[Dagger2]

Yup, repeatedly.

It's true that almost everything comes with a firewall rule that blocks new connections from the WAN to the LAN, so in practice these connections will be blocked on most things by default. But they come with this rule precisely because NAT doesn't do the job.

[mittensc]

> Yup, repeatedly

Cool, me too :)

Anyway, the other side of the argument:

It is the default and default is secure. Users don't have to reason about it, they can assume it works, how doesn't matter and they may lack training/willingness to figure out.

You can't say the same for IPv6 where default is allow (have things changed?, havent checked in a long time)

[Dagger2]

Of course you can say the same for v6. Blocking connections that go from WAN to LAN by default has the same effect on both protocol families. If you assume that having the appropriate firewall rule to do that is the default then inbound connections will also be blocked on v6 by default.

NAT contributes nothing to your security in this scenario, and instead makes it harder (not easier) to understand and reason about what your router is doing.

[mittensc]

> If you assume that having the appropriate firewall rule to do that is the default

That's the thing, it's not the default, default is public ipv6 for everyone and its the users duty to configure firewall...

I could definitely set this up easily, someone like my parents or friends would ask me 'what's IPv6?'

[Dagger2]

Ah, okay. In that case v4 doesn't have a firewall by default either.

That's precisely why routers come configured with a firewall that blocks inbound connections from the WAN -- because the protocol itself doesn't have a firewall by default, and neither does NAT.