If configured correctly, sure, that's why I use one. I also realize that most random people don't have the technical savvy to configure one to be anything other than effectively a NAT gateway.
The fact that something else can also provide that security benefit in no way means that NAT doesn't provide some security benefit. It does.
Now you're moving the goalposts, though. Saying that the network shouldn't play a role in security is totally different than saying that it currently plays none.
I find it really hard to understand this obsession with pining for a world where security doesn't need to exist. It does, and it always will. Design around that, it's not hard.
> pining for a world where security doesn't need to exist
Nobody is doing that. We're "pining" for a world where our devices can have direct phone numbers instead of having to share a party line. Unfortunately, some people keep insisting that requiring households, businesses, or larger groups of people (i.e. CGNAT) to share a single phone number keeps everyone safer because it keeps most people from being able to receive incoming calls.
See my other post[1] for the technical reasons NAT doesn't actually provide security. TL;DR - this is a problem of definitions and a common misunderstanding about how NAT/routing works.
In the telephone analogy, I'm trying to say that your phone lines should have their own individual telephone numbers, because you might need them some day. Not having the ability to receive incoming calls will eventually limit you in important ways. "But incoming calls can be dangerous! Why are you trying to make us less secure?" We're not; we're increasing your options, which doesn't affect your security. Since incoming calls are dangerous, just disable your ringer or use a firewall that simply blocks all incoming calls.
> See my other post[1] for the technical reasons NAT doesn't actually provide security.
You're just as wrong now as you were then, see my up-thread post to correct your misunderstanding about security.
Edit: either direct addressing isn't possible with NAT, which provides security benefits, or it is possible, which means your complaint is misplaced. It cannot simultaneously prevent direct addressing and provide literally no security benefit.
Configuring a firewall correctly is much easier than configuring NAT correctly:
Block all incoming connections by default. Have your apps/OSes on firewalled machines prompt users to allow incoming connections, and use UPnP to talk to the firewall to open the port.
With NAT, you additionally have to deal with port renumbering (what if more than one host wants to run web servers, or ssh, or VNC, etc.). And because the ports are a shared resource between all hosts, you may not allow UPnP, so hosts can't fight over forwarding rules.
No, it would be straightforward for a worm to figure out what internal network addresses they were using, what routers they were behind, and send packets to those routers whose destinations were those internal network addresses (192.168.1.2 or whatever). NAT does nothing to stop that.
Most routers won't forward those packets. But that's got nothing to do with whether those routers are running NAT or not.
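The two mechanisms the thread contrasts can be modelled side by side. The following is an added example written for this page, not code from any commenter: a toy stateful default-deny firewall where each host has its own address and can ask for its own port to be opened (the UPnP-style flow described a few comments up), next to a toy NAT router whose single public address makes external ports a shared resource. Both drop WAN-ingress packets addressed to RFC 1918 space, which is the point about routers not forwarding such packets regardless of NAT. All addresses, ports and class names are constructed for the illustration (documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public addresses).

```python
"""Constructed model of 'default-deny stateful firewall' vs 'NAT port forwarding'.
Not real firewall code; it only tracks the decisions that matter for the argument."""
from dataclasses import dataclass
import ipaddress

# RFC 1918 ranges: these never belong on the WAN side as source or destination.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # "lan" (leaving the site) or "wan" (arriving from the Internet)


class StatefulFirewall:
    """Every host has a globally routable address. Inbound is denied unless it is a
    reply to something we sent, or a (host, port) pair a host explicitly opened."""

    def __init__(self):
        self.conntrack = set()  # (inner host, inner port, remote host, remote port)
        self.opened = set()     # (inner host, port) opened on request, e.g. via UPnP

    def open_port(self, host: str, port: int) -> None:
        # Two hosts may open the same port number: their addresses differ, so no collision.
        self.opened.add((host, port))

    def handle(self, pkt: Packet) -> str:
        if pkt.iface == "lan":
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward"
        if is_rfc1918(pkt.src) or is_rfc1918(pkt.dst):
            return "drop:bogon"           # unrelated to NAT; plain ingress filtering
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "forward:established"  # reply to an outbound connection
        if (pkt.dst, pkt.dport) in self.opened:
            return "forward:allowed"      # host asked for this port to be reachable
        return "drop:default"


class NatRouter:
    """One public address for the whole site; external port numbers are shared."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.forwards = {}  # external port -> (internal host, internal port)

    def forward_port(self, ext_port: int, host: str, int_port: int) -> None:
        existing = self.forwards.get(ext_port)
        if existing is not None and existing != (host, int_port):
            # This is the port-renumbering problem: a second host cannot also be
            # reachable on external port ext_port without picking a different number.
            raise ValueError(f"external port {ext_port} already forwarded to {existing}")
        self.forwards[ext_port] = (host, int_port)

    def handle(self, pkt: Packet) -> str:  # WAN ingress only
        if is_rfc1918(pkt.src) or is_rfc1918(pkt.dst):
            return "drop:bogon"           # same ingress filter as above, NAT not involved
        if pkt.dst != self.public_ip:
            return "drop:not-for-us"
        target = self.forwards.get(pkt.dport)
        if target is None:
            return "drop:no-mapping"      # 'no translation state' is the only NAT-specific drop
        return f"dnat:{target[0]}:{target[1]}"


def demo() -> dict:
    """Run both models over a few constructed packets and return the decisions."""
    fw = StatefulFirewall()
    fw.handle(Packet("203.0.113.10", 40000, "198.51.100.5", 443, "lan"))  # outbound HTTPS
    fw.open_port("203.0.113.10", 22)
    fw.open_port("203.0.113.11", 22)  # second host, same port number, no conflict
    results = {
        "fw_reply": fw.handle(Packet("198.51.100.5", 443, "203.0.113.10", 40000, "wan")),
        "fw_unsolicited": fw.handle(Packet("198.51.100.9", 1234, "203.0.113.11", 80, "wan")),
        "fw_ssh_host2": fw.handle(Packet("198.51.100.9", 1234, "203.0.113.11", 22, "wan")),
        "fw_private_dst": fw.handle(Packet("198.51.100.9", 1234, "192.168.1.2", 445, "wan")),
    }
    nat = NatRouter("198.51.100.77")
    nat.forward_port(22, "192.168.1.10", 22)
    try:
        nat.forward_port(22, "192.168.1.11", 22)
        results["nat_second_ssh_host"] = "allowed"
    except ValueError:
        results["nat_second_ssh_host"] = "collision"
    results["nat_unmapped"] = nat.handle(Packet("198.51.100.9", 1234, "198.51.100.77", 80, "wan"))
    results["nat_mapped"] = nat.handle(Packet("198.51.100.9", 1234, "198.51.100.77", 22, "wan"))
    results["nat_private_dst"] = nat.handle(Packet("198.51.100.9", 1234, "192.168.1.2", 445, "wan"))
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {decision}")
```

The two `fw_private_dst` / `nat_private_dst` results come from the same ingress-filter line in each class, which is the thread's point: the packet to 192.168.1.2 is dropped because of that filter, not because of address translation. The `nat_second_ssh_host` collision is the port-renumbering cost that the per-host `open_port` path does not have.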