Why would I need to have software firewalls on my devices behind my NAT router at home? The topology is a basic consumer-grade one: ISP -> my router (NAT) -> LAN, and vice versa.
If NAT already obfuscates my private addresses through translation, how would a potential adversary connect to anything beyond it?
What “good” would my public IP do for a hacker if I have no ports forwarded?
Is a firewall a second line of defense just in case I execute malware that starts forwarding ports?
I do have software firewalls on all my devices, but that wasn’t an informed choice. I just followed the Arch Wiki’s post-installation guidelines.


Not all routers have all that great security either. Even if the admin page isn’t exposed to the Internet, you can access it and so can your browser. Just takes a little bit of XSS and oops.
Some consumer devices expose services to the internet for some unknown reason.
In IPv6 land, some vendors decided that a firewall is not really necessary.
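
An added example, not part of the thread: one way to see which listeners on a host depend on something other than their bind address for protection is to classify the output of `ss -tlnH` by the scope of each local address. The sample input is constructed, and the function names are this example's own.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
LISTEN 0 4096 [::1]:631 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 *:8080 *:*
LISTEN 0 128 [fe80::1c2d:3eff:fe4f:5a6b]%eth0:5355 [::]:*
"""

def parse_local(field):
    """Split ss's 'Local Address:Port' field into (ip_or_None, port)."""
    host, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %zone suffix such as %eth0 or %lo.
    host = host.replace("[", "").replace("]", "").split("%")[0]
    if host == "*":  # dual-stack wildcard socket
        return None, int(port)
    return ipaddress.ip_address(host), int(port)

def scope(ip):
    """Name the reach of a bind address."""
    if ip is None or ip.is_unspecified:
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    return "specific-address"

def exposed_listeners(ss_output):
    """Return sorted (port, scope) pairs for listeners other hosts can reach."""
    found = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        ip, port = parse_local(cols[3])
        if scope(ip) != "loopback":
            found.add((port, scope(ip)))
    return sorted(found)

if __name__ == "__main__":
    for port, reach in exposed_listeners(SAMPLE_SS):
        print(f"tcp/{port}: bound to {reach}")
```

Every port it reports is one that only the host firewall or the router's filtering keeps other machines from connecting to.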