New modem, now can't get rid of yellow light

You didn’t respond to Wiz’s questions about port-forwarding.

If you did manage to forward a port, and failed to set a static IP address between your computer(s) and your router, this would cause intermittent connections – because sometimes, by chance, you happen to get the correct address (where the port is open) assigned to you, and sometimes you get a different address. Green light sometimes, yellow light most times. The address you get is leased, you lose it when the lease expires, or you disconnect, or the router resets. Then you get another lease. It might be the same address, it might not.

The thing is that the rule which you quote and on which you base your whole argument: “don’t lose network traffic” seems to me rather arbitrary.

I’ve been studying networking for more than a year now in the Cisco Networking Academy and the only reason why I’m mentioning this fact is to reinforce that I’ve never heard of it or seen it mentioned anywhere, neither when I was going through the basics of networking nor later in the more advanced courses. And believe me I’ve read a lot of “thumb rules” so far.

In fact you’d be amazed how many techniques are being used on a daily basis by network admins to do just that: discard unwanted traffic in order to save network bandwidth and prevent congestion. Mind you, I didn’t say illegitimate traffic, just unwanted.

Just a couple of random examples which come to mind now are: “black hole routing”, QoS, CIR in Frame Relay, etc.

There can’t be **legitimate** incoming traffic into a private LAN that a network administrator is NOT aware of, to begin with. There shouldn’t be any of that, and no network admin will agree with you on the contrary.

OTOH any legitimate traffic will already have mappings configured.

As I said above, NAT was found to be possible to get around by hackers, therefore it’s not regarded as a sufficient security measure in itself; that’s why you need a firewall on the router. For solid protection.

The fact that incoming packets are dropped is not an “intended security” feature of NAT, just a collateral effect of the way it works. There is a lot of documentation on the Internet which supports what I say but just take a look at this document (see the Security and Administration section) for a clear sample.

I’ve configured from scratch several times, in the labs, enterprise routers with all types of NAT: static, dynamic and overload/PAT/NAPT (the flavor which is found on SOHO routers) and neither dynamic nor overload allows by default incoming connections without having static mappings or port triggering commands in place, in addition to the NAT configuration commands. Only static NAT does that, for reasons which I trust are obvious.

Neither have I encountered a SOHO router which behaves as you say, and I remember banging my head pretty heavily on this exact issue in the days when I was just as “green” as the next noob at understanding how this works. Even though I disabled the firewall on the router I never got incoming connections to actually reach my PC until I learned to create port mappings. And that on several occasions and models.

We can keep philosophizing for as long as you wish about this.

I’m sure each party would summon up new arguments to support its position.

But you can simply do a test and see for yourself how the device really behaves; that’s worth a thousand words.

I don’t entirely refute the idea that there might be some device model out there which may do what you say, but again: it would be an oddball, not the garden-variety NAT router even on the SOHO market.

Please, do not think that I got into this argument just for the sake of it.

It was just that I got the feeling we (the mods) were sending mixed messages towards users on this topic on several occasions. So I just meant to highlight this particularity of how NAT works by default.
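
An added illustration, not part of the original thread: a toy Python model of the overload NAT (PAT/NAPT) behavior described in the posts above, showing why an unsolicited inbound packet has no destination until a static mapping exists, and why a forward stops reaching the PC after its DHCP lease changes. The class and function names are hypothetical, all addresses and ports are constructed, and the strict match on the remote endpoint for replies is an assumption (real routers vary).

```python
# Toy model of overload NAT (PAT/NAPT); all addresses and ports are constructed.
from itertools import count

class Napt:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self._ports = count(40000)  # next public port for dynamic entries
        self.out = {}      # (proto, priv_ip, priv_port) -> public port
        self.dynamic = {}  # (proto, pub_port) -> (priv_ip, priv_port, remote)
        self.static = {}   # (proto, pub_port) -> (priv_ip, priv_port)

    def forward_port(self, proto, pub_port, priv_ip, priv_port):
        """Static mapping, i.e. what a SOHO router calls port forwarding."""
        self.static[(proto, pub_port)] = (priv_ip, priv_port)

    def outbound(self, proto, priv_ip, priv_port, remote):
        """LAN host opens a connection: create or reuse a dynamic translation."""
        key = (proto, priv_ip, priv_port)
        if key not in self.out:
            self.out[key] = next(self._ports)
        pub_port = self.out[key]
        self.dynamic[(proto, pub_port)] = (priv_ip, priv_port, remote)
        return (self.public_ip, pub_port)

    def inbound(self, proto, pub_port, remote):
        """Return the LAN destination for a WAN packet, or None if it is dropped."""
        if (proto, pub_port) in self.static:
            return self.static[(proto, pub_port)]
        entry = self.dynamic.get((proto, pub_port))
        if entry and entry[2] == remote:  # reply to an existing flow (assumed strict match)
            return entry[:2]
        return None  # no translation entry, so there is nowhere to send it

def demo():
    nat = Napt("203.0.113.10")
    server, stranger = ("198.51.100.7", 443), ("198.51.100.99", 40123)
    _, port = nat.outbound("tcp", "192.168.1.20", 51000, server)
    res = {"reply": nat.inbound("tcp", port, server),
           "unsolicited": nat.inbound("tcp", 6881, stranger)}
    nat.forward_port("tcp", 6881, "192.168.1.20", 6881)
    res["forwarded"] = nat.inbound("tcp", 6881, stranger)
    # After a new DHCP lease the PC is 192.168.1.21, but the forward still names .20.
    res["reaches_pc_after_new_lease"] = res["forwarded"][0] == "192.168.1.21"
    return res

if __name__ == "__main__":
    print(demo())
```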