by throw0101c 1247 days ago
> I was shocked to see that as soon as your ISP switched to IPV6, your host is now directly addressed. As a by product of skipping NAT you are now relying on every machine having proper firewall settings.

When my ISP started handing out IPv6 addresses, my Asus RT-AC68U by default blocked incoming IPv6 connections unless they were replies to previous outgoing connections.

That is to say: stateful firewalls exist in the IPv6 world just like they do in the IPv4 world.

Just because your laptop or desktop gets a globally routable address does not mean that anyone can hit it.

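The "replies only" behaviour described above, written out as an nftables ruleset (this is an added illustration, not the Asus firmware's configuration or anything posted in the thread; the interface names and the choice of nftables are assumptions). The point it shows is that one `inet`-family chain applies the same connection-tracking rule to IPv4 and IPv6 alike, so a globally routable IPv6 host behind it is no more reachable from the outside than a NATed IPv4 host was:

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: minimal stateful forward chain for a home
# router. Interface names below are assumptions for illustration.
define wan = "eth0"   # assumption: ISP-facing interface
define lan = "br0"    # assumption: LAN-side bridge

flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Packets belonging to a connection a LAN host already opened are let
        # back in; this single rule covers both IPv4 and IPv6 (inet family).
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may originate anything towards the Internet.
        iifname $lan oifname $wan accept

        # Caveat specific to IPv6: the error/PMTU messages must still get through,
        # otherwise large transfers stall. Echo-request is optional; drop it if
        # you do not want LAN hosts to be pingable.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Any other unsolicited packet from the WAN, v4 or v6, falls through to
        # the chain's drop policy.
    }
}
```

Loading this with `nft -f` on a Linux router gives the behaviour the comment reports seeing by default: a LAN machine with a public IPv6 address receives only traffic it asked for, without NAT being involved at all.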

Thanks for sharing that, good data point for drop incoming.

I had a Nighthawk, I ended up setting up the IPv6 rules.

The TLDR on the debate so far is whether routers shipped over the last 20 years have both drop-IPv4 and drop-IPv6 incoming rules.

In my opinion, NAT was an added layer on top of firewall rules because inbound ports had to be mapped to a particular host and port, since the router would not know which host to send to. This created a default opt-out experience, because for a port on your machine to get accessed, a packet must pass inbound rules and match a port map table entry.

> In my opinion, NAT was an added layer on top of firewall rules because […]

… there were not enough IPv4 addresses to go around, and so you only got one, and if you had more than one system at home, too bad… until NAT got invented.

Back in the dial-up days, you had only one system connected to the Internet—the one that was connected to the modem—and it got the IP address directly. It was only later with the always-on nature of cable and DSL ISPs that sharing a connection became a thing. IIRC, you used to connect your computer directly to the {cable, DSL} modem without an intervening router, sometimes using USB, as computers having built-in (Ethernet or Wi-Fi) networking wasn't really a thing:

* https://support.dlink.ca/ProductInfo.aspx?m=DSL-2320B