Re: NAT and firewalling and stuff
OK, since you spoke so politely.
1. For NAT to perform two-way communications, it can do one of two things:
(a) the inside computer can initiate a connection to the outside. The NAT records this and maintains the relationship for as long as the connection is open. Once it closes, the relationship is removed. Now, this usually only works for stateful TCP-based connections (UDP doesn't work this way so requires something cleverer to deal with it) and only if the connection is initiated from the inside. Now, it works most of the time because most connections on the Internet are TCP-based and from the inside.
(b) A skilled user can tell the NAT to forward certain classes of incoming connections (like specific ports) to specific machines. This is the usual means for a home user to expose a server or similar thing (like a P2P unit) to the outside. Otherwise, the server has to rely on outside help, making a bridging connection to some point on the outside.
2. Going back to 1(a), since HTTP, POP3, etc. are all TCP-based (stateful) and initiated from the inside, NAT can maintain these connections.
3. Gamers have one of two options. They can either open ports (solution 2) or use solution 1 to establish a bridge connection to a point outside. Your friends link up there and the system then passes the connections along.
One of the arguments for using NAT is that it's a different kind of firewall operation: furthermore, it's one that (by design) has to block incoming connections by default, providing a line against automated attacks (targeted attacks can get around this by exploiting already-opened connections the way web exploits work). The counterargument is that in IPv6, this is little more or less than another firewall, and you can achieve the same function with a second (or better) firewall.
Furthermore, it's not NAT in general that's being frowned upon: it's one-to-many NAT they don't want (because the spirit of the Internet is that any connected device should be reachable by any other device if it wishes to). Especially at the ISP/carrier level, this makes many endpoints invisible by force. They have no problem at all with one-to-one NAT, and indeed many techniques brought forth to mask a subnet's map rely on things that are essentially one-to-one NAT. It's like with the UNIX philosophy: one fundamental assumption is that policing should be a program's (or in this case, device's) own responsibility. Trouble is, reality intrudes and you find misbehaving UNIX programs and badly-configured endpoint devices, so the NAT proponents at least have a point. What some are wondering, though, is if the "automatic" shielding can't be achieved simply by offering a firewall with something like a "drop incoming by default, allow outgoing by default" ruleset.
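The behaviour described in 1(a), 1(b) and the closing "drop incoming by default, allow outgoing by default" point, as an added worked example (this is not code from the post above, just a toy model written to illustrate it). It simulates a one-to-many NAT with a connection table: an inside-initiated flow gets a public port and its replies are passed back, an unsolicited inbound packet with no table entry and no forwarding rule is dropped, a TCP FIN/RST tears the entry down, and a UDP entry, which has no close handshake, is aged out by an idle timer (the "something cleverer" UDP needs). All addresses, ports and packets are constructed; the public address 203.0.113.1 is from the RFC 5737 documentation range. The matching rule (reply must come from the same remote address and port) is the strict "symmetric" variant; real boxes vary here.

```python
"""Toy one-to-many NAT / stateful firewall model. Added example, not from the original post."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"   # assumed WAN address of the NAT box (constructed)

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # TCP flags as letters: S, A, F, R (ignored for UDP)
    t: int = 0              # constructed timestamp in seconds, used for UDP ageing

Flow = Tuple[str, str, int, str, int]   # proto, inside ip, inside port, remote ip, remote port

class Nat:
    def __init__(self, port_forwards=None, udp_timeout: int = 30):
        # 1(b): operator-configured static rules, (proto, public port) -> (inside ip, inside port)
        self.port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = dict(port_forwards or {})
        # 1(a): dynamic state created only by traffic that starts on the inside
        self.by_public: Dict[Tuple[str, int], Flow] = {}
        self.by_flow: Dict[Flow, int] = {}
        self.last_seen: Dict[Flow, int] = {}
        self.udp_timeout = udp_timeout
        self.next_port = 40000          # first public port handed out (assumption)

    def outbound(self, p: Packet) -> Packet:
        """Inside -> outside: create or refresh state, rewrite source to the public address."""
        flow: Flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        pub = self.by_flow.get(flow)
        if pub is None:
            pub, self.next_port = self.next_port, self.next_port + 1
            self.by_flow[flow] = pub
            self.by_public[(p.proto, pub)] = flow
        self.last_seen[flow] = p.t
        out = replace(p, src=PUBLIC_IP, sport=pub)
        self._maybe_close(flow, p)
        return out

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Outside -> inside: pass only if state or a forward rule exists, else drop (None)."""
        self.expire(p.t)
        flow = self.by_public.get((p.proto, p.dport))
        if flow is not None and flow[3] == p.src and flow[4] == p.sport:
            self.last_seen[flow] = p.t
            inside = replace(p, dst=flow[1], dport=flow[2])
            self._maybe_close(flow, p)
            return inside
        static = self.port_forwards.get((p.proto, p.dport))
        if static is not None:
            return replace(p, dst=static[0], dport=static[1])
        return None   # default deny: nothing inside asked for this

    def _maybe_close(self, flow: Flow, p: Packet) -> None:
        # Simplification: drop the entry on the first FIN or RST seen in either direction.
        # Real connection tracking waits for both FINs and then a short timeout.
        if p.proto == "tcp" and ("F" in p.flags or "R" in p.flags):
            self._remove(flow)

    def _remove(self, flow: Flow) -> None:
        pub = self.by_flow.pop(flow, None)
        if pub is not None:
            self.by_public.pop((flow[0], pub), None)
        self.last_seen.pop(flow, None)

    def expire(self, now: int) -> None:
        """UDP has no close, so idle entries are aged out by timer."""
        for flow, seen in list(self.last_seen.items()):
            if flow[0] == "udp" and now - seen > self.udp_timeout:
                self._remove(flow)

def demo() -> Dict[str, bool]:
    """Walk through the scenarios in the post; each key records whether the expected thing happened."""
    nat = Nat(port_forwards={("tcp", 8080): ("192.168.1.20", 80)})   # constructed inside web server
    r: Dict[str, bool] = {}
    # Unsolicited scan of the public address: no state, no rule -> dropped.
    r["probe_dropped"] = nat.inbound(Packet("tcp", "198.51.100.9", 4444, PUBLIC_IP, 22, "S")) is None
    # Inside host opens a TCP connection; the NAT records it and rewrites the source.
    syn = nat.outbound(Packet("tcp", "192.168.1.10", 51000, "198.51.100.80", 80, "S"))
    r["translated"] = (syn.src, syn.sport) == (PUBLIC_IP, 40000)
    # The server's reply matches the recorded flow and is passed back to the inside host.
    back = nat.inbound(Packet("tcp", "198.51.100.80", 80, PUBLIC_IP, 40000, "SA"))
    r["reply_forwarded"] = back is not None and (back.dst, back.dport) == ("192.168.1.10", 51000)
    # Someone else aiming at the same public port does not match the recorded remote endpoint.
    r["other_host_dropped"] = nat.inbound(Packet("tcp", "198.51.100.99", 80, PUBLIC_IP, 40000, "SA")) is None
    # FIN from the inside tears the entry down; afterwards the server can no longer reach in.
    nat.outbound(Packet("tcp", "192.168.1.10", 51000, "198.51.100.80", 80, "FA"))
    r["closed_dropped"] = nat.inbound(Packet("tcp", "198.51.100.80", 80, PUBLIC_IP, 40000, "A")) is None
    # Port forward (1(b)): an unsolicited connection to 8080 is handed to the inside server.
    fwd = nat.inbound(Packet("tcp", "198.51.100.9", 4444, PUBLIC_IP, 8080, "S"))
    r["port_forward"] = fwd is not None and (fwd.dst, fwd.dport) == ("192.168.1.20", 80)
    # UDP: a DNS query opens state, the reply is passed, and the entry ages out after the idle timer.
    nat.outbound(Packet("udp", "192.168.1.10", 5000, "198.51.100.53", 53, t=100))
    r["udp_reply"] = nat.inbound(Packet("udp", "198.51.100.53", 53, PUBLIC_IP, 40001, t=110)) is not None
    r["udp_expired"] = nat.inbound(Packet("udp", "198.51.100.53", 53, PUBLIC_IP, 40001, t=200)) is None
    return r

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Note that a stateful firewall with "drop incoming by default, allow outgoing by default" makes exactly the same pass/drop decisions as `inbound()` above, minus the address rewriting; the translation is incidental to the protection, which is the point the last paragraph of the post is getting at.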