Why would I need to have software firewalls on my devices behind my NAT router at home? The topology is a basic consumer grade one: ISP -> my router (NAT) -> LAN, and vice versa.
If NAT already obfuscates my private addresses through translation, how would a potential adversary connect to anything beyond it?
What “good” would my public IP do for a hacker if I have no ports forwarded?
Is a firewall a second line of defense just in case I execute malware that starts forwarding ports?
I do have software firewalls on all my devices, but that wasn’t an informed choice. I just followed the Arch Wiki’s post installation guidelines.


For LAN hosts, block inbound and allow outbound is fine. If you want, you can default deny inbound and outbound at the edge, but you’ll be spending a lot of time troubleshooting and whitelisting, and probably end up having to allow traffic you don’t quite understand in order to get stuff to work.
It’s more time-effective to reduce your risk of malware in the first place by just not running really sketchy programs. I’d put implementing host-based anti-malware as a higher priority, like Wazuh. And OpenVAS for network scanning.
But this isn’t a networking topic, it’s cybersecurity.
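As an added example (not from either poster), here is what the "block inbound, allow outbound" stance for a LAN host looks like as an nftables ruleset, the firewall the Arch Wiki post-install steps point at. It assumes a single-homed Linux host with nftables installed; interface names and the log prefix are my choices.

```nft
#!/usr/sbin/nft -f
# Added example, not the thread's own config: a LAN-host ruleset that drops
# unsolicited inbound traffic and allows all outbound.
# Load with: nft -f /etc/nftables.conf ; inspect with: nft list ruleset
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections this host opened are accepted; this is the
        # stateful part that lets "allow outbound" work with no inbound ports open
        ct state established,related accept

        # Packets conntrack cannot associate with any flow
        ct state invalid drop

        # Local services talking to each other over loopback
        iif lo accept

        # Ping, PMTU discovery and IPv6 neighbour discovery
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Rate-limited record of what the policy drops, so a scan from
        # another LAN device (the "malware on the inside" case in the
        # question) shows up in the journal instead of being silently eaten
        limit rate 5/minute log prefix "nft-drop-input: "
    }

    chain forward {
        # A LAN host is not a router: never relay traffic between interfaces
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Allow outbound, the trade-off described in the answer above
        type filter hook output priority 0; policy accept;
    }
}
```

The drop log is the practical payoff of running a host firewall behind NAT: it is where unexpected inbound connection attempts from other devices on the LAN become visible.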