Why would I need to have software firewalls on my devices behind my NAT router at home? The topology is a basic consumer grade one: ISP -> my router (NAT) -> LAN, and vice versa.
If NAT already obfuscates my private addresses through translation, how would a potential adversary connect to anything beyond it?
What “good” would my public IP do for a hacker if I have no ports forwarded?
Is a firewall a second line of defense just in case I execute malware that starts forwarding ports?
I do have software firewalls on all my devices, but that wasn’t an informed choice. I just followed the Arch Wiki’s post installation guidelines.


Thanks! That was my thought too, but at the moment, I’m running a block all inbound, allow all outbound traffic configuration, which I know is less secure, but I haven’t quite figured out what rules (addresses and ports and states) I need to put into the output chain. Being a beginner, I know that I need ports 80, 442 for websites but that’s about it… Is it 53 for DNS? But what if I use my VPN provider’s DNS? Is it still 53? Well, as you can see, I have some studying to do. 😄
You probably want to allow all outbound, as things will break otherwise.
For LAN hosts, block inbound and allow outbound is fine. If you want, you can default deny inbound and outbound at the edge, but you’ll be spending a lot of time troubleshooting and whitelisting, and probably end up having to allow traffic you don’t quite understand in order to get stuff to work.
It’s more time-effective to reduce your risk of malware in the first place by just not running really sketchy programs. I’d put implementing host-based anti-malware as a higher priority, like Wazuh. And OpenVAS for network scanning.
But this isn’t a networking topic, it’s cybersecurity.
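As an added example (not posted by anyone in the thread), here is what the “block inbound, allow outbound” host firewall discussed above looks like as an nftables ruleset, plus the stricter allowlist-outbound variant the second post asks about. The script prints the ruleset so it can be read and syntax-checked without root (`sh host_fw.sh strict | nft -c -f -`) and applied with `nft -f -` as root. The ports in the strict chain (DHCP 67/68, DNS 53, NTP 123, HTTP/HTTPS 80/443), the WireGuard endpoint port 51820 and the tunnel interface name `wg0` are assumptions for a typical home setup; adjust them to what you actually run. Two points the thread raises are visible in the rules: the input chain is what protects a host from traffic that the router’s NAT never sees, such as another LAN device that has been compromised, and DNS through a VPN is still port 53, it just leaves through the tunnel interface, which is why `wg0` gets its own rule.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints an nftables ruleset for a
# LAN host: unsolicited inbound is dropped, outbound is either allowed
# entirely ("open") or restricted to an allowlist ("strict").
# Assumptions: WireGuard VPN on UDP 51820 with tunnel interface wg0.

# Chains shared by both modes: stateful input filtering and no forwarding.
common_chains() {
    cat <<'EOF'
flush ruleset

table inet host_fw {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections this host opened (and related traffic such
        # as ICMP errors) are allowed back in; everything else unsolicited
        # is dropped, including from other hosts on the LAN.
        ct state established,related accept
        ct state invalid drop

        iif "lo" accept

        # ICMP is needed for path MTU discovery, ICMPv6 for neighbour discovery.
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept
    }

    chain forward {
        # This is a host, not a router: never forward packets.
        type filter hook forward priority 0; policy drop;
    }
EOF
}

# Outbound as discussed in the thread: allow everything.
output_open() {
    cat <<'EOF'
    chain output {
        type filter hook output priority 0; policy accept;
    }
EOF
}

# Outbound allowlist. Expect to tune this; the final rule logs what it drops.
output_strict() {
    cat <<'EOF'
    chain output {
        type filter hook output priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        oif "lo" accept

        # DHCP client (IPv4), DNS, NTP, web. DNS over the VPN is still port 53
        # but goes out via the tunnel interface, covered by the wg0 rule below.
        udp sport 68 udp dport 67 accept
        udp dport 53 accept
        tcp dport 53 accept
        udp dport 123 accept
        tcp dport { 80, 443 } accept

        # Tunnel setup to the VPN provider (assumed WireGuard, UDP 51820),
        # and anything that travels inside the tunnel.
        udp dport 51820 accept
        oifname "wg0" accept

        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept

        # Log dropped outbound traffic so the allowlist can be adjusted.
        log prefix "out-drop: " counter drop
    }
EOF
}

# host_ruleset [open|strict]: print the complete ruleset to stdout.
host_ruleset() {
    mode=${1:-open}
    case "$mode" in
        open|strict) ;;
        *) echo "usage: host_ruleset [open|strict]" >&2; return 1 ;;
    esac
    common_chains
    if [ "$mode" = strict ]; then output_strict; else output_open; fi
    printf '}\n'
}

# Usage: sh host_fw.sh [open|strict]            print the ruleset
#        sh host_fw.sh strict | nft -c -f -      syntax check (no root needed)
#        sh host_fw.sh strict | sudo nft -f -    apply it
host_ruleset "${1:-open}"
```

Start with `open`, switch to `strict` only once you have watched the `out-drop:` log lines long enough to know what the host actually needs; a `log` before a `drop` is the cheapest way to avoid blindly allowing traffic you do not understand.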