
Some responses below. On Mon, 19 Feb 2024 10:01:06 -0800 William Herrin <bill@herrin.us> wrote:
> > I've never once seen a device that has v6 support and didn't have a stateful v6 firewall on by default (if v6 was "on").
>
> Acknowledged.
>
> So when the user wants to run a home server, their IPv4 options are to create a TCP or UDP port forward for a single service port or perhaps create a generic port forward for every port to a single internal machine. Protocols other than TCP and UDP not supported.

OK, but I'm not sure what you are getting at by saying this is TCP and UDP exclusive... I don't know why it would be; what's the example you think is typically being denied?

> They might also have the option of a "bridge" mode in which only one internal host is usable and the IPv4 functions of the device are disabled. The bridge mode is the only "off" setting for the IPv4 firewall.
>
> Correct?
>
> Their IPv6 options *might* include these but also include the option to turn the IPv6 firewall off. At which point IPv4 is still firewalled but IPv6 is not and allows all L4 protocols, not just TCP and UDP.
>
> Also correct?
This isn't how I would characterize any of this, to be honest. I think what you are trying to say is that a v6 firewall can be "off" while IPv6 connectivity remains unhindered, but turning "off" an IPv4 firewall means no hosts behind NAT will continue to have connectivity. The assumption being that a guardrail for someone being really self-destructive is removed. OK. So someone really wanted connectivity and really wanted to disable security. Maybe. I still believe that the statement "IPv6 is typically delivered to 'most people' without border security" to be demonstrably false.

-- 
TimH
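To make the comparison in this exchange concrete, here is an added nftables ruleset (not from the thread or from any vendor firmware) showing what a "stateful v6 firewall on by default" amounts to, and what the IPv6 counterpart of an IPv4 single-host port forward looks like. The interface names wan0/lan0 and the documentation prefix 2001:db8:1::/64 are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added illustration, not from the thread: a minimal stateful IPv6 forward
# policy for a home router. Interface names (wan0/lan0) and the documentation
# prefix 2001:db8:1::/64 are assumptions.

flush ruleset

table inet home_border {
    # The one inside host we deliberately expose, the v6 counterpart of an
    # IPv4 port forward: address . port pairs, no address translation involved
    set exposed_tcp {
        type ipv6_addr . inet_service
        elements = { 2001:db8:1::10 . 22, 2001:db8:1::10 . 443 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful core: replies to sessions the inside opened are let back in,
        # unsolicited inbound is not. NAT gives IPv4 this as a side effect.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may initiate anything outbound
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 the network needs end to end (PMTUD, error reporting);
        # dropping it wholesale breaks IPv6 in ways v4 tolerates
        iifname "wan0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Inbound to the exposed host on the listed TCP ports only
        iifname "wan0" oifname "lan0" ip6 daddr . tcp dport @exposed_tcp accept

        # A non-TCP/UDP protocol to a single host is just another rule here
        # (ESP to a VPN endpoint), which the v4 port-forward model cannot express
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::10 meta l4proto esp accept

        # The "firewall off" setting discussed above is, in these terms, this
        # chain with "policy accept" and no rules; nothing else stands in for NAT
    }
}
```

Load it with `nft -f <file>` and inspect with `nft list ruleset`. The point worth checking on any CPE before trusting its IPv6 defaults is the forward chain's policy and the presence of the established,related rule; the ICMPv6 allowances are the caveat people porting IPv4 habits most often get wrong, since a v6 border that drops packet-too-big silently breaks large transfers.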