It goes beyond that. With IPV4 you have the further protection of private subnets not even routing across the public internet - it’s broke by default, no configuration necessary.
Your attack surface is primarily your firewall which admittedly might be an easy target - but not as easy as an unprotected Windows box.
Private address ranges are a human convention and there have been instances in the past of upstream routers passing them on.[1] Relying on other people to do your filtering for you is a bad idea. I'm going to put the rules in my own router, whether those addresses are (potentially) globally routable or are designated as private.
The use of small private pools has even helped attackers who would inject browser scripts probing the well-known prefixes.[2]
Exactly! Duplicating my point in a thread below to drive your point home:
NAT was an added layer on top of firewall rules because inbound ports had to be mapped to a particular host and port since the router would not know which host to send to. This created a default opt out experience because for a port on your machine to get accessed, a packet must pass inbound rules and match a port map table entry.
NAT was created for one reason only: because there weren't enough IPv4 addresses to go around.
Port mapping and connection tracking firewalls were invented in 1989,[1][2] while network translation was created in 1994. [3][4] The private address space was only reserved in 1996.[5] The Firewalls book was published in 1994 (which meant that it was being written in the 1992-3 timeframe).[6]
> it’s broke by default, no configuration necessary.
Which is why all sorts of software needs to deal with bullshit like STUN, TURN, etc, to get peer-to-peer connections working. There has to be all sorts of address discovery.
And even that won't work once you get into CG-NAT with tends to have two layers of NAT.
How much of the centralization of the Internet has occurred because people can't just talk to each other (by simply firewall hole punching via UPnP/PCP)?
Your attack surface is primarily your firewall which admittedly might be an easy target - but not as easy as an unprotected Windows box.