The host OS firewall will only block access to ports on specific interfaces it knows about (en0, en1, etc.). It generally does not try to block access to VMware's network interfaces (vmnet0, vmnet1, etc.), which are how VMs communicate with the host and elsewhere.
Technically you could configure the host firewall to block those as well, but it's not tested and might not work.
It would probably be more efficient for the guest to access the host via its gateway address than the external address, because then it wouldn't have to go through NAT to get to the host.
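One way to see which host services accept connections arriving on the vmnet interfaces, as an added example that is not part of the original post. It parses constructed `ifconfig` and `lsof -nP -iTCP -sTCP:LISTEN` output; the addresses, process list and function names are assumptions made for illustration.

```python
import re

# Constructed sample of `ifconfig` output (addresses are made up).
IFCONFIG = """\
en0: flags=8863<UP,BROADCAST,RUNNING> mtu 1500
\tinet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
lo0: flags=8049<UP,LOOPBACK,RUNNING> mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
vmnet1: flags=8863<UP,BROADCAST,RUNNING> mtu 1500
\tinet 172.16.10.1 netmask 0xffffff00 broadcast 172.16.10.255
"""

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output.
LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root    7u  IPv4 0xabc1      0t0  TCP *:22 (LISTEN)
cupsd     310 root    5u  IPv4 0xabc2      0t0  TCP 127.0.0.1:631 (LISTEN)
httpd     512 root    4u  IPv4 0xabc3      0t0  TCP 192.168.1.20:8080 (LISTEN)
smbd      640 root    6u  IPv4 0xabc4      0t0  TCP 172.16.10.1:445 (LISTEN)
"""

def interface_addrs(ifconfig_text):
    """Map each interface name to its list of IPv4 addresses."""
    addrs, name = {}, None
    for line in ifconfig_text.splitlines():
        header = re.match(r"^(\S+?):\s+flags=", line)
        if header:
            name = header.group(1)
            addrs[name] = []
        elif name and (inet := re.match(r"^\s+inet\s+(\S+)", line)):
            addrs[name].append(inet.group(1))
    return addrs

def guest_reachable(ifconfig_text, lsof_text):
    """Return (command, bind address, port) for listeners bound to the
    wildcard address or directly to a vmnet address. Listeners bound to
    other addresses are not evaluated here."""
    vm_addrs = {a for n, al in interface_addrs(ifconfig_text).items()
                if n.startswith("vmnet") for a in al}
    hits = []
    for line in lsof_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 2 or fields[-1] != "(LISTEN)":
            continue
        host, port = fields[-2].rsplit(":", 1)   # NAME column, e.g. *:22
        if host == "*" or host in vm_addrs:
            hits.append((fields[0], host, int(port)))
    return hits
```

On a real host, pass the live output of the two commands instead of the constructed samples; anything returned is a service to bind to a specific address or protect at the application level if guests should not reach it.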