this post was submitted on 29 Dec 2025
13 points (84.2% liked)

networking

3388 readers
2 users here now

Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.

founded 2 years ago
MODERATORS
manifex@sh.itjust.works
13
NAT vs firewall at home (programming.dev)
submitted 1 week ago by emotional_soup_88@programming.dev to c/networking@sh.itjust.works
21 comments fedilink hide all child comments
 

Why would I need to have software firewalls on my devices behind my NAT router at home? The topology is a basic consumer grade one: ISP -> my router (NAT) -> LAN, and vice versa.

If NAT already obfuscates my private addresses through translation, how would a potential adversary connect to anything beyond it?

What "good" would my public IP do for a hacker if I have no ports forwarded?

Is a firewall a second line of defense just in case I execute malware that starts forwarding ports?

I do have software firewalls on all my devices, but that wasn't an informed choice. I just followed the Arch Wiki's post installation guidelines.

you are viewing a single comment's thread
view the rest of the comments
[โ€“] stratself 7 points 1 week ago* (last edited 1 week ago) (1 children)

If NAT already obfuscates my private addresses through translation, how would a potential adversary connect to anything beyond it?

Not an expert but they can try compromising another device on your LAN as a proxy to your rig. Maybe pawn your router and have it open up random ports too. So per-device firewall is defense in depth.

What "good" would my public IP do for a hacker if I have no ports forwarded?

Is a firewall a second line of defense just in case I execute malware that starts forwarding ports?

Malware doesn't need forwarded ports to the internet to function. It can just download a script to a compromised device and wreck havoc on LAN. So if you properly segment your devices and utilize endpoint firewalls it can limit the blast radius and does some detection stuff

Edit: Don't think of NAT as proper firewall, it's just an easy way to share addresses via your router/modem. Your ISP's devices often block inbound connections from the internet by default but that's a firewall configuration, not a NAT

[โ€“] emotional_soup_88@programming.dev 1 points 1 week ago

"Limit the blast radius" was so easy to understand. Thanks! I'll make sure to segment and lock down each device.