Or use NAT, which is actually better solution, because misconfigured NAT won't expose your whole network, while misconfigured firewall will.

Well, actually it will. In fact, even correctly configured NAT won't stop connections into your network.

On top of that, it lulls you into a false sense of security, so you confidently think it's protecting you even when it isn't. At least not having NAT makes the actual state of your network clearer.

> even correctly configured NAT won't stop connections into your network.

Yeah that's called port forwarding. It is like complaining that light is coming into your house through windows. Fully intentional.

Port forwarding requires a port forward rule that matches the inbound connection. If there's no such rule... NAT won't stop the connection, it will just ignore it.

If no other aspect of your setup blocks the connection, it'll be successful. If you were deploying NAT because you thought it would function as a firewall then this part is probably not intentional.