Why would I need to have software firewalls on my devices behind my NAT router at home? The topology is a basic consumer grade one: ISP -> my router (NAT) -> LAN, and vice versa.

If NAT already obfuscates my private addresses through translation, how would a potential adversary connect to anything beyond it?

What “good” would my public IP do for a hacker if I have no ports forwarded?

Is a firewall a second line of defense just in case I execute malware that starts forwarding ports?

I do have software firewalls on all my devices, but that wasn’t an informed choice. I just followed the Arch Wiki’s post installation guidelines.

  • frongt@lemmy.zip · 1 day ago

    Through any available mechanism that Mallory can conceive, Mallory gets U to send an outbound packet with a fake source IP and with src port 22. Actually, Mallory gets U to send loads of packets, each from a different source IP.

    While possible, this is generally unlikely to achieve, unless Mallory can convince U to run malicious code with elevated privileges. Binding to ports under 1024 and forging TCP packets require elevated privileges on any user OS.

    • litchralee@sh.itjust.works · edited · 1 day ago

      In my mind, I figured that an attacker would sidestep binding to L3 at all, and would just craft raw L2 packets that contain TCP headers with src_addr of every possible address in the subnet. But that too would require elevated privileges, so point taken.

      That said, using most of the same general scenario where S is blitheringly unsecured against internal threats – under the false pretense that NAT somehow provides security – a DNS rebinding attack that uses an unwitting user’s web browser to proxy Mallory’s traffic to S could succeed. Maybe not SSH per se, but any internal service that S is hosting would be vulnerable.

      This isn’t an attack that’s per se exacerbated by NAT, but a good-and-proper firewall config at the network and on S would easily protect against this, which is why I mention it. If NAT is believed to be “security”, then almost certainly the firewall configuration will be overlooked and attack vectors will be left open.

      • borari@lemmy.dbzer0.com · 22 hours ago

        Typically you’d just run a bind C2 implant on the User machine that reaches out to the attacker’s C2 servers to retrieve cached commands to execute. Yeah, NAT isn’t going to stop it, but tbh a stateful firewall isn’t really gonna stop it either.
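The DNS rebinding scenario litchralee raises above has a cheap host-side defence that does not depend on NAT or on a network firewall at all: after the attacker's name is rebound to an internal address, the victim's browser still sends the attacker's hostname in the HTTP Host header, so an internal service that only answers requests addressed to its own name or address rejects the proxied traffic. The block below is an added example (not code from the thread or from any of the commenters) of that Host-header allowlist, wrapped in a minimal HTTP handler. The service names and addresses in ALLOWED_HOSTS and the sample Host headers are constructed for the example.

```python
"""
Added example: a Host-header allowlist that defeats DNS rebinding against an
internal HTTP service S.  Names, addresses and sample headers are constructed.
"""
import ipaddress
from collections.abc import Iterable
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed names/addresses by which S is legitimately reached on the LAN.
ALLOWED_HOSTS = frozenset({"192.168.1.10", "nas.lan", "localhost", "::1"})


def normalize_host(host_header: str) -> str:
    """Strip an optional :port and IPv6 brackets from a Host header value.

    "192.168.1.10:8080" -> "192.168.1.10", "[::1]:8080" -> "::1".
    Returns "" for an empty or malformed value.
    """
    host = host_header.strip()
    if host.startswith("["):                 # bracketed IPv6 literal
        end = host.find("]")
        return host[1:end] if end > 1 else ""
    if host.count(":") == 1:                 # single colon: name-or-IPv4:port
        host = host.split(":", 1)[0]
    return host


def canonical(host: str) -> str:
    """Canonical form for comparison: IP literals via ipaddress, names lower-cased."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host.lower().rstrip(".")


def host_is_allowed(host_header: str, allowed: Iterable[str]) -> bool:
    """True only if the Host header names this service.

    A rebound request carries the attacker's hostname (e.g. "evil.example")
    because the browser fills Host from the URL it was given, so it fails here.
    A missing or empty Host header is rejected as well.
    """
    host = normalize_host(host_header)
    if not host:
        return False
    return canonical(host) in {canonical(a) for a in allowed}


class RebindingAwareHandler(BaseHTTPRequestHandler):
    """Minimal handler for S that refuses requests not addressed to S itself."""

    def do_GET(self) -> None:
        if not host_is_allowed(self.headers.get("Host", ""), ALLOWED_HOSTS):
            # 421 Misdirected Request: the request was not meant for this origin.
            self.send_error(421, "Misdirected Request")
            return
        body = b"hello from S\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind on the LAN address so the example can be exercised with curl, e.g.
    #   curl -H 'Host: evil.example' http://192.168.1.10:8080/   -> 421
    #   curl http://192.168.1.10:8080/                           -> 200
    HTTPServer(("0.0.0.0", 8080), RebindingAwareHandler).serve_forever()
```

This only protects HTTP services, and only those that implement the check; anything else listening on S still needs the host firewall rules litchralee mentions. A complementary network-side control is a resolver that refuses answers pointing at private ranges (dnsmasq's `--stop-dns-rebind`, for example), which stops the rebinding step itself rather than its consequences.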