> But anybody clearly understands that if your internal hosts do not have
> a public address then all attacks may be only static - wait until
> an internal host opens TCP to somewhere.

This is a naive understanding.  Source-routing would let me get
packets through to an internal address unless your NAT also acts as a
firewall.

(Granted, I think it turns out that pretty much all NATs do this kind
of firewalling in all cases.  But there's no reason why a firewall
allowing only outgoing connections should be any more error-prone than
a NAT gateway.)
