NAT is not a Firewall

If you download and run malware, or someone introduces it to your network, a host firewall protects each device. Threats don’t come exclusively via connections inbound from the Internet.

If NAT already obfuscates my private addresses through translation, how would a potential adversary connect to anything beyond it?

Not an expert but they can try compromising another device on your LAN as a proxy to your rig. Maybe pawn your router and have it open up random ports too. So per-device firewall is defense in depth.

What “good” would my public IP do for a hacker if I have no ports forwarded?

Is a firewall a second line of defense just in case I execute malware that starts forwarding ports?

Malware doesn’t need forwarded ports to the internet to function. It can just download a script to a compromised device and wreck havoc on LAN. So if you properly segment your devices and utilize endpoint firewalls it can limit the blast radius and does some detection stuff

Edit: Don’t think of NAT as proper firewall, it’s just an easy way to share addresses via your router/modem. Your ISP’s devices often block inbound connections from the internet by default but that’s a firewall configuration, not a NAT

The difference between NAT and firewalls is a common point of confusion, and particularly irks me because I am very pro-IPv6 and very anti-NAT. Nevertheless, we should start with the raison d’etre for NAT and firewalls.

Network Address Translation (NAT) is a variety of technologies used to map one (or more) external-facing IP addresses to one (or more) internal IP addresses. The various flavors of NAT are described in RFC2663, but suffice it to say that the most common situation is to share a single public IP with many internal machines on a LAN, by rewriting port numbers to distinguish each internal machine’s packets from each other. This is usually called Network Address/Port Translation (NAPT) and necessarily only works for protocols that the translator understands (usually just TCP, UDP, and ICMP).

A firewall is a security feature that inspects and rejects unwanted traffic from entering or exiting a network. A simple configuration would be to reject all ingress traffic, except when that traffic is expected as a reply to an earlier packet sent from the internal network. This sort of simple configuration is sufficient for client-server applications, such as web browsing, but will not support peer-to-peer software nor would it support hosting services at home. Note that rejecting traffic at the firewall still means that the packet had to be sent through the ISP all the way to the firewall, and then blocked there.

With these definitions in mind, all commercially-available home routers for the past two decades have always included both a NAT and a default firewall, even if people did not necessarily notice the presence of the latter. This has led to the perception that only the NAT is what keeps the internal network safe, but it really doesn’t.

Perhaps the best way I can explain why NAT != security is by pointing to the Wikipedia page on NAT Traversal. This is when various applications (legitimate or not) have a valid need to overcome the port-mapping that NAPT does, or whatever else molestation that the translator is doing. STUN and TURN are two specific technologies explicitly designed to help break through a NAT, and they’re in common use for enabling VoIP in video games and video/screen sharing in telepresence applications. Those two examples have a need to send traffic directly inbound to a user’s machine, and the fact that it’s possible means that NAT can (and has) been abused to break into networks.

Here is the general structure of a malicious break-in to a network, in spite of NAT, requiring only an unwitting machine on the inside to help jump-start the attack. Consider that we have a secure machine (eg accounting database server) on the network, labeled S. And we have a number of user machines, with one of them being labeled U. Somewhere faraway, Mallory has set up a scam website on HTTP port 80, and convinces the user on machine U to visit it. Through any available mechanism that Mallory can conceive, Mallory gets U to send an outbound packet with a fake source IP and with src port 22. Actually, Mallory gets U to send loads of packets, each from a different source IP. By sheer brute force, one of these packets will have the forged source IP of S and port 22.

From the NAPT translator’s perspective, it just sees a bunch of outbound connection attempts to a faraway server. So it happily does translation and passes the connection through. It also marks the port as “established”, meaning a reply will be allowed back into the network. It turns out, all of these connections are to Mallory’s machine. Uh oh.

Mallory can now send packets back towards the the internal network, and the NAT lets those packets through. Mallory specifically crafts an SSH connection attempt, and lo and behold, the accounting machine is running a seriously out-of-date, unpatched version of SSH server (why? idk). Pwned. You can replace any part of this theoretical attack to make it more plausible, but that’s the rub: it’s entirely possible. NAT does not provide security. Mallory can trick the translator.

Why didn’t the firewall do anything? As explained before, a default firewall allows any machine on the inside to talk to the internet. But that was not a wise choice, because the S machine really shouldn’t ever be talking to the internet. Good network design would have blocked outbound connections from the S machine’s IP, because S has no legitimate reason for doing so. This is the principle of least-privilege.

Even better design would be defense in depth: even with the network’s firewall configured to reject any attempt by S to reach the internet, S should also be running its own firewall. Two > One. And that firewall can be a lot less complicated, because it only needs to deal with a single machine’s traffic. Did S need to have an SSH server? Turn that off, and then configure S’s firewall to drop port 22 inbound traffic.

TL;DR: check your firewall settings. Imagine ways to break into your own network. Fix what you find.

To a certain extent, NAT is a type of firewall. If you don’t forward any ports in, and don’t allow remote access or administration, then your internal network is unreachable from the public internet. This is how basically every consumer router has functioned for a long while.

You can get more expensive systems that offer further firewall and intrusion detection, but they cost more money and require more knowledge to properly secure and administer.

With either hardware setup, you should keep up with firmware updates to patch exploits and make sure you monitor the vendor in case the hardware becomes permanently compromised.

EDIT: I should add, if your computer is compromised by a virus or something, then a firewall won’t necessarily stop that. Most firewalls are focused on blocking inbound connections. While you could technically block outbound countries and ranges with a better firewall capability, once they’re in, that’s kinda game over. In that case an IDS/IPS system might help, but really just being aware of what you’re doing and running, as well as running a modern AV software, will go a lot farther than trying to set up a hardware firewall appliance.

EDIT2: and yes, I’m just talking perimeter network firewall stuff. As others are saying, but shouldn’t have to, you should be running the firewall included with your OS as well. You could segment by VLAN as well, but that gets into more advanced topologies that may not be needed in your setup.