> It's possible to do NAT without firewalling in netfilter.
That's not the claim I was making, which is that if you have netfilter/pf you are already using a device which ships a stateful firewall (and if you have NAT on a cheap home router you have netfilter/pf). This is in response to GP's claim there are cheap home routers which can NAT but not be configured as a stateful firewall, whereas your response seems to be more about how NAT can be configured.
Whether or not netfilter/pf is configured with NATs, port forwards, or block entries is a separate topic altogether, somewhat split between vendor default config and what the user has changed. Regardless of what rules it's configured with at a given moment, netfilter/pf doesn't stop having the capabilities of a stateful firewall already bundled.