by rnhmjoj 1754 days ago
I haven't mentioned the ISP level networking anywhere. The router provided by an ISP with native IPv6 to you (or any consumer router you can buy, for that matter) is using the exact same firewall with the same rules: they just don't do NAT because it's not needed anymore.

By this I mean that new WAN to LAN connections are blocked by default, LAN to WAN connections are allowed by default, ICMP is allowed etc. The only difference is that in IPv4 to "open a port" you have to:

1. map a LAN port/address to a WAN port using a DNAT destination rule

2. write a firewall rule to allow WAN traffic through that port

while in IPv6 you just do 2. Same result, same level of security, just fewer steps. These two steps are usually bundled into one operation in your familiar home router web UI, and this is why many confuse NAT with a firewall/some kind of security feature.
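
The two steps from the comment above, written out as an nftables ruleset. This is an added example, not part of the original comment or any router's actual firmware; the interface names, the addresses (RFC 1918 and the 2001:db8::/32 documentation prefix) and the port are constructed assumptions.

```nftables
# Constructed example: interface names, addresses and port are assumptions.
define WAN = "eth0"
define LAN = "br-lan"

# One stateful filter for both address families (inet = IPv4 + IPv6).
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were already allowed
        ct state established,related accept
        ct state invalid drop

        # LAN to WAN connections are allowed by default
        iifname $LAN oifname $WAN accept

        # ICMP and ICMPv6 are allowed
        meta l4proto { icmp, ipv6-icmp } accept

        # IPv4 "open port", step 2: allow the WAN traffic through.
        # The destination was already rewritten by the DNAT rule below,
        # because prerouting runs before the forward hook.
        iifname $WAN ip daddr 192.168.1.10 tcp dport 443 accept

        # IPv6 "open port": step 2 is the only step. The host's global
        # address is reachable as-is once the filter allows it.
        iifname $WAN ip6 daddr 2001:db8:1::10 tcp dport 443 accept

        # Any other new WAN to LAN connection falls through to policy drop,
        # for IPv4 and IPv6 alike.
    }
}

# NAT exists only for IPv4 and makes no accept/drop decision.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # IPv4 "open port", step 1: map the WAN port to a LAN address/port
        iifname $WAN tcp dport 443 dnat to 192.168.1.10:443
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Deleting the `ip nat` table leaves the drop policy in the forward chain untouched, which is where unsolicited inbound traffic is actually blocked.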