I do know that it will prevent unsolicited traffic from the wan port into the lan section as long as the connection was not already open from the lan side.
This is not entirely correct, and is his entire point. Someone who is directly connected to the WAN of your router COULD access a port on the inside by manually supplying a route to your private network.
The security value of NAT is that WAN hosts do not generally have a way of routing traffic to your internal private subnet. However, if an attacker had control of every router between them and you, they could manually set up a route into your network.
In that sense he is correct: NAT doesnt provide any guarantees, because hypothetically a hacker could first hack your ISP, and set up static routes to your internal NATted network, and then directly access your internal network remotely.
The reason I continue to say it IS security is because NO security measures are absolute, and security is about layering to reduce risk. Taking the set of attackers from "Everyone on the internet" to some subset of that is an increase in security.
To demonstrate how this all works, lets use the following:
Your private network:
Computer: 192.168.50.5 (listening on port 80)
Router: 192.168.50.1
WAN:
Your router: 1.1.1.1
Your ISP's router: 1.1.1.2
My ISP's router: 9.9.9.2
My router: 9.9.9.1
If I wanted to access your computer, and you had no active connections, I would be unable to: your router would not automatically map any connections to 192.168.50.5, so any connections to 1.1.1.1 / port 80 would just get discarded with your router saying "WTF am I supposed to do with this?". However, if a packet arrived at your router addressed to 192.168.50.5 directly, your router would happily pass that packet on through.
The security here comes from the fact that if my router addresses a packet to 192.168.50.5, it will not know where to send it and will drop it. If I added a manual route to my router saying "packets to 192.168.50.5 go to 9.9.9.2", it will route it to my ISP's router-- who wont know where to send it, and will drop it (I believe it will send a "no route to host" ICMP message). Similarly, traceroute 192.168.50.5 will give "no route to host".
In order for me to break into your network, I would need to take control of both ISP routers (9.9.9.2 and 1.1.1.2), and add a manual route indicating how to route those packets (or modify the OSPF or BGP configuration to distribute those routes). The spec around private addressing in general is where the real security comes from, as it indicates that proper behavior is to not route packets addressed to a private RFC1918 address on the internet.
NAT isnt broken; it isnt designed as a security function, but as a way of stretching addresses. Its ability to hide network details is somewhat of a side effect of that, and that provides the security function-- but its much simpler to just set up a stateful firewall than to set up NAT if all you care about is security.
* RFC1918-- in case this term isnt clear, it refers to non-routable subnets which are not tracked by the public internet addressing authority (IANA). These subnets are what most consumer routers come preconfigured with:
+ 10.0.0.0 - 10.255.255.255 (10/8 prefix)
+ 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
+ 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)