I'm not aware of even a single consumer-marketed router that ships without a firewall (often ip/nftables) configured to drop all unsolicited incoming packets by default. If an attacker can create outbound connections from inside the network then they can get around this of course, but you have to already be inside.
