Why would I need to have software firewalls on my devices behind my NAT router at home? The topology is a basic consumer grade one: ISP -> my router (NAT) -> LAN, and vice versa.
If NAT already obfuscates my private addresses through translation, how would a potential adversary connect to anything beyond it?
What “good” would my public IP do for a hacker if I have no ports forwarded?
Is a firewall a second line of defense just in case I execute malware that starts forwarding ports?
I do have software firewalls on all my devices, but that wasn’t an informed choice. I just followed the Arch Wiki’s post installation guidelines.


To a certain extent, NAT is a type of firewall. If you don’t forward any ports in, and don’t allow remote access or administration, then your internal network is unreachable from the public internet. This is how basically every consumer router has functioned for a long while.
You can get more expensive systems that offer further firewall and intrusion detection, but they cost more money and require more knowledge to properly secure and administer.
With either hardware setup, you should keep up with firmware updates to patch exploits and make sure you monitor the vendor in case the hardware becomes permanently compromised.
EDIT: I should add, if your computer is compromised by a virus or something, then a firewall won’t necessarily stop that. Most firewalls are focused on blocking inbound connections. While you could technically block outbound countries and ranges with a more capable firewall, once they’re in, that’s kinda game over. In that case an IDS/IPS system might help, but really just being aware of what you’re doing and running, as well as running modern AV software, will go a lot farther than trying to set up a hardware firewall appliance.
EDIT2: and yes, I’m just talking perimeter network firewall stuff. As others are saying, but shouldn’t have to, you should be running the firewall included with your OS as well. You could segment by VLAN as well, but that gets into more advanced topologies that may not be needed in your setup.
NAT without a firewall will translate both ways and may even allow any IP address to come in through an established port.
You need a Firewall
NAT is literally network translation, you’re right.
But if your router is not configured to allow remote administration console access, you are not forwarding any ports, UPnP is turned off, and, if you’re super paranoid (and your router supports it), external ICMP is blocked, then it is functioning quite similar to a perimeter firewall. No unsolicited external traffic goes farther than the WAN side of the router.
NAT will translate both ways ONLY if the outbound (from the internal network) is initiated first.
That’s called a Firewall
Also you don’t need to worry about ICMP.
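The three claims the last few replies go back and forth on (NAT translates back in only for flows the LAN side started; a bare NAT mapping may let any remote IP in through an open port; a port forward added by UPnP punches a hole regardless) are easy to see in a connection-tracking table. The following is an added example, not code from anyone in this thread or from any router vendor: a toy model of a consumer NAT router with an optional stateful filter. The `endpoint_filtering` flag is the difference between NAT alone (full-cone behaviour, any remote host may use an open mapping) and NAT plus a stateful firewall (address-and-port-dependent filtering in RFC 4787 terms). All addresses are constructed from the RFC 5737 documentation ranges, the port numbers, `NatRouter`, `Packet` and `demo` are this example’s own names, and `upnp_add_port_mapping` stands in for what a UPnP IGD AddPortMapping request from any process on the LAN does.

```python
"""Toy model of a consumer NAT router's connection tracking (added example).

Shows three things argued about in the thread:
  * outbound-initiated flows get a mapping, so the reply is translated back in
  * unsolicited inbound traffic to the public IP has no mapping and is dropped
  * a port forward (static, or added via UPnP by a LAN host) punches a hole
All IPs (RFC 5737 documentation ranges) and ports are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class NatRouter:
    wan_ip: str
    lan_prefix: str = "192.168.1."
    endpoint_filtering: bool = True   # False == bare NAT (full cone), no stateful filter
    upnp_enabled: bool = False
    # admin-configured forwards: (proto, wan_port) -> (lan_ip, lan_port)
    forwards: dict = field(default_factory=dict)
    # conntrack: (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host initiates a flow: allocate a WAN port and record the state."""
        if not pkt.src_ip.startswith(self.lan_prefix):
            raise ValueError("outbound() expects a packet from the LAN")
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (proto, wan_port), state in self.table.items():
            if proto == pkt.proto and state == flow:
                break                      # reuse the existing mapping
        else:
            wan_port = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, wan_port)] = flow
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """A packet arriving on the WAN side. Returns the translated packet that is
        delivered to a LAN host, or None if the router drops it."""
        if pkt.dst_ip != self.wan_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        if key in self.table:
            lan_ip, lan_port, remote_ip, remote_port = self.table[key]
            # Stateful firewall: only the peer the LAN host talked to may use the mapping.
            if self.endpoint_filtering and (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
                return None
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
        if key in self.forwards:
            lan_ip, lan_port = self.forwards[key]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
        return None  # unsolicited: no state, no forward, dropped at the WAN side

    def upnp_add_port_mapping(self, lan_ip: str, lan_port: int, wan_port: int,
                              proto: str = "tcp") -> bool:
        """Stand-in for a UPnP IGD AddPortMapping request from any LAN process
        (the 'malware that starts forwarding ports' case from the question)."""
        if not self.upnp_enabled:
            return False
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)
        return True


def demo(endpoint_filtering: bool = True, upnp_enabled: bool = False) -> dict:
    """Run the scenarios from the thread; returns which inbound packets got through."""
    r = NatRouter("203.0.113.7", endpoint_filtering=endpoint_filtering,
                  upnp_enabled=upnp_enabled)
    pc, web, attacker = "192.168.1.20", "198.51.100.10", "192.0.2.66"

    # 1. The PC browses to a web server; the router allocates a WAN port.
    out = r.outbound(Packet(pc, 51000, web, 443))
    reply = r.inbound(Packet(web, 443, r.wan_ip, out.src_port))
    # 2. An attacker scans the public IP: SSH, then the WAN port the PC is using.
    scan = r.inbound(Packet(attacker, 4444, r.wan_ip, 22))
    hijack = r.inbound(Packet(attacker, 4444, r.wan_ip, out.src_port))
    # 3. Something on the PC asks the router, via UPnP, to forward 5555 -> PC:4444.
    mapped = r.upnp_add_port_mapping(pc, 4444, 5555)
    via_upnp = r.inbound(Packet(attacker, 4444, r.wan_ip, 5555))

    return {
        "reply_delivered": reply is not None and reply.dst_ip == pc,
        "ssh_scan_dropped": scan is None,
        "open_mapping_reachable_by_anyone": hijack is not None,
        "upnp_mapping_added": mapped,
        "attacker_reaches_pc_via_upnp": via_upnp is not None and via_upnp.dst_ip == pc,
    }


if __name__ == "__main__":
    for ef, up in [(True, False), (False, False), (True, True)]:
        print(f"endpoint_filtering={ef} upnp={up}:", demo(ef, up))
```

With `endpoint_filtering=True` and UPnP off, the web reply is delivered, the SSH probe is dropped, and the attacker cannot ride the PC’s open mapping; flipping `endpoint_filtering` off is the full-cone case where any remote host can, and enabling UPnP lets a LAN process open a hole no perimeter rule will close. That last case is the one the OS firewall on each device is there for.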
Thanks for reminding me about firmware updates! I was two releases behind on my router’s firmware. 😬