I don't believe that many networking people believe "Firewalls are evil." Now, *stupid*
firewalls are evil: I'm tired of running into routers that blindly drop ECN or TCP windows
because they are mangling packets for "security."
NAT *is* evil and should die. It's a hack. The security you like about "NAT" is the
anonymity and rejecting unrequested incoming packets. The semi-random anonymous IPv6 IPs that
Microsoft and others have adopted provide the same anonymity benefits, and the "security"
provided by NAT is nothing more than stateful firewalling. NAT did force home
gateway/firewall vendors to provide stateful firewalling because many-to-one NAT cannot be done
without it, but in NAT itself there's no security.
Using "NAT" for security is also a misuse of terms. NAT does include many to one, but it also
includes one to many, many to many, and even IP to IP, port to port translation so that
192.168.1.1:25 connects to 192.168.2.1:25 without blocking any packets at all. There's no
security in such a mapping even though it is NAT all the way.
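The comment's point can be made concrete with a small packet model. The following is an added example, not the commenter's code: a stateful firewall with no translation, a many-to-one (masquerading) NAT, and a static one-to-one mapping, each fed a constructed unsolicited probe. The addresses, ports and class names are assumptions chosen for the illustration; the many-to-one NAT drops the probe only because its state table has no entry for it, which is exactly the check the plain stateful firewall performs, while the one-to-one map translates and forwards everything.

```python
from collections import namedtuple
# The 4-tuple a connection-tracking entry keys on (constructed model, not a real stack).
Packet = namedtuple("Packet", "src sport dst dport")

class StatefulFirewall:
    """No translation: only replies to flows first seen outbound get in."""
    def __init__(self):
        self.flows = set()
    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return p
    def inbound(self, p):
        return p if (p.dst, p.dport, p.src, p.sport) in self.flows else None

class ManyToOneNat:
    """Masquerade: needs a per-flow table just to route replies back, so an
    inbound packet with no matching entry has nowhere to go and is dropped."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port, self.table = public_ip, 40000, {}
    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        port = next((k for k, v in self.table.items() if v == key), None)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = key
        return p._replace(src=self.public_ip, sport=port)
    def inbound(self, p):
        k = self.table.get(p.dport)
        if k is None or (k[2], k[3]) != (p.src, p.sport):
            return None   # the same drop the firewall does, for the same reason
        return p._replace(dst=k[0], dport=k[1])

class OneToOneNat:
    """Static IP:port -> IP:port map (192.168.1.1:25 -> 192.168.2.1:25):
    rewrites the destination and forwards everything, solicited or not."""
    def __init__(self, listen, target):
        self.listen, self.target = listen, target
    def inbound(self, p):
        if (p.dst, p.dport) == self.listen:
            return p._replace(dst=self.target[0], dport=self.target[1])
        return p

def unsolicited_inbound_delivered():
    """Constructed probe from an outside host with no prior outbound flow."""
    probe = lambda dst, dport: Packet("203.0.113.9", 5555, dst, dport)
    fw, nat = StatefulFirewall(), ManyToOneNat("198.51.100.1")
    one = OneToOneNat(("192.168.1.1", 25), ("192.168.2.1", 25))
    return {"stateful_firewall": fw.inbound(probe("10.0.0.5", 25)) is not None,
            "many_to_one_nat": nat.inbound(probe("198.51.100.1", 40000)) is not None,
            "one_to_one_nat": one.inbound(probe("192.168.1.1", 25)) is not None}
```

Running `unsolicited_inbound_delivered()` reports the probe blocked by both the firewall and the masquerading NAT, and passed by the one-to-one map; sending an outbound flow first makes both the firewall and the masquerade accept the matching reply.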