Comment by Latty
2 hours ago
Except in the real world everyone is also running UPnP, so NAT is also one misconfiguration away from exposing something publicly. In the real world your ISP might enable IPv6 one day and suddenly you do have a public address. Relying on NAT is a bad idea because it's less explicit. A firewall is saying you only want to allow these things through; of course nothing is perfect, you can mess up, but NAT is just less clear. The expectation is not "nothing behind NAT should ever be exposed", it's "we don't have enough addresses and need to share".
UPnP is not tied to NAT, where did you get this from? UPnP is used to request direct connections; a firewall can implement UPnP just as well as a NAT.
It's not "relying on NAT" to have it as a layer in the Swiss cheese. Relying on any one thing is a bad strategy.
>Except in the real world everyone is also running UPnP
Definitely not. I've been disabling that for years.
No, not everyone is running UPnP. Maybe on most home networks, but that’s not the audience that even knows or cares about NAT.