by zurn
4459 days ago
You have that backwards! NATs are tasked to facilitate communications (same as routers). Yes, firewalls can be configured to restrict communications. And you can have a combined NAT+firewall that is so configured. Just like routers vs firewalls. Routers forward packets as well as they know how, firewalls selectively drop them, router-FW combos can be configured either way. Reliance on restrictive centralized firewalls is a pretty 1990s mindset, and doesn't lead to good security outcomes in the current world where users constantly shuffle devices between networks, and VPN in to your network, etc. You just end up making your internal network unusable for production work.
I suppose if you view NAT to "facilitate communications" then mapping a port for all inbound IPs instead of symmetric makes sense.