No SPI Firewall...?!?!

Sadly there isn't Firewall on it, however if you have NAT on it, it will block most of the harm away.

Yep, NAT will be enough for home use, just make sure that NAT is on and its sharing DHCP address to home computer(s).

Firewall as meaning varies a lot between manufacturers. :/

The AirPorts only provides a basic NAT-type firewall interface. They do not offer either a SPI-type firewall or an Intrusion Prevention System function. If either of these features are important to you, then you should look at another manufacturer's solution that do.

I stopped using a Netgear wireless router which had a hardwall firewall in the form of SPI. It slowed my connection, was vulnerable to DOS attacks and what security it added was not necessary.

WPA2, NAT and the OS X software firewall on your Mac are sufficient for consumer users. Why would you be targeted by someone capable of breaching all that when there numerous individuals using wireless networks with no or insufficient security?

Which solutions would be affordable improvements on the basic AE port-forwarding?

I was thinking that several more intelligent firewalls would be able to handle DOS-attacks, etc. So, what would my most affordable option be if I am serious/paranoid about security?

And does the AE accept source routed packets? That would be another reason to have a separate firewall, I guess.

I am moving form a linksys DSL setup to a cable-modem based pure airport extreme setup. And on my LAN there are a few Macs (with firewalls turned on) but also some machines linke bluray players, personal video recorders etc, which all have some sort of basic OS (often Linux) running which I do not trust at all in terms of protection settings and often run old (and thus vulnerable) versions of the core Linux OS. So, I am interested in a decent firewall before or after the NAT of the AE.