Why would I need to have software firewalls on my devices behind my NAT router at home? The topology is a basic consumer grade one: ISP -> my router (NAT) -> LAN, and vice versa.

If NAT already obfuscates my private addresses through translation, how would a potential adversary connect to anything beyond it?

What “good” would my public IP do for a hacker if I have no ports forwarded?

Is a firewall a second line of defense just in case I execute malware that starts forwarding ports?

I do have software firewalls on all my devices, but that wasn’t an informed choice. I just followed the Arch Wiki’s post installation guidelines.

  • frongt@lemmy.zip · 14 upvotes · 1 day ago

    If you download and run malware, or someone introduces it to your network, a host firewall protects each device. Threats don’t come exclusively via connections inbound from the Internet.

    • emotional_soup_88@programming.dev (OP) · 1 upvote · 16 hours ago

      Thanks! That was my thought too, but at the moment, I’m running a block all inbound, allow all outbound traffic configuration, which I know is less secure, but I haven’t quite figured out what rules (addresses and ports and states) I need to put into the output chain. Being a beginner, I know that I need ports 80, 442 for websites but that’s about it… Is it 53 for DNS? But what if I use my VPN provider’s DNS? Is it still 53? Well, as you can see, I have some studying to do. 😄

      • frongt@lemmy.zip · 2 upvotes · edited · 14 hours ago

        For LAN hosts, block inbound and allow outbound is fine. If you want, you can default deny inbound and outbound at the edge, but you’ll be spending a lot of time troubleshooting and whitelisting, and probably end up having to allow traffic you don’t quite understand in order to get stuff to work.

        It’s more time-effective to reduce your risk of malware in the first place by just not running really sketchy programs. I’d put implementing host-based anti-malware as a higher priority, like Wazuh. And OpenVAS for network scanning.

        But this isn’t a networking topic, it’s cybersecurity.
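One concrete nftables ruleset for the "block inbound, allow outbound" host setup discussed in this exchange, as an added example that is not from any poster in the thread; the table name, interface name and the port list in the restrictive output variant are assumptions for a typical Linux LAN host behind a NAT router:

```nft
# Added example: stateful host firewall for a LAN host behind NAT.
# Load as root with: nft -f host.nft
flush ruleset

table inet host {
    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback, plus replies to connections this host started.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Blocking all ICMP breaks path MTU discovery and, on IPv6,
        # neighbour discovery, so allow it in.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # No inbound service ports are opened; everything else is
        # dropped by the chain policy. A rule such as
        # "tcp dport 22 accept" belongs here only for a service
        # that must be reachable from the LAN.
    }

    chain forward {
        # A LAN host is not a router: never forward between interfaces.
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        # Permissive variant (the LAN-host setting recommended above):
        type filter hook output priority filter; policy accept;

        # Restrictive variant: change the policy above to "drop" and
        # uncomment the rules below. Switching resolvers (e.g. to a
        # VPN provider's DNS) changes the destination address, not
        # the port, so plain DNS is still 53/udp and 53/tcp.
        # oif "lo" accept
        # ct state established,related accept
        # udp dport 53 accept
        # tcp dport { 53, 80, 443 } accept
        # ip protocol icmp accept
        # ip6 nexthdr icmpv6 accept
    }
}
```

Check a ruleset before applying it with `nft -c -f host.nft`, which parses it without loading it.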

    • Max-P@lemmy.max-p.me · 1 upvote · 24 hours ago

      Not all routers have all that great security either. Even if the admin page isn’t exposed to the Internet, you can access it and so does your browser. Just takes a little bit of XSS and oops.

      • Possibly linux@lemmy.zip · 1 upvote · 11 hours ago

        Some consumer devices expose services to the internet for some unknown reason.

        In IPv6 land some vendors decided that a firewall is not really necessary.