Comment by Sophira

4 days ago

> if the firewall is misconfigured, then your NAT may not be working either.

But in that case, it's very obvious because your access to the WAN side of your router won't work from anywhere except the router itself.

I like this "fail-secure" nature of NAT. If your firewall fails on a network with globally-routable IPv6 addresses, it might not be so obvious as traffic might still flow through.

It provides no security by itself. There have been (and still are) countless vulnerable Internet-reachable NAT routers which can easily be exploited to provide access to the whole private network behind them. NAT by itself can't be relied on to provide any security – you need correctly configured firewalls for that. An ISP might provide a sensibly configured firewall with the home router, but they may also be operating an easily exploitable backdoor into your private network.

  • Practically speaking, even without any firewall, NAT provides some level of security. If I can't route to your network, I can't access it. Yes, theoretically someone may establish a route to an RFC-1918 address block across the Internet or within your ISP, but doing so without ISP cooperation is unlikely. To say it is "easily" exploitable is an over-exaggeration.