Check you printer on Shodan.

No mention anywhere about consumer printers behind routers using NAT.

Am I correct to assume that such a printer, like mine, is not Internet facing, so not vulnerable? It did connect and download an update as soon as I plugged it in.

Setting this printer up was a mission; the instructions that came with it assumed the user has a CD-ROM. in 2017? (Finding the ethernet jack took persistence, it's in the bowels of the printer, However, if I'd noticed the bright orange sticker on the side, which I just did, I might have found it more quickly.) Also, going to Brother.com and following links, and searching, did not find the straightforward instructions to set it up on a debian-derived distro. Eventually I found an AskUbuntu post that linked into that same Brother site. Works well.

Anyway, nothing suggested that I point my browser at it. Again, a "duh" moment for me. Doing so, the need to set up an administrator password is obvious.

If your printer made an internet connection automatically, and automatically DL's an update, then your printer is Internet facing.

Shodan showed that my printer, an HP P1606dn, can be exposed as well. But, I removed it from my WIFI router and plugged it into my local USB port two years ago because of this exposure problem. Netstat -anlp will show a problem if cupsd is pointing to anything else other than 0.0.0.0:631 or your printer has an external address LISTENING line.

Again, it's not magic. Don't ever be surprised by what you see, or who sees you ...

I didn't get that. Unless you set it up, a device behind a router using NAT cannot be reached by an inbound connection. Something on the internet would have to break into an outbound connection, say by hacking some site, and then only while the printer had opened such a connection.

Alas, that's IPv4 thinking. IPv6 doesn't need or use NAT. I need to check out the story with my router; it's an ISP supplied, designed by them, made by Technicolor, and has a "Firewall" turned on. The lack of any details about what that means or does is a worry.

"can be exposed", but also Shodan can show if it is exposed. They have a database of devices that are really exposed, which they aggregate from sites that scan the internet. Mine isn't there.

It's more flexible to have the printer on the LAN. That way a PC doesn't have to be turned on to print; there's not just me using it.

I thought netstat is to be run on the host with the ports, that it won't show ports open on another device on the LAN. nmap shows the printer listening on ports 80, 443, 515, 631 and 9100, but on-line port scanners show nothing open, on IPv4 or IPv6.

It is "IPv4 thinking" because 70% of the Internet (at least in the USA) is still IPv4. My last ISP, Spectrum, didn't support IPv6 in my area, and neither does my new ISP, Allo Communications. That's why I run Hurricane Electric's IPv6 tunnel, which makes IPv6 my default, with a fallback to IPv4 in under a second.