- Did you disable UPnP on your router? If not, any device behind the router can simply ask the router to open a port, typically without authentication, bypassing this "firewall" completely.

- TURN and STUN trivially bypass this side-effect, and a side effect of that is a third party has to often be involved, which can be collecting data later leaked or used against you.

- The monstrosity of NAT is that it's the core thing that drives centralization - because of NAT any two Internet hosts generally have to involve a third party to communicate, a third party which again, can be collecting data later leaked or used against you.

If you don't care about the security implications of the above, then you don't really care about the "firewall" either.

That third party involved is my ISP which will see the packets anyway, even if NAT is not used.

And the attacks you mentioned are initiated from the inside. Not what I stated, that NAT is a sort of a firewall for incoming connections.

> That third party involved is my ISP which will see the packets anyway, even if NAT is not used.

The ISP doesn't meaningfully see packets as long as encryption is used. It sees stuff that if analyzes can be used to make guesses, but that's about it. I probably should have used a better term than "third party" but I was meaning services that collect data on everyone like Facebook, Twitter, etc. These services actually receive meaningful, trackable, surveillable data about you and they would not have to receive as much if NAT wasn't a thing.

Inside attacks are important. If you don't care about those, saying you like NAT because of any security benefit doesn't make sense.

I've yet to see UPnP work...

I was surprised as well as it's something I turn off on devices I control and I haven't really assumed it was a thing. But recently at a friends house I decided to install upnpc on my Linux laptop and give this a try:

| upnpc -a 192.x.x.x 8080 80 tcp

And to my surprise it just worked. This friend just upgraded to fiber and had just received a new router.

IPv6 routers use a stateful firewall just like NAT includes. Just without the problems of NAT.

As a bonus, because most (nearly all?) SOHO IPv6 routers are Linux under the hood, they are also capable of IPv6 NAT.

I doubt that most consumer routers expose this functionality. IPv6 NAT is rarely needed and should be avoided. Interestingly enough I stumbled upon a use case today. No IPv6 connectivity at my office but at my dad's house. Since a WireGuard tunnel is layer 3 I can't use router advertisements and the prefix is dynamic, so private IPv6 addresses and NAT66 it is. It was an exercise out of curiosity though, route64.org works much better for IPv6 connectivity.

No, it does not. Always use a firewall if you need a firewall. NAT is not a replacement for it.

You just have outbound NAT enabled, so that your internal nodes can access the internet, no mapping to any internal nodes is set from the outside and no firewall. (just NAT alone) So all packets to your router's address will terminate at the router. Right?

OK, let's say I send a packet to your router's external interface with destination IP set to internal address of one of nodes in your network.

Will it reach your internal host? Will I get a response? ;-) I hope you now appreciate how NAT is not a firewall at all.

NAT has the side-effect of working as a shower curtain. It will mostly keep light drops of water out, but will not stand up to a fire.

Having one and a half firewalls doing overlapping work and making things more complicated is not what I call nice.