This. NAT is not a firewall. It's not intended as a firewall. But to be fair to OP's concerns, NAT does have a natural firewall effect due to how NAT is designed to work. NAT was patch for the shortage of IPv4 addresses, and things went wrong when people started to use NAT as a form of firewall. But than I say again, NAT is not a firewall and should be never considered as a vital security layer in network configurations. That should be handled by a real firewall. If you depend on NAT in order for your network to be secure, your upstream firewall and client firewalls are not configured properly.
Unfortunately, people did start using NAT as a firewall. That's why ISP were reluctant with rolling out IPv6 in the beginning. Almost every provider deploys IPv6 with a good firewall integrated in supplied modem-router combination devices. I was reading about this subject years ago, and I remember a topic where this was discussed. It took me a while but I found the website here.
The answer to your concerning with IPv6 is having a good firewall. That was always the correct answer imho, even when we fooled around with NAT and IPv4 in the past. Now lets take a more technical approach when talking about firewalls and OpenWRT. Please correct me if I'm wrong here.
When we look at the kernel configuration of OpenWRT, we see that net.ipv4.ip_forward
and net.ipv6.conf.all.forwarding
is both enabled by default. That means all inbound traffic can be routed if it has a destination. And the destination is often the router itself when talking about NAT with IPv4, or the end-host when talking about IPv6. The lack of a downstream destination address is the reason why NAT with IPv4 gives an extra security layer.
So what prevents all inbound traffic from reaching their destination when talking about IPv6 and OpenWRT? That's the firewall of course, which should block all inbound traffic by default. Only inbound traffic with explicitly defined allow rules should be able to pass. The firewall in OpenWRT is fw3, which is build on netfilter/iptables. Netfilter operates at kernel level and is considered a very robust stable framework, which makes it an excellent firewall framework. I never seen Netfilter ever fail in my life. I trust it.
But let's take a hypothetical approach here. What if the firewall does fail? A good firewall should fail in a closed state, not allowing any packages to be forwarded anymore. Unfortunately I can't confirm whether this is the case for Netfilter. But what I do know, is when Netlink fails, it should cause a kernel panic because it operates at kernel level. We see that kernel.panic
is to 3 in OpenWRT, which means the router reboots after 3 seconds when a kernel panic occurs. If Netlink doesn't fail in a closed state (and again, I don't know if that is the case), it means that IPv6 hosts with a global address (UGA) are reachable for 3 seconds from the outside. After these 3 seconds, the router reboot itself while dropping all connections, and and the firewall should be in a working state again when it's up. Within this hypothetical 3 seconds window, unauthorized access should be prevented by firewall software running on the host itself.
At host level the firewall should also block all inbound traffic by default, with the exception of explicitly defined allow rules. Public facing services should allow all inbound traffic on a specified port, while LAN restricted services should only allow inbound traffic from restricted subnets or IP addresses on a specified port.
Windows does a good job by enabling the built-in firewall by default. However when talking about Ubuntu.. Ubuntu doesn't enable firewall by default. They don't ship the OS with open ports. Therefore they believe that enabling the firewall isn't necessary. This is so weird imho, as this doesn't account for user actions after deployment. Looks like a dick measuring contest to show of how secure they are (and they do take security very seriously).
In the end, a good configured environment should be still secure despite the lack of NAT. NAT was never designed to be a security measure, just as IPv6 wasn't designed to be used with NAT - in theory at least.
As bonus, if you don't want to expose your IPv6 addresses to the world out of privacy reasons, you can use privacy extensions. Windows enables this by default. Ubuntu is again a weird duck here. It also doesn't enable privacy extensions by default. Alternatively, you can also use DHCPv6 (which is slightly less controversial compared to NAT6 when talking to IPv6 evangelists).