Even with 1:1 NAT, the firewall doesn't allow ports 0-65535 through right? It only forwards those ports through NAT?
Yes. That's true.
Even if you 1:1 NAT and you don't create a firewall rule that allows traffic, it will be blocked by the firewall.
I might have exaggerated with saying you expose ports to the internet with 1:1 NAT.
You have separate rulesets for the Firewall and NAT.
But it's still a better approach to have 2 ways of security.
1: the firewall
2: no defined destination for inbound unwanted traffic.