[throw0101a]

> That's a non sequitur. I can have a both a firewall and a NAT. The two layers are better than one because at least my address is shouldn't be routable even if I failed to configure my firewall correctly.

You talk about NAT like it's a single thing: it is not. There are at least three major varieties of NAT:

* https://blog.ipspace.net/2011/12/is-nat-security-feature/

See also various 'cones' that add complexity to getting things to work (and for which kludges like ICE/TURN/etc had to be invented):

* https://en.wikipedia.org/wiki/Network_address_translation#Me...

See also RFC 4787 which distinguishes between NAT mapping and NAT filtering. Also, also see perhaps "NAT Traversal Mess":

* https://blog.ipspace.net/2025/04/response-nat-traversal/