Comment by twic

12 years ago

A true firewall and a NAT-as-firewall are sort of duals of one another. A true firewall sits on a path that would normally let packets pass, and it stops them. A NAT-as-firewall sits on a path that would normally not let packets pass (because the private side is some unroutable, private, 10.* network), and it helps them through.

As an admin, NAT-as-firewall feels reassuring, because it seems less likely to fail in a dangerous direction. If I screw up my iptables configuration, I might drop my firewall, but I am very unlikely to create a new NATted path into my private network.
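The failure-direction argument above, as an added model that is not twic's code: a toy gateway with a filter chain and a DNAT table, a `flush` that mimics `iptables -F` / `iptables -t nat -F`, and a check of what a flush exposes. The topology (10/8 inside, a constructed public gateway address, a routable host for the "true firewall" case) is assumed; the third case shows that a default-deny policy gives a true firewall the same fail-closed property.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed topology: the private side is unroutable 10/8; the gateway's
# public address is the only inside-facing thing the outside world can reach.
PRIVATE = ip_network("10.0.0.0/8")
GATEWAY_PUBLIC = "203.0.113.1"  # assumed/constructed address


@dataclass
class Gateway:
    filter_rules: list = field(default_factory=list)  # [(dport, "ACCEPT"|"DROP")], first match wins
    filter_policy: str = "ACCEPT"                     # chain policy, used when no rule matches
    dnat: dict = field(default_factory=dict)          # public dport -> (private host, port)


def forward_inbound(gw, dst, dport):
    """Deliver one inbound packet; return (host, port) reached inside, or None if it is dropped."""
    if ip_address(dst) in PRIVATE:
        return None                  # nothing on the internet routes to 10/8, rules or no rules
    if dst == GATEWAY_PUBLIC:
        if dport not in gw.dnat:
            return None              # no translation entry: the packet has nowhere to go inside
        dst, dport = gw.dnat[dport]  # DNAT rewrites the destination; filtering still applies after
    for rule_port, action in gw.filter_rules:
        if rule_port == dport:
            return (dst, dport) if action == "ACCEPT" else None
    return (dst, dport) if gw.filter_policy == "ACCEPT" else None


def flush(gw):
    """Model a botched 'iptables -F' and 'iptables -t nat -F': rules gone, chain policy kept."""
    gw.filter_rules.clear()
    gw.dnat.clear()


def failure_direction(gw, dst, dport):
    """Flush the gateway and report whether that opened or closed the given inbound path."""
    before = forward_inbound(gw, dst, dport)
    flush(gw)
    after = forward_inbound(gw, dst, dport)
    if before is None and after is not None:
        return "fails open"
    if before is not None and after is None:
        return "fails closed"
    return "unchanged"


# True firewall: routable inside host, one DROP rule is all that keeps port 22 closed.
def true_firewall():
    return Gateway(filter_rules=[(22, "DROP")])

# NAT-as-firewall: unroutable inside host, only a DNAT entry for port 80 opens a path in.
def nat_as_firewall():
    return Gateway(dnat={80: ("10.0.0.5", 80)})

# True firewall with default-deny: the policy, not a rule, is what keeps ports closed.
def default_deny_firewall():
    return Gateway(filter_rules=[(80, "ACCEPT")], filter_policy="DROP")
```

Running `failure_direction(true_firewall(), "198.51.100.7", 22)` reports "fails open", while the NAT and default-deny gateways report "fails closed" for their forwarded port.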