If you have a UPnP capable router, it does allow apps behind the firewall to switch on forwarding for ports they need. It's often even enabled by default: There was some exploit recently that used that mechanism.

See: http://en.wikipedia.org/wiki/Universal_Plug_and_Play#NAT_tra...