
Comment by Dagger2

1 month ago

There's no inherent ACL in NAT, and adding one would just demonstrate that ACLs can block packets, which we already knew.

> What you’re describing would happen if NAT were completely disabled. You’re just describing an open router

Yep. It also happens when NAT is enabled. A router doing NAT is exactly the same thing as an open router -- it just has the additional property of editing outbound connections to appear to come from the IP of the router itself.

If NAT on its own blocked inbound connections, I would have seen that in my tests.
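
The distinction drawn in the comment above, as an added example that is not part of the original comment: a hypothetical Python model of a forwarding router with source NAT, run once on its own and once with a separate stateful filter. The `Router` class, the verdict names and all addresses are constructed for illustration, and the model assumes the packet has already been delivered to the router's WAN interface.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed addresses (RFC 1918 / RFC 5737 documentation ranges), not from the thread.
LAN = ip_network("192.168.1.0/24")
WAN_IP = "203.0.113.1"

@dataclass
class Router:
    """Hypothetical model of a forwarding router with source NAT."""
    stateful_filter: bool = False   # separate ACL: drop unsolicited WAN->LAN forwards
    conntrack: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, src, sport, dst, dport):
        """LAN -> WAN: NAT rewrites the source to the router's own address."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.conntrack[(wan_port, dst, dport)] = (src, sport)
        return (WAN_IP, wan_port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Packet arriving on the WAN interface -> (verdict, final destination)."""
        mapping = self.conntrack.get((dport, src, sport))
        if dst == WAN_IP and mapping:
            return ("forward-reply", mapping)      # NAT reverses its own rewrite
        if dst == WAN_IP:
            return ("local", (dst, dport))         # no mapping: NAT does nothing
        if ip_address(dst) in LAN:
            # Routing decision only. NAT has no say here; the filter does.
            if self.stateful_filter:
                return ("drop", None)
            return ("forward", (dst, dport))
        return ("no-route", None)

def demo():
    """Same two inbound packets against NAT alone and NAT plus a filter."""
    results = {}
    for name, r in (("nat_only", Router()), ("nat_plus_acl", Router(stateful_filter=True))):
        r.outbound("192.168.1.10", 5000, "198.51.100.7", 443)
        results[name] = [
            r.inbound("198.51.100.7", 443, WAN_IP, 40000)[0],        # reply to outbound flow
            r.inbound("198.51.100.9", 1234, "192.168.1.10", 22)[0],  # unsolicited, LAN dst
        ]
    return results

if __name__ == "__main__":
    print(demo())
```

In the model, the only branch that produces a drop is the filter check; the NAT table is consulted solely to reverse translations it created.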