That seems like a good idea and it is.
What if the response doesn't come back on the same PORT it went out on? Then NAT with Port Address Translation (PAT) won't let it through, because it only has a mapping for the port it saw leaving.
So how does NAT/PAT know what to do?
That's when Application Layer Gateways (ALGs) come into play.
[ALG] allows customized NAT traversal filters to be plugged into the gateway to support address and port translation for certain application layer ... protocols ...
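To make the mechanics concrete, here is an added toy model (not from this post, Wikipedia, or any router firmware) of a port-restricted PAT table and a much-simplified SIP-style ALG. The addresses are RFC 5737 documentation addresses and the SDP payload is constructed; the point it shows is that a plain PAT drops a reply that arrives from a different port, while the ALG silently reads the application payload, rewrites it, and opens a pinhole on a port you never configured.

```python
import re

class PatRouter:
    """Toy port-restricted PAT with an optional ALG hook (illustration only)."""
    def __init__(self, wan_ip="203.0.113.5"):  # RFC 5737 documentation address
        self.wan_ip, self.next_port = wan_ip, 40000
        self.mappings = {}   # wan_port -> (inside_ip, inside_port, remote_ip, remote_port)
        self.pinholes = {}   # wan_port -> (inside_ip, inside_port), opened by an ALG

    def _alloc(self):
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port, payload="", alg=None):
        """Translate an outgoing packet; returns (wan_port, payload as actually sent)."""
        wan_port = self._alloc()
        self.mappings[wan_port] = (src_ip, src_port, dst_ip, dst_port)
        if alg is not None:                      # the ALG gets to read and rewrite the payload
            payload = alg(self, src_ip, payload)
        return wan_port, payload

    def inbound(self, remote_ip, remote_port, wan_port):
        """Return the inside (ip, port) to forward to, or None if PAT drops it."""
        m = self.mappings.get(wan_port)
        if m and (remote_ip, remote_port) == (m[2], m[3]):
            return (m[0], m[1])                  # reply from the same remote ip:port
        return self.pinholes.get(wan_port)       # anything else needs an ALG pinhole

def sip_alg(router, inside_ip, payload):
    """Simplified SIP/SDP ALG: rewrite the advertised media port and pinhole it."""
    def fix_media(match):
        wan_port = router._alloc()
        router.pinholes[wan_port] = (inside_ip, int(match.group(1)))
        return f"m=audio {wan_port}"
    payload = payload.replace(f"c=IN IP4 {inside_ip}", f"c=IN IP4 {router.wan_ip}")
    return re.sub(r"m=audio (\d+)", fix_media, payload)

def demo():
    sdp = "c=IN IP4 192.168.1.10\r\nm=audio 10002\r\n"   # constructed sample payload
    plain, with_alg = PatRouter(), PatRouter()
    plain.outbound("192.168.1.10", 5060, "198.51.100.7", 5060, sdp)
    _, rewritten = with_alg.outbound("192.168.1.10", 5060, "198.51.100.7", 5060, sdp, alg=sip_alg)
    media_port = int(re.search(r"m=audio (\d+)", rewritten).group(1))
    return {
        "reply_same_port": plain.inbound("198.51.100.7", 5060, 40000),         # forwarded
        "reply_other_port": plain.inbound("198.51.100.7", 10004, 40000),       # dropped
        "media_without_alg": plain.inbound("198.51.100.7", 10004, 10002),      # dropped
        "media_with_alg": with_alg.inbound("198.51.100.7", 10004, media_port), # forwarded
        "rewritten_sdp": rewritten,
    }
```

The pinhole table is exactly the part a router's "NAT Passthrough" page never shows you: it is populated by parsing traffic, not by anything you typed in.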
In Security Now Episode 792, Steve Gibson explains:
The problem is that Application Layer Gateways attempt to be completely transparent to the application protocols they’re proxying for. They’re sitting there in our routers, enabled by default, hidden, powerful, and automatic.
So you say that YOU don't have any of these? Think again.
Here's what my router has:
Even deep in the bowels of a really good router, this is described only as "Enable NAT Passthrough to allow a Virtual Private Network (VPN) connection to pass through the router to the network clients."
Fooled you, didn't it?
Look at that list of applications that are allowed to "tweak" the router so that traffic arriving on different incoming ports is let through.
Back to Security Now Episode 792: Steve Gibson related that he had gone through and judiciously turned these to "Disable." But then his Verizon femtocell wouldn't work. It needed IPsec.
More in Part III.