Absolutely correct. Real firewalls pass inbound traffic because a
state table entry exists. NATs do the same thing, with nasty
side-effects. There is no added security from the header-mangling.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb