Does UPnP add dynamic firewall rules, or just NAT? I’m only seeing it add NAT rules, but no filter rules.
No, only NAT rules
In 6.22 you can add a rule to your forward chain to accept packets which have been DSTNATed
In previous versions you could allow all forward traffic coming from your WAN interface destined for your LAN IPs, but then you’re relying in your ISP not routing anything RFC1918 accidentally/maliciously to you to keep your network secure, which should be fine most of the time but is a bad practice.