
And to my parents that will mean nothing


But they still unknowingly suffer from the harm it did to network effects and ability to deploy new types of internet apps.


Even without NAT I don't necessarily want any old program to be immediately reachable from the outside, so I still want a default-deny inbound firewall, and as long as it happens under your control, there's not much of a difference between having to configure my router's NAT and having to configure its firewall (in the case of my home router it's literally the same settings page). I.e. no big deal for me, and still a bit of a struggle for non-techies (but with sufficient motivation some will still manage it).

(And if you want something like UPnP to let programs automatically punch holes themselves anyway, again it doesn't matter much whether we're talking about NAT or "just" a plain firewall.)

The true evilness of NAT only really comes in when it's done by some third party outside of your control (CGNAT and friends), but I think that compared to home routers doing NAT the latter is a slightly more recent phenomenon that only got widespread traction when the IPv4 shortage became more acute.


Are you referring to port forwarding? This can work around only a small part of the stuff NAT breaks, and even for those it covers it's a major barrier to application adoption. A new application relying on network effects needs to work for the vast majority of users to be able to take off. If you prevent 30-50% of users from adopting it, it's not going to take off, for example in gaming or communications / sharing apps.

For example, port forwarding doesn't help evolution of new internet protocols. It prevents replacing TCP with SCTP due to this, or deployment of end-to-end IP level encryption (like IPSEC attempted). Or a myriad of other decentralized or security enhancing inventions that depended on the end-to-end nature of the internet architecture that have now never gotten off the drawing board because they are not NAT-compatible.

(And of course the majority of users behind NAT are in fact behind third party controlled NATs)


Well yes, NAT might pose some additional constraints, but my main line of argument is that even in an alternative timeline where we never had the IPv4 address shortage and therefore no pressure to develop NAT, because every device can be assigned its own address just as is possible now with IPv6, we might still have ended up with default-deny-inbound firewalls for home networks anyway, because it might have turned out that letting random programs run world-accessible servers on random computers without any special user authorisation isn't such a good idea.

IPv6 doesn't require NAT, but my bog standard home router still firewalls it, and I need to manually allow inbound connections (or give up and just use UPnP).


Yes. Default-deny-inbound firewalls are much better than NAT because they are meant to provide security, can be managed (the "default"), and don't prevent deployment of new protocols. Also we might have a standard way to manage the firewall policy in this alternative future (UPnP was done outside the IETF, and is a tire fire, because IETF rejected NAT).

But also the whole posture of a home network and consumer OS might have been different without NAT; maybe the host based firewall would have won out, who knows. In the alternative universes we can't assume other things remain the same.


I do not want my home computer to be exposed to the Internet. I do not want your fancy new Internet apps, the existing ones with explicit user-initiated connectivity are more than enough for 99% of people.

And even if you somehow have a non-NAT, non-CGNAT, no-ISP-filtering home connection, do you have full Internet access if the server behind NowhereNews.com refuses all your connections because you’re in Europe?


You probably know this but NAT is not the same thing as a firewall. You can have one without the other or both. Just because your machine is addressable doesn’t mean it is accessible. You can have machines on your home LAN that have public IP addresses but are not publicly accessible. NAT exists because historically ISPs didn’t give out blocks of public IP addresses, and now that they are running out of them, they are expensive. It’s not really a security measure.
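As an added illustration of the distinction drawn in this comment (this is not code from any poster in the thread), the toy model below puts a routed network behind a default-deny stateful firewall next to a NAT with a port forward. It shows that a publicly addressed host is still not accessible until a rule allows it, that the firewall passes the real client address through while the NAT rewrites it, and that a second internal host cannot share an already-forwarded external port. All addresses (from the 2001:db8::/32, 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) and ports are constructed sample values, and the classes are simplifications, not a real packet filter.

```python
"""Toy NAT vs. default-deny firewall model (added example, not from the thread)."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    """Default-deny inbound: only replies to outbound flows or explicitly
    allowed (dst, port) pairs get through. Addresses are never rewritten."""
    allow_inbound: set = field(default_factory=set)   # {(dst_ip, dst_port)}
    _state: set = field(default_factory=set)          # expected reply 4-tuples

    def outbound(self, pkt: Packet) -> Packet:
        # Remember the reply we expect so it can come back in.
        self._state.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return pkt  # forwarded unchanged: the server sees the real client address

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self._state:
            return pkt
        if (pkt.dst, pkt.dport) in self.allow_inbound:
            return pkt
        return None  # addressable, but not accessible


@dataclass
class Nat:
    """Port-overloading NAT with static port forwards. Unsolicited inbound
    traffic is dropped only as a side effect: there is no mapping for it."""
    public_ip: str
    forwards: dict = field(default_factory=dict)   # {ext_port: (priv_ip, priv_port)}
    _next_port: int = 40000
    _out: dict = field(default_factory=dict)       # {(priv_ip, priv_port): pub_port}
    _in: dict = field(default_factory=dict)        # {pub_port: (priv_ip, priv_port)}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport)
        if key not in self._out:
            self._out[key] = self._next_port
            self._in[self._next_port] = key
            self._next_port += 1
        # Source is rewritten: the remote side only ever sees the public IP.
        return Packet(self.public_ip, self._out[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst != self.public_ip:
            return None
        target = self._in.get(pkt.dport) or self.forwards.get(pkt.dport)
        if target is None:
            return None  # no dynamic mapping and no forward: dropped
        return Packet(pkt.src, pkt.sport, target[0], target[1])


def demo() -> dict:
    """Run both models over the same scenarios and collect the outcomes."""
    r = {}
    # Routed IPv6 behind a firewall: two hosts may both accept on 443 if allowed.
    fw = StatefulFirewall(allow_inbound={("2001:db8::10", 443), ("2001:db8::11", 443)})
    r["fw_unsolicited"] = fw.inbound(Packet("2001:db8:f::1", 5000, "2001:db8::12", 22))
    r["fw_host_a"] = fw.inbound(Packet("2001:db8:f::1", 5000, "2001:db8::10", 443))
    r["fw_host_b"] = fw.inbound(Packet("2001:db8:f::1", 5001, "2001:db8::11", 443))
    out = fw.outbound(Packet("2001:db8::12", 6000, "2001:db8:f::2", 80))
    r["fw_seen_src"] = out.src
    r["fw_reply"] = fw.inbound(Packet("2001:db8:f::2", 80, "2001:db8::12", 6000))

    # IPv4 behind NAT with one port forward for 443 to a single internal host.
    nat = Nat("203.0.113.7", forwards={443: ("192.168.1.10", 443)})
    r["nat_unsolicited"] = nat.inbound(Packet("198.51.100.1", 5000, "203.0.113.7", 22))
    r["nat_forward"] = nat.inbound(Packet("198.51.100.1", 5000, "203.0.113.7", 443))
    # Only one internal host can own external port 443; 192.168.1.11 cannot also serve on it.
    r["nat_second_host_on_443"] = nat.forwards.get(443)
    out = nat.outbound(Packet("192.168.1.11", 6000, "198.51.100.2", 80))
    r["nat_seen_src"] = out.src
    r["nat_reply"] = nat.inbound(Packet("198.51.100.2", 80, "203.0.113.7", out.sport))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The unsolicited packet is dropped in both models, which is why NAT feels like a firewall; the difference shows in the other rows: the firewall admits inbound to whichever hosts policy allows and preserves the client address end to end, while the NAT can forward one external port to one host and always substitutes its own address.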


Yeah, I know, but NAT’s side effect of preventing all sorts of remote access is quite convenient, I don’t have to trust the cheap router or cheap internet of shit device to do the right thing firewall-wise.


This is a non sequitur. Your home computer being "exposed to the internet" is orthogonal. And of course this is now enough for 99% of people because said new apps are prevented from coming into existence.



