Re: "Let's use a firewall"
"The issue with a firewall is it requires network skills to be properly configured. NAT implies a simple "all inbound connections denied" default rule"
I think the issue is, that you have only ever used domestic / SOHO routers that appear to have merged the NAT and firewall functionality together, blinding you to the fact that they are 2 separate functions. You are blindly trusting the manufacturers of these devices to have made this choice for you and that it works in the manner you believe. Here's the eye opener for you, you are wrong. Many of the SOHO / domestic routers look like they work how you believe, but in reality they have fudged the interface to give you that impression. Have a dig down in the advanced settings, there you will see that the default settings are not configured as you believe (sometimes you have to enter the CLI), and that you have to do do some tinkering to make your network as secure as you think it is now.
TLDR: SOHO / domestic router manufacturers have lulled you into a false sense of security by hiding technical stuff.
Biting the hand that feeds IT
