That is what I was saying.
O.K. Well, maybe we should better stop as I think we both understand what it's all about. In my argument I separated between NAT, routers and firewalls. NAT does not keep traffic inside the network; it is the router running. Any router does. Even a normal switch should do that nowadays as it only forwards the traffic to the intended ports. A firewall, or better a packet filter, in your up-link does the filtering if you want to be sure. NAT deals with a completely different aspect.
Anyway, I agree with you that in general a NAT device is extremely helpful for the fully ignorant user.
My problem with your arguments is that you never properly define what you mean with. NAT, router, firewall, packet-filters are different concepts. You seem to imply a certain set of functionality that you see in devices you use. NAT does not have anything to do with packet filters. But I suppose most available Linksys, Netgear, etc. consumer network routers do have packet filters and NAT.
Again, it is not silly. You consider someone who is ignorant and won't get anything right. If you use a proper firewall and set it up properly it does the full job and more, and is 100% reliable and secure instead of maybe even 99% secure. You find this setup in many companies and universities and it works perfectly fine.
I challenge you: none of these compromises would have been avoided with NAT. If the compromise was related to a misconfiguration in the firewall then this would have happened as well on a NAT router. If the company wanted to make a service available and opened an incoming port, they would have done it on a NAT router, too. Their compromise is never caused by their computer having a public or private IP address. The traffic was intended to come in, with firewall or NAT router. Unintended traffic won't come in with a firewall. It can - maybe only under statistical circumstances - come in with a NAT router.
I can show you firewall logs with exactly the same contents. Where is the difference? (BTW, my Linksys does not log it...)
Yes, they use private address schemes for places that they want completely separated from the rest of the network. Traffic of these networks won't leave the network. That's impossible then. If you need connectivity outside you use fully filtering proxies for specific purposes.
If you put in your NAT device you open the door to the outside. The reason why most companies use private addresses is because public addresses are expensive. They buy the number of addresses they need and not a complete class A network to give all their devices an IP address.
Either way, all computers in your network have IP addresses and can communicate with the outside and in-coming communication is only allowed where you configure it.
Maybe we are talking about different things. But to me it seems as if you are comparing a private network behind a NAT router with a directly connected network without router/firewall in between. I never did this comparison.
All public servers of all companies are generally in public IP space. They are, however, behind a firewall that is configured only to let traffic for these servers in.
Put in a firewall. For the time being, use the built-in software firewall.
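As an added illustration of the distinction drawn in the post above (not part of the poster's text): an nftables ruleset in which address translation and packet filtering are configured in separate tables, so the NAT rules alone would forward anything the router sees, and it is the filter chain's default drop that keeps unintended inbound traffic out. Interface names (lan0, wan0) and the 192.168.1.10 web server are assumed for the example.

```nft
# Filtering: this is what actually decides which traffic may cross the router.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the inside opened are allowed back in.
        ct state established,related accept

        # Inside hosts may reach the outside freely.
        iifname "lan0" oifname "wan0" accept

        # The one intended inbound service: HTTP to the internal web server.
        # DNAT below has already rewritten the destination by the time this
        # chain runs, so we match the private address here.
        iifname "wan0" oifname "lan0" ip daddr 192.168.1.10 tcp dport 80 ct state new accept

        # Everything else from wan0 falls through to the policy and is dropped.
    }
}

# Address translation: only rewrites addresses, never decides what is allowed.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Port forward for the published service.
        iifname "wan0" tcp dport 80 dnat to 192.168.1.10
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Hide the private addresses behind the router's public one.
        oifname "wan0" masquerade
    }
}
```

Removing the whole `table ip nat` block leaves the security posture unchanged (only connectivity breaks), while removing `table inet filter` leaves the router translating and forwarding whatever arrives, which is the point the post is making about NAT not being a firewall.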