Home firewall idea
One advantage of IPv4 NAT is that it makes a pretty effective inbound firewall. Unless the communication starts from inside the firewall (or is explicitly opened via configuration or UPnP), packets from the outside (Internet) are dropped. But it does nothing for outbound communications. So once something gets inside the firewall, it can open connections to the outside world or open ports via UPnP.
The idea I have is to make outbound communication dependent on DNS. So connecting to 74.50.103.224 tcp/80 would fail unless the computer had first done a DNS lookup for www.atariage.com. This would prevent malware from connecting to unlisted command-and-control (C&C) servers by IP address, and it would allow connections to be logged by destination name, along with whitelisting & blacklisting destinations by hostname / domain.
Of course, as any programmer knows, there's a big gap between idea and implementation. The question is whether I want to sink the time & effort to figure out how to do it (likely using something like BIND & PF on OpenBSD).
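To make the idea concrete, here is a small model of the policy engine such a firewall would need, written as an added example for this post rather than code from the original or from BIND/PF. It assumes two hooks that the real deployment would have to provide: the resolver reports each answered lookup (hostname, addresses, TTL) to `on_dns_answer`, and the packet filter asks `check_outbound` before allowing a new outbound flow. The hostname/address pair from the post is used as sample data; the `bad.example` and `198.51.100.0/24`-style values are constructed placeholders.

```python
"""Model of a DNS-gated egress policy: an outbound connection is allowed only
if the destination IP was recently returned by a DNS answer for a hostname
that passes the domain allow/deny lists.  Added example, not code from the
original post; hostnames, addresses and TTLs below are constructed."""
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Lease:
    hostname: str
    expires: float  # absolute time after which the DNS answer is stale


@dataclass
class DnsGatedEgress:
    # Domain suffixes (or exact names) the policy explicitly denies / allows.
    denylist: Set[str] = field(default_factory=set)
    allowlist: Optional[Set[str]] = None  # None = allow anything not denied
    leases: Dict[ipaddress._BaseAddress, Lease] = field(default_factory=dict)
    log: List[Tuple] = field(default_factory=list)  # by-name audit trail

    @staticmethod
    def _matches(hostname: str, names: Set[str]) -> bool:
        host = hostname.lower().rstrip(".")
        return any(host == n or host.endswith("." + n) for n in names)

    def on_dns_answer(self, hostname: str, addresses: List[str], ttl: int,
                      now: Optional[float] = None) -> bool:
        """Resolver hook (hypothetical): called when a client resolves
        `hostname`. Records each address for `ttl` seconds unless the name is
        blocked by policy, in which case nothing is opened."""
        now = time.time() if now is None else now
        if self._matches(hostname, self.denylist) or (
            self.allowlist is not None
            and not self._matches(hostname, self.allowlist)
        ):
            self.log.append(("dns-refused", hostname))
            return False
        for addr in addresses:
            self.leases[ipaddress.ip_address(addr)] = Lease(hostname, now + ttl)
        self.log.append(("dns-ok", hostname, list(addresses)))
        return True

    def check_outbound(self, dst_ip: str, dst_port: int,
                       now: Optional[float] = None) -> bool:
        """Packet-filter hook (hypothetical): decide a new outbound flow.
        Anything without a live DNS answer behind it is dropped, and the log
        records the destination by name rather than only by address."""
        now = time.time() if now is None else now
        ip = ipaddress.ip_address(dst_ip)
        lease = self.leases.get(ip)
        if lease is None:
            self.log.append(("drop", str(ip), dst_port, "no DNS lookup"))
            return False
        if lease.expires < now:  # answer expired; require a fresh lookup
            del self.leases[ip]
            self.log.append(("drop", str(ip), dst_port,
                             "stale answer for " + lease.hostname))
            return False
        self.log.append(("pass", lease.hostname, str(ip), dst_port))
        return True


def demo() -> Tuple[bool, bool, bool, bool]:
    """Walk through the scenario from the post with constructed extras."""
    fw = DnsGatedEgress(denylist={"bad.example"})
    fw.on_dns_answer("www.atariage.com", ["74.50.103.224"], ttl=300, now=1000)
    fw.on_dns_answer("c2.bad.example", ["203.0.113.9"], ttl=300, now=1000)
    return (
        fw.check_outbound("74.50.103.224", 80, now=1010),  # looked up: pass
        fw.check_outbound("198.51.100.7", 443, now=1010),  # never resolved: drop
        fw.check_outbound("203.0.113.9", 443, now=1010),   # denied domain: drop
        fw.check_outbound("74.50.103.224", 80, now=1400),  # TTL expired: drop
    )


if __name__ == "__main__":
    print(demo())
```

In a real BIND & PF deployment the `on_dns_answer` side would be fed from the resolver (query log or a response hook) and would add the addresses to a PF table with a timeout, while `check_outbound` is the table match in the `pass out` rule; the model above captures the policy decisions (unresolved address, denied domain, expired answer) that the rules and the table-expiry job have to agree on. Two caveats a practitioner will hit immediately: clients that resolve names over DoH/DoT or a hard-coded resolver never pass through the hook, so the firewall must force DNS through the local resolver, and shared hosting or CDN addresses mean a lease opened for one benign hostname also admits traffic to every other name on that IP.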