Is it safe or dangerous to have an open NAT?
Why or why not
An open NAT means that there are one or more paths through the router to allow unsolicited incoming connections from the Internet to reach devices on the private network. These paths can either be defined for individual ports or groups of ports for various devices using port forwarding, or they can be for all ports on one device using DMZ. For such a connection to do anything, there has to be something in the device(s) that is listening to any of these ports and which will respond to an incoming connection attempt.
For forwarded ports, normally the device(s) to which the ports are forwarded will have specific server processes running that validate any requests coming in and action them appropriately. This is the case for games servers that you might be running for use by others over the Internet. Providing the server process does not respond inappropriately to an incoming request there is no danger. However, if a server process is infected with certain types of malware, or is specifically crafted to allow an attack, it might allow access to other parts of the computer.
A DMZ is more dangerous in that all ports on the target machine are accessible from the Internet. This could allow a hacker to exploit potential weaknesses in any software (including the operating system) that uses those ports.
The danger with either port forwarding or DMZ is that potentially it could allow an attack to reach that computer and from there open attacks to other computers on the private network.
For port forwarding with clean server software from a trusted software house, the risks are negligible. However, pirated software may already be infected with back door mechanisms that can be exploited.
The other factor is UPnP (Universal Plug and Play) port forwarding. If the router is UPnP enabled, then any malware that gets on to the computer could potentially open up a port from the Internet to allow an attack to reach the computer. If you do not need UPnP in the router, turn it off.
I hope this helps.
Yes, because it allows access multiple computers over one IP address. Anyone who can connect to your NAT can have your IP address.
In a word: Yes.
Think of it this way… do you leave the front door of your house open? Most people close it unless they need to use it!