Comment by tbrownaw

> And indeed, if a firewall is off NAT can still function (if NAT is separate).

Well technically you can translate your /16 to look like a different /16 from the outside. IE each internal address gets turned into its own separate external address.

But that's not how NAT gets used in practice. How it actually gets used is to but many hidden addresses behind one or a few public addresses. And that multiplexing necessarily implies that incoming connections must be specifically told where to go; ie that there's a firewall.