Hacker News
by axytol 1019 days ago
Not OP and certainly not in the anti-IPv6 camp.

I'm wondering though: could you build a case that under IPv4, a misconfigured NAT would only result in lost connectivity for nodes behind the router, while for IPv6 a misconfigured firewall, or worse, a misconfiguration triggered through a vulnerability, would result in protected nodes being exposed?

I know NAT-PMP (port mapping) vulnerabilities exist, allowing external actors to set port mappings to hosts behind NAT, but this seems a bit harder to exploit than a bypassed firewall.

1 comment

I don't think that's true in general because each of these end-user routers has its own sharp edges. IPv4 consumer routers have a DMZ option which would, for at least one device, be the same as taking down your stateful firewall. Also, thankfully, in all of the examples I've seen in the wild, the stateful firewall was just on by default, much as NAT is on by default. In both cases you are taking steps to compromise your own security that most people won't bother to take.

Finally, the risk to an individual machine 'loose on the internet' is lower than it's ever been because Windows has for years enabled a firewall by default on its own, and macOS doesn't expose any open ports by default either. That does leave printers, IoT devices, and the like, but now we're really pretty far into the weeds of lots of non-default customization combined with individual CVEs in non-computing hardware.

If my firewall failed, the packet wouldn't reach my 192.168.0.1 DMZ server, as it would likely never be translated from my real 12.34.56.78 IP address (the translation being part of that stateful firewall).

Sure, there are exceptions, but you are massively reducing your risk by not having your toaster have a public address by default and by having something actively translate it to a public address.
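A toy model of the two forwarding paths the thread is comparing, added here as an illustration and not code posted by anyone in this thread. It simulates a consumer router with a stateful firewall and, on the IPv4 side, NAT, then runs an unsolicited inbound probe and a legitimate reply to a LAN-initiated connection through it under "firewall on", "firewall off" and "DMZ set" configurations. The addresses (192.168.0.10, 203.0.113.5, 2001:db8::10 and the remote hosts), the packet fields and the router structure are assumptions chosen for the example; real conntrack timeouts, NAT-PMP/UPnP mappings and hairpinning are deliberately left out.

```python
"""Toy model of a consumer router: IPv4 NAT + stateful firewall versus IPv6
global addressing + stateful firewall, under common misconfigurations.

Added example, not from the thread. Addresses are hypothetical (RFC 5737 /
RFC 3849 documentation ranges and RFC 1918 private space); the packet model is
deliberately minimal (one protocol, no TCP flags, no timeouts).
"""
from dataclasses import dataclass, field
from typing import Optional

LAN_V4 = "192.168.0.10"        # internal host, private: not routable from the internet
WAN_V4 = "203.0.113.5"         # router's public IPv4 address
LAN_V6 = "2001:db8::10"        # internal host's *global* IPv6 address
REMOTE_V4 = "198.51.100.7"     # some internet host (hypothetical)
REMOTE_V6 = "2001:db8:ffff::7"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Router:
    firewall_on: bool = True
    dmz_host: Optional[str] = None   # IPv4 only: static mapping of all unsolicited WAN traffic to one host
    # stateful firewall: flows the LAN initiated, keyed (remote, remote_port, local_port_as_seen_outside)
    conntrack: set = field(default_factory=set)
    # IPv4 NAT table: WAN port -> (internal ip, internal port); only outbound traffic populates it
    nat: dict = field(default_factory=dict)
    next_wan_port: int = 50000

    # ---- IPv4 path --------------------------------------------------------
    def out_v4(self, pkt: Packet) -> Packet:
        """LAN -> internet: allocate a WAN port, rewrite the source, remember the flow."""
        wan_port = self.next_wan_port
        self.next_wan_port += 1
        self.nat[wan_port] = (pkt.src, pkt.sport)
        self.conntrack.add((pkt.dst, pkt.dport, wan_port))
        return Packet(WAN_V4, pkt.dst, wan_port, pkt.dport)

    def in_v4(self, pkt: Packet) -> Optional[str]:
        """Internet -> LAN. Returns the internal host that receives the packet, or None if dropped."""
        if pkt.dst != WAN_V4:
            return None                      # private LAN addresses are not reachable from outside
        if self.dmz_host and pkt.dport not in self.nat:
            return self.dmz_host             # DMZ: a standing mapping that bypasses both checks
        if pkt.dport not in self.nat:
            return None                      # no translation => nowhere to deliver, firewall or not
        if self.firewall_on and (pkt.src, pkt.sport, pkt.dport) not in self.conntrack:
            return None                      # mapping exists but this flow was not LAN-initiated
        return self.nat[pkt.dport][0]

    # ---- IPv6 path --------------------------------------------------------
    def out_v6(self, pkt: Packet) -> Packet:
        """LAN -> internet: no translation, just record the flow for the firewall."""
        self.conntrack.add((pkt.dst, pkt.dport, pkt.sport))
        return pkt

    def in_v6(self, pkt: Packet) -> Optional[str]:
        """Internet -> LAN: the destination is globally routable; only the firewall stands in the way."""
        if self.firewall_on and (pkt.src, pkt.sport, pkt.dport) not in self.conntrack:
            return None
        return pkt.dst                       # firewall off => delivered straight to the host


def probe(router: Router, family: str) -> Optional[str]:
    """Unsolicited inbound connection attempt, e.g. a scanner hitting port 22."""
    if family == "v4":
        return router.in_v4(Packet(REMOTE_V4, WAN_V4, 12345, 22))
    return router.in_v6(Packet(REMOTE_V6, LAN_V6, 12345, 22))


def reply(router: Router, family: str) -> Optional[str]:
    """LAN host opens a connection outward; the remote's reply comes back in."""
    if family == "v4":
        out = router.out_v4(Packet(LAN_V4, REMOTE_V4, 40000, 443))
        return router.in_v4(Packet(REMOTE_V4, WAN_V4, 443, out.sport))
    out = router.out_v6(Packet(LAN_V6, REMOTE_V6, 40000, 443))
    return router.in_v6(Packet(REMOTE_V6, LAN_V6, 443, out.sport))


def scenarios() -> dict:
    """(who receives an unsolicited probe, who receives a legitimate reply) per configuration."""
    return {
        "v4 firewall on":  (probe(Router(), "v4"), reply(Router(), "v4")),
        "v4 firewall OFF": (probe(Router(firewall_on=False), "v4"), reply(Router(firewall_on=False), "v4")),
        "v4 DMZ":          (probe(Router(dmz_host=LAN_V4), "v4"), None),
        "v6 firewall on":  (probe(Router(), "v6"), reply(Router(), "v6")),
        "v6 firewall OFF": (probe(Router(firewall_on=False), "v6"), reply(Router(firewall_on=False), "v6")),
    }


if __name__ == "__main__":
    for name, (probed, replied) in scenarios().items():
        print(f"{name:16} probe -> {probed}   reply -> {replied}")
```

Running it shows the asymmetry the thread is arguing about: with the firewall switched off, the IPv4 probe still goes nowhere because no NAT mapping exists for it, while the IPv6 probe lands on the LAN host. The DMZ row shows the flip side raised above: a static mapping to one host exposes that host regardless of the firewall. Real routers blur this model in ways the thread already mentions (NAT-PMP or UPnP can create mappings from the LAN side), so treat the simulation as a sketch of the argument, not of any particular product.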