by AshamedCaptain 1610 days ago
No, it is not. NAT is not a firewall; its goal is to let traffic through, not prevent it. The fact that it sometimes happens to behave like a firewall is very dangerous since it leads people into a false sense of security.

I have early 2000s routers that would basically forward all UDP traffic from $IP to the last computer that had sent any traffic to $IP. This did wonders for most games, but you were in for a nasty surprise if you were relying on NAT to protect your fragile Win9x network...

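The heuristic described in the comment above, modelled as an added example (not code from the thread or from any router's firmware) beside a connection-tracking rule, to show where each one delivers an unsolicited inbound packet. All addresses, ports and class names are constructed for illustration.

```python
"""Toy model of the NAT behaviours the thread contrasts (added example, not
from the thread or any router firmware; all addresses and ports are constructed).
Ports are assumed to be preserved across the gateway to keep the model short."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class LastHostNat:
    """The early-2000s heuristic described above: every inbound UDP packet from
    $IP goes to whichever inside host most recently sent traffic to $IP."""
    def __init__(self):
        self.last_host = {}  # remote_ip -> inside_ip

    def outbound(self, pkt):
        self.last_host[pkt.dst_ip] = pkt.src_ip

    def inbound(self, pkt):
        return self.last_host.get(pkt.src_ip)  # None means dropped


class ConntrackGateway:
    """A real stateful rule: inbound is delivered only as the exact reverse of
    a flow an inside host opened (remote ip, remote port, inside port)."""
    def __init__(self):
        self.flows = {}  # (remote_ip, remote_port, inside_port) -> inside_ip

    def outbound(self, pkt):
        self.flows[(pkt.dst_ip, pkt.dst_port, pkt.src_port)] = pkt.src_ip

    def inbound(self, pkt):
        return self.flows.get((pkt.src_ip, pkt.src_port, pkt.dst_port))


def exposure(gateway, console="192.168.1.20", pc="192.168.1.30",
             public="198.51.100.7", server="203.0.113.10"):
    """Which inside host, if any, receives each inbound packet after the console
    joins a match and a PC on the same LAN later talks to the same server IP."""
    gateway.outbound(Pkt(console, 50000, server, 3074))            # console joins
    reply = gateway.inbound(Pkt(server, 3074, public, 50000))      # genuine reply
    probe = gateway.inbound(Pkt(server, 40000, public, 8080))      # same IP, other port
    stranger = gateway.inbound(Pkt("192.0.2.99", 40000, public, 8080))
    gateway.outbound(Pkt(pc, 51000, server, 443))                  # PC talks to same IP
    late_reply = gateway.inbound(Pkt(server, 3074, public, 50000)) # console's reply now
    return {"reply": reply, "probe": probe, "stranger": stranger,
            "late_reply": late_reply}
```

With the permissive heuristic the probe on port 8080 reaches the console and the console's own game reply is later misdelivered to the PC; the connection-tracking rule delivers only the genuine reply in both cases.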

If you follow Nintendo's steps, what happens is that anybody will hit your Switch directly if they connect to any port on your public IP. If some services on the Switch are running and listening on the Switch's public interface, they will answer. If one of those services has a security vulnerability, you are in trouble. You just don't want to expose your entertainment devices to the whole world like this.

This setup could make some sense for a DMZ but not for a gaming console connected to your local LAN.

This is exactly why I say that NAT gives a false sense of security.

The point is that even without manual port forwarding your Switch is _already_ exposed to the public internet. You can't assume that NAT is going to forever hide your device from the public internet because the role of NAT is to pass traffic, not prevent it. The example I mentioned is to show that NAT's heuristics may end up exposing your device anyway, manual port forwarding or not. So if you really run a device with vulnerable services, you either add a real firewall or disable NAT.

If the Switch had any vulnerable ports, they were exposed already long ago. Not to mention: IPv6 networks, public Wi-Fi hotspots, etc.

OK, I get what you meant.

But still, I'm pretty sure we can all agree that Nintendo is giving terrible advice for the sake of simplicity.

Security is an onion, built in layers.

Should NAT be the only layer? No. But it absolutely can be a layer, just like obfuscation can be a layer.

For example, changing the SSH port from 22 to something else is not "security" per se, but it can prevent drive-bys and general non-targeted events.