Why would I need to have software firewalls on my devices behind my NAT router at home? The topology is a basic consumer grade one: ISP -> my router (NAT) -> LAN, and vice versa.
If NAT already obfuscates my private addresses through translation, how would a potential adversary connect to anything beyond it?
What “good” would my public IP do for a hacker if I have no ports forwarded?
Is a firewall a second line of defense just in case I execute malware that starts forwarding ports?
I do have software firewalls on all my devices, but that wasn’t an informed choice. I just followed the Arch Wiki’s post installation guidelines.
NAT without a Firewall will translate both ways and may even allow any IP addresses to come in though a established port.
You need a Firewall
NAT is literally network translation, you’re right.
But if your router is not configured to allow remote administration console access, and you are not forwarding any ports, turn off uPnP, and if you’re super paranoid (and your router supports it) blocking external ICMP, then it is functioning quite similar to a perimeter firewall. No unsolicited external traffic goes farther than the WAN side of the router.
NAT will translate both ways ONLY if the outbound (from the internal network) is initiated first.
That’s called a Firewall
Also you don’t need to worry about icmp