I know we have left a lot of readers of this thread in the dust on the subject of port forwarding, so here is some background I hope you can grok:
When two computers talk, one has to go first. We say that one has an outbound connection and the other has an inbound connection. Outbound is less sensitive than inbound to security issues because it's relatively harder to do bad things to the sender than it is the receiver. That's because a lot of the attacks depend on sending things the receiver doesn't expect (such as a huge message when the receiver is expecting a small one), and in order to receive, you have to allow packets (the unit of transfer on the Internet) to enter your network from anyone, at least until you figure out who they are. The sender controls what it sends, so it's less likely to leak sensitive data. Note, however, that it's only relatively more secure, and the differences are getting smaller all the time. For example, nearly all interactions involve a request and a response. The request is outbound, but the response is inbound, so the advantages of sending quickly disappear if the server has to send you a response, and you have to receive it.
Sending a packet is accomplished by the network, and it starts with the "IP Address". IP=Internet Protocol. The IP address, however, is the address of a specific computer, and the network endeavors to deliver a packet to that computer. But, there are almost always multiple programs, or at least multiple components of a program running on any one computer and the network mechanisms need to be able to keep more than one interaction going to a specific computer. To do so, there is a thing called a "port", which is a number from 0-65534 (2^16-1). The COMBINATION of an IP Address and a port is a specific connection between two pieces of software, one one either side of the network. The packet has, in a header in the beginning of the packet, the IP address and port of both the sender and the recipient. The Internet "routes" the packet to the right computer based on the IP address of the recipient in the packet. Once the computer gets a packet, it knows which program, or which part of a program, gets the packet based on the port number.
But, you say, my home network has more than one computer and I know I only have one IP address for my home. True. IP Addresses used to all be 32 bits long, meaning we could handle 2^32 different computers, and if you look that up, it's a pretty big number. Turns out, it's not big enough. One reason is, there are a heck of a lot of computers, especially when we count things like an APEX controller as a computer. Another reason is that the allocation of IP Addresses isn't optimal and we waste some of the addresses. There are two solutions to that. One is to make IP addresses bigger, and we're doing that. It turns out that there are versions of Internet Protocol, and the one with 32 bits of address is version 4 (IPv4). There is an IPv6 (don't ask what happened to version 5), and IPv6 uses 128 bit addresses, and that actually is enough to give every device a unique address, at least for the foreseeable future. More and more systems are switching to IPv6. For example, newer cell phones use it. But lots of home devices are still stuck on IPv4.
So, there is a piece of cleverness (or stupidity, depends on your point of view) called a "Network Address Translator" or NAT. It takes advantage of that port number thingy. If every connection on the Internet has both an address and a port, then as long as every connection to your home network uses a different port, they can use the same address, at least from outside your home network. So, what happens is that all the computers and devices inside your home network are assigned an IP address that is only used inside your home network, and in fact lots of computers on different home networks have the same IP address. Then your Internet Service Provider (your telco or cable company for example) assigns you ONE real IP address (IPv4 address that is) and the NAT translates from a port and an an IP address inside your home network to the single unique IPv4 address assigned your home network by your ISP and a unique port number (unique from all other connections to your home network). That translation happens on every packet going into or out of your home network. Network Address Translator, get it?
So, to make it more secure, that NAT thing won't allow a connection to start if the first packet is from outside the network. It looks at packets starting from inside the network and if it doesn't recognize the address and port of the destination (and the destination is outside the home network), it considers that the start of a new connection. It picks a new, unique port, and assigns that to the new connection and rewrites the header of the packet so the sender part of the header contains the single IP address assigned by the ISP to your home network, and the unique port number. If a packet arrives from outside the network, the NAT looks to see if the destination is one of the ports it assigned to a connection, and if the source address is the right source address for that connection. If it matches, then the NAT accepts the packet, rewrites the recipient part of the header to have the internal address of the computer inside the home network and the port that computer assigned for this connection. We say that the NAT constructs a "pinhole firewall opening" that only allows packets from a specific computer outside the network, from a specific port, to a specific computer inside the network to a specific port. And, it will not create a new connection if the first packet for that new connection comes from outside the network.
Sometimes, someone decides that this restriction just won't do. Many routers have a way to bypass the restriction, but in a way that doesn't just allow any computer outside the network to contact any computer inside the network. Instead, the router can be configured to allow a connection to start from the outside of the network if, and only if, it's directed to a specific, pre-defined port. If the router receives a packet directed to it, that targets that port, not part of an existing connection, it will forward it to a specific, configured computer, to that specific, configured port and create a new connection for the NAT based on that packet. Port Forwarding, get it?
But in order to use that setup, you have to know lots of stuff, like what the addresses of the computer that gets the port forwarding, and what the port is. Every router has a different user interface to set port forwarding up. And, so, we generally think it's a bad idea to use port forwarding.
The thing is that how NATs work is known widely, and it's pretty trivial to forge addresses of the sender of a packet, so there are lots of known ways to get around the supposed security of these mechanisms. They are not worthless, but they aren't really very good. So saying you don't need port forwarding is mostly a "you don't need to figure out how to configure port forwarding", rather than actually getting you significantly better security.
The way (really, the only way we know now) to get real security is to:
1. Know, for sure, who you are talking to (authentication)
2. Encrypt all data (privacy)
3. Make sure that no 'man in the middle' has modified or substituted any of the packets sent or received (integrity protection).
Transport Layer Security (TLS), formerly known as "Secure Sockets Protocol" (SSL) does all that. It's secure if implemented correctly. All the firewall stuff is bandaids and wishful thinking, with a very small amount of security substance. It's not clear any firewalls provide real security any more.
Hope this was helpful.