You are absolutely correct...NAT is NOT a firewall. But like I said...the firewall will filter traffic to the proxy...and has nothing to do with NAT.

Or for example...a Cisco ACL would look something like this:

router(config)#access-list 100 deny any any eq any

Which would be applied inbound on the outside interface.

And inbound on the inside interface you might have something like this:

router(config)#access-list 101 permit <proxy IP> any eq HTTP
router(config)#access-list 101 permit <proxy IP> any eq HTTPS
router(config)#access-list 101 permit <proxy IP> any eq FTP
router(config)#access-list 101 deny any any