devices like WatchGuard XTMs block bad guys even from infected laptops on the inner side.

And in my opinion these are the differences between a firewall and a NAT box.

Back to Arend's comment: isn't your PC a hardware device? So if you have the WinXP firewall turned on, you have a hardware firewall? Again, that definition is so vague that it has no meaning.