Yes, Mac OS's built-in firewall does offer protection. However, a router at the Internet gateway offers an additional layer of protection, especially since most routers are incapable of offering most services (e.g. ftp).

If one does expose a computer as a DMZ host, the safest thing to do is to offer only those services that are absolutely necessary. Below, I see some people suggesting port-forwarding. This is a solution only when one is offering between one and ten services. If you are hosting, for example, AFP, BitTorrent, DNS, HTTP, HTTPS, POP, POP SSL, SSH, SMTP, VNC--you quickly run out of port-forwarding ranges and you don't necessarily want to turn your DMZ on and off.

Or, if your port-fowarding slots are mostly full and you want to log on to World of Warcraft for an hour or two and don't want to change your port-forwarding settings, a quick cmd-Tab to Terminal and a few keystrokes will set you up with the script detailed in this hint.

Routers do offer an additional layer of protection, but that protection comes at the price of convenience.