
Configuring a firewall correctly is much easier than configuring NAT correctly:

Block all incoming connections by default. Have your apps/OSes on firewalled machines prompt users to allow incoming connections, and use UPnP to talk to the firewall to open the port.

With NAT, you additionally have to deal with port renumbering (what if more than one host wants to run web servers, or SSH, or VNC, etc.?). And because the ports are a shared resource between all hosts, you may not allow UPnP so hosts can't fight over forwarding rules.


