All modern routers used in home networks do NAT by default. There are several unroutable IP ranges that they can use, although most will have IP addresses in the 192.168.*.* range for the local network.
All routers for home networks also have a built-in and inward-facing web server for configuration and status information, which you generally approach by typing “http://192.168.0.1/” or something similar into your web browser’s address bar ─ some use https instead of http.
ufw is a firewall. It blocks ports and/or IP ranges. NAT does not block ports or IP ranges ─ although most routers do have a built-in firewall that you can activate via the web interface.
NAT takes traffic from any machine on your internal network that is intended for the internet, and then makes it appear to whatever server you’re connecting as if the traffic originates from the router’s public IP address. It then receives the reply and forwards it to the local machine that initiated the connection.
At no point will the external server on the internet know which local machine made the request, nor what subnet it is on, and even if it did, it wouldn’t be able to reach that machine, given that the subnet is unroutable. By this I mean that the IP address range used on your local network is not unique, just as the IP address 127.0.0.1 will always point at the computer itself, on every computer, regardless of what operating system it uses.
Basically yes (at least for IPv4).
Your local network addresses are not publicly/internet routable.
Your router gets a public IP address from your ISP (which is routable) and translates the internal addresses to the external one so that the packets originating from your local devices can be routed through to the destination (a website, for example).
With IPv6 it is different though, each of your home network devices usually gets a publicly routable address and NAT is not required.
NAT can work as a “light firewall” in the sense that it is not going to accept random connections from the external network to the internal network. A connection must be started from the internal network for an answer from the exterior to be accepted. This is a side effect of how NAT works.
But NAT is not a firewall solution. A firewall usually does more than that and actively monitors connections regardless of where they were initiated. Also, a firewall usually has more parameters on which connections to accept or deny.
Only if you’re on WiFi. You have to let go of your Windows habits and beliefs.
GNU/Linux is an entirely different type of operating system, and it does not have the same vulnerabilities that Microsoft Windows has, nor does it “phone home”. In a UNIX-family operating system, all ports are closed by default unless you’ve got something listening on them.
And even then still, the NAT layer will prevent incoming connections to any of the local machines unless the local machine was the initiator of the connection.
So, say that someone from the internet were to try and ssh into your GNU/Linux box ─ provided that you’ve got sshd running ─ then they would be trying to initiate a connection on port 22 of your router, but that does not mean that the router would automatically forward that request to your GNU/Linux machine, unless you yourself have set up port forwarding on the router for that particular port and that particular machine. The router would instead just consider it an attempt to connect to its own port 22 and would silently drop that request.
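The “light firewall” behaviour described two replies up and the ssh scenario just above both come down to the router’s translation table. The following is an added example, not code from any poster in this thread: a toy model of that table in Python, with constructed addresses from the documentation ranges (203.0.113.x, 198.51.100.x) and an optional port-forward dict standing in for the owner’s router configuration.

```python
# Added example (not from the thread): a toy NAT translation table showing why
# replies to LAN-initiated connections are forwarded while unsolicited inbound
# connections are dropped. All addresses and ports are constructed sample values.
from dataclasses import dataclass
import itertools

PUBLIC_IP = "203.0.113.7"  # the router's WAN address (documentation range)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    def __init__(self, port_forwards=None):
        self.table = {}    # public_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.reverse = {}  # (lan_ip, lan_port, remote_ip, remote_port) -> public_port
        # static forwards the owner configured: public_port -> (lan_ip, lan_port)
        self.port_forwards = port_forwards or {}
        self._ports = itertools.count(40000)

    def outbound(self, pkt):
        """LAN -> internet: rewrite the source to the router's public address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.reverse:
            pub_port = next(self._ports)
            self.reverse[key] = pub_port
            self.table[pub_port] = key
        return Packet(PUBLIC_IP, self.reverse[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """internet -> router: forward only if a mapping or a forward exists."""
        if pkt.dst_port in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        entry = self.table.get(pkt.dst_port)
        if entry is None or (pkt.src_ip, pkt.src_port) != entry[2:]:
            return None  # no matching mapping: silently dropped
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])

def demo():
    nat = NatRouter()
    # LAN host opens a web connection; the reply is let in, a stranger's ssh is not
    out = nat.outbound(Packet("192.168.0.10", 51234, "198.51.100.20", 443))
    reply = nat.inbound(Packet("198.51.100.20", 443, PUBLIC_IP, out.src_port))
    ssh_attempt = nat.inbound(Packet("198.51.100.99", 55555, PUBLIC_IP, 22))
    return out, reply, ssh_attempt
```

Passing `port_forwards={22: ("192.168.0.10", 22)}` to `NatRouter` reproduces the one case the reply above describes where the request does reach the LAN machine.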
Only if I’m on WiFi whose router is not in my home? If there is a router in my home for which I own the password and to which I can connect via WiFi (and via a LAN cable), that doesn’t count as risky business?
Actually all ports are “open” by default unless you use some sort of firewall. But yeah, it does not matter if you don’t have any programs listening on some port on your network adapter.
I would actually almost always recommend having some firewall solution installed and enabled (blocking all incoming traffic by default) on the end device as well. At least that will give some additional protection, for example in cases where some other device (smartphone, IoT device, other PC) in your network is compromised.