Timewarp Technologies Blog v2

Leveraging search engines to keep my notes

Aug 23, 2024 - 2 minute read

NAT Is Good for You

On my old blog, I had a post with the same title. The basic premise was simply this: consumer-grade NAT acts as an “accidental” firewall, with your router only allowing traffic back to your PC in the cases where you initiated an outbound connection or you explicitly opened a port up to be statically available (port forwarding). The net result was not as good as a full-fledged firewall with content inspection and other features, but to be honest, it prevented many people from having drive-by scanners exploit insecure operating systems and applications.

We are now (20 years later) seeing real adoption of IPv6. Your phone is IPv6 out of the box and most consumer-grade carriers are now making both IPv4 and IPv6 connections on your behalf. In general, the claim has been that IPv6 is “too big to scan”, but if your IP address is found, the default firewall in our OS becomes the primary line of defense. The good news is that outbound connections used for webserving are via temporary addresses that don’t accept inbound traffic, but it seems odd that we have lost an “any port not explicitly opened or used” rule in favor of a “well, it would be hard to find you” scenario.

This doesn’t mean I don’t recommend IPv6 as the default (there are too many benefits when it comes to avoiding port exhaustion and other issues), but it does mean that any failure of the OS firewall becomes a much greater concern for me.
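
To see what the OS firewall is actually protecting once NAT no longer sits in front of the host, the sketch below classifies listening sockets by IPv6 scope. It is an added example, not part of the original post; the sample input is constructed in the layout of `ss -H -tuln`, and the function names are illustrative.

```python
import ipaddress

# Constructed sample in the layout of `ss -H -tuln` output; not from a real host.
# 2001:db8::/32 is the documentation prefix, standing in for a global address.
SAMPLE_SS = """\
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 4096 [::1]:631 [::]:*
udp UNCONN 0 0 [fe80::1]%eth0:546 [::]:*
tcp LISTEN 0 128 [fd12:3456:789a::5]:445 [::]:*
tcp LISTEN 0 511 [2001:db8::10]:8080 [::]:*
"""

ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses, not internet-routed


def ipv6_scope(host):
    """Classify a listener's local address; None means IPv4-only (behind NAT)."""
    if host == "*":                       # dual-stack wildcard as printed by ss
        return "wildcard"
    addr = ipaddress.ip_address(host.split("%")[0].strip("[]"))
    if addr.version == 4:
        return None
    if addr.is_unspecified:               # [::] = every IPv6 address on the host
        return "wildcard"
    if addr.is_loopback or addr.is_link_local:
        return "local"                    # never routed beyond the host or link
    if addr in ULA:
        return "unique-local"
    return "global"


def exposed_listeners(ss_text):
    """Return (proto, port, scope) for sockets reachable on a global IPv6 address."""
    found = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        host, _, port = fields[4].rpartition(":")
        scope = ipv6_scope(host)
        if scope in ("wildcard", "global"):
            found.append((fields[0], int(port), scope))
    return found


if __name__ == "__main__":
    print(exposed_listeners(SAMPLE_SS))
```

Every entry it returns is a port that only the host firewall filters on IPv6; piping real `ss -H -tuln` output into `exposed_listeners` gives the same view for a live machine.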