[general1465]

> Even a correctly-configured NAT will let connections in from outside, and a lot of people don't understand this.

Yes, that's called port forwarding and it is normal thing. You actually want that.

[Dagger2]

It will let them in without a port forward in place. The port forward just rewrites the IP on an incoming connection, nothing more.

[general1465]

If you can reuse opened connection, but that will work with firewall too.

[Dagger2]

You don't need any tricks like that. Regular new connections will work.

[general1465]

No it won't because that's not how NAT is working.

[Dagger2]

It will, and if you test it then it does.

NAT doesn't apply to inbound connections if you don't have a matching port forward rule, so it kind of doesn't matter how NAT works here. This is pure routing, not NAT.