Networking – Is the Windows Firewall mode “Private” obsolete with IPv6 for home users


Home users are generally expected to set the Windows Firewall to the Private profile when they are connected to their home network. The most common setup is being connected to the ISP provided router.

If the ISP provides IPv6 connectivity the connected computer will have a globally routable IPv6 address. This means that all its ports and applications are directly exposed to the internet. With IPv4 there's usually NAT in between which acts as a firewall.

The security of this depends on what applications are running and what ports are open. In typical configurations there might be a few things accessible. At the very least there will be the Windows file sharing and the RPC communication ports. These functionalities have been affected by security issues in the past.

Some routers (including mine) have an "IPv6 firewall" which simply drops all inbound IPv6 traffic. But if I actually want to open at least one inbound port for some application (such as Remote Desktop) then I have no choice but to expose everything to everyone.

Does this not mean that an IPv6-enabled computer must pick the Public profile because anyone (not just trusted devices) can connect?

Best Answer

No. Neither the Windows firewall nor a competent router's firewall is "all or nothing".

Home users are generally expected to set the Windows Firewall to the Private profile when they are connected to their home network

The "Private" mode doesn't actually allow all connections from everywhere: most of the default rules are limited to "This subnet" only, which for IPv6 means that even in this mode, only other hosts within the same /64 (e.g. just your home network) will be accepted. Foreign connections remain blocked.

(Note also that the built-in Windows Firewall knows about higher layers than just TCP ports: it can also restrict access to individual RPC services even if they're running on a shared port. This also means that SMB file-sharing access doesn't necessarily automatically grant RPC-over-SMB access.)

There are exceptions to "same subnet" being default (e.g. Remote Desktop is wide open as MS trusts NLA), but those are easy to change via wf.msc.

Which brings us to the second reason: even if the profile had bad defaults, just having two customizable profiles is in itself a feature useful to many advanced users (who would still be able to configure at least custom rules for different security levels).

With IPv4 there's usually NAT in between which acts as a firewall.

NAT doesn't act as a firewall; it is used in addition to a firewall. Yes, you could say that it provides an extra layer against distant attackers – due to private LAN addresses being unroutable on the Internet – but that has nothing to do with actual packet filtering that a firewall does.

If you have just NAT but no other form of packet filtering, then your immediate WAN neighbours still have ways of reaching inside your LAN with just an ip route add.

Some routers (including mine) have an "IPv6 firewall" which simply drops all inbound IPv6 traffic. But if I actually want to open at least one inbound port for some application (such as Remote Desktop) then I have no choice but to expose everything to everyone.

That's a significant omission in your router's firmware then. If its firewall supports custom "allow-specific, deny-all" rules for incoming IPv4, there is no reason it cannot support the same for IPv6.

In both IPv4 and IPv6, it is trivial for a router to implement a firewall that passes through inbound connections to a specific host only, and/or to a specific port only. Most home routers don't even implement their own; they ship standard Linux iptables, so they have no excuse.

If you're completely sure your router doesn't offer custom IPv6 rules (they might be named "virtual server" or "port forwarding" despite not involving DNAT), check if there is a firmware update available.
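As an added example (not part of the original question or answer), the following PowerShell shows how to check the answer's central claim on your own machine: it lists the enabled inbound allow rules that apply to the Private profile, reports the remote-address scope of each (LocalSubnet/LocalSubnet6 versus Any), and then scopes the Remote Desktop rules down to the local subnet, which is the exception the answer mentions. It uses the standard NetSecurity cmdlets (Get-NetFirewallRule, Get-NetFirewallAddressFilter, Get-NetFirewallPortFilter, Set-NetFirewallRule); the -WhatIf dry run at the end is an assumption about how you would want to preview the change before applying it. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original answer: audit Private-profile inbound rules by
# remote scope, then restrict Remote Desktop to the local subnet. Requires the built-in
# NetSecurity module (Windows 8 / Server 2012 and later) and an elevated prompt.

# 1. Enabled inbound allow rules that apply to the Private profile. Rules whose profile
#    is "Any" apply to Private as well, so include them.
$rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Private|Any' }

# 2. Join each rule with its address and port filters. RemoteAddress of "LocalSubnet" or
#    "LocalSubnet6" means only peers on the same subnet (on IPv6, the on-link prefix,
#    typically a /64) are accepted; "Any" means the rule is open to every remote address,
#    including global IPv6 peers.
$report = foreach ($rule in $rules) {
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Group         = $rule.DisplayGroup
        Profile       = "$($rule.Profile)"
        Protocol      = $port.Protocol
        LocalPort     = (@($port.LocalPort) -join ',')
        RemoteAddress = (@($addr.RemoteAddress) -join ',')
    }
}

# 3. Show only the rules whose remote scope is NOT limited to the local subnet; these are
#    the ones a globally routable IPv6 address actually exposes to the Internet.
$wideOpen = $report | Where-Object { $_.RemoteAddress -notmatch 'LocalSubnet' }
$wideOpen | Sort-Object Group, Name | Format-Table Name, Profile, Protocol, LocalPort, RemoteAddress -AutoSize

# 4. Scope the Remote Desktop rules to the local subnet, the same restriction most other
#    default Private rules already carry. -WhatIf previews the change; remove it to apply.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress LocalSubnet -WhatIf
```

Step 3 is the check to repeat after any software install, since third-party installers often add inbound rules with RemoteAddress "Any". If you need Remote Desktop reachable from outside the subnet, replace LocalSubnet with the specific remote prefix you trust rather than leaving it at Any; that matches the answer's point that neither the host firewall nor the router is "all or nothing".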
