this post was submitted on 29 Dec 2025
Thanks! That was my thought too, but at the moment, I'm running a block all inbound, allow all outbound traffic configuration, which I know is less secure, but I haven't quite figured out what rules (addresses and ports and states) I need to put into the output chain. Being a beginner, I know that I need ports 80, 442 for websites but that's about it... Is it 53 for DNS? But what if I use my VPN provider's DNS? Is it still 53? Well, as you can see, I have some studying to do.
For LAN hosts, block inbound and allow outbound is fine. If you want, you can default deny inbound and outbound at the edge, but you'll be spending a lot of time troubleshooting and whitelisting, and probably end up having to allow traffic you don't quite understand in order to get stuff to work.
It's more time-effective to reduce your risk of malware in the first place by just not running really sketchy programs. I'd put implementing host-based anti-malware as a higher priority, like Wazuh. And OpenVAS for network scanning.
But this isn't a networking topic, it's cybersecurity.
You probably want to allow all outbound, as things will break otherwise.
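For anyone wanting to see what the "output chain with addresses, ports and states" from the question looks like next to the allow-all-outbound setup the replies recommend, here is an added nftables example (not posted by anyone in this thread). It assumes a LAN host whose physical NIC is eth0, whose VPN tunnel is wg0, and whose VPN provider resolver and endpoint are the constructed placeholder addresses 192.0.2.53 and 203.0.113.10; the logging rule at the end is what makes the "stuff that breaks" under default-deny egress visible in the system log.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Interface names and the 192.0.2.53 /
# 203.0.113.10 addresses are assumptions; substitute your own.
flush ruleset

table inet host {
  chain input {
    # Default deny inbound; only return traffic for connections this host opened.
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # ICMP/ICMPv6 keep neighbour discovery and path-MTU discovery working.
    meta l4proto { icmp, icmpv6 } accept
  }

  chain output {
    # The questioner's current setup is simply "policy accept;" with no rules.
    # This stricter variant drops by default and lists what is allowed.
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ct state established,related accept
    ct state invalid drop
    meta l4proto { icmp, icmpv6 } accept
    # DNS still uses port 53, but only to the VPN provider's resolver and only
    # over the tunnel, so no lookups leak out the physical NIC.
    oif "wg0" ip daddr 192.0.2.53 udp dport 53 accept
    oif "wg0" ip daddr 192.0.2.53 tcp dport 53 accept
    # Web browsing over the tunnel: HTTP, HTTPS and HTTP/3 (QUIC over UDP 443).
    oif "wg0" tcp dport { 80, 443 } accept
    oif "wg0" udp dport 443 accept
    # NTP, so TLS certificate validity checks have a correct clock.
    oif "wg0" udp dport 123 accept
    # The tunnel itself: WireGuard to the provider endpoint on the physical NIC.
    oif "eth0" ip daddr 203.0.113.10 udp dport 51820 accept
    # DHCP so the LAN lease can be renewed.
    oif "eth0" udp sport 68 udp dport 67 accept
    # Anything else is logged (rate-limited) and then dropped by the policy,
    # which is how you find out what still needs an allow rule.
    limit rate 5/second log prefix "egress-drop: "
  }
}
```

Load it with `nft -f` and watch the kernel log for `egress-drop:` entries while using the machine normally; each entry is a candidate for a new allow rule or a sign of something phoning home that you did not expect.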