this post was submitted on 29 Dec 2025
13 points (84.2% liked)

networking

3389 readers
10 users here now

Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.

founded 2 years ago
MODERATORS
manifex@sh.itjust.works
13
NAT vs firewall at home (programming.dev)
submitted 1 week ago by emotional_soup_88@programming.dev to c/networking@sh.itjust.works
21 comments fedilink hide all child comments
 

Why would I need to have software firewalls on my devices behind my NAT router at home? The topology is a basic consumer grade one: ISP -> my router (NAT) -> LAN, and vice versa.

If NAT already obfuscates my private addresses through translation, how would a potential adversary connect to anything beyond it?

What "good" would my public IP do for a hacker if I have no ports forwarded?

Is a firewall a second line of defense just in case I execute malware that starts forwarding ports?

I do have software firewalls on all my devices, but that wasn't an informed choice. I just followed the Arch Wiki's post installation guidelines.

you are viewing a single comment's thread
view the rest of the comments
[–] frongt@lemmy.zip 3 points 1 week ago* (last edited 1 week ago)

For lan hosts, block inbound and allow outbound is fine. If you want, you can default deny inbound and outbound at the edge, but you'll be spending a lot of time troubleshooting and whitelisting, and probably end up having to allow traffic you don't quite understand in order to get stuff to work.

It's more time-effective to reduce your risk of malware in the first place by just not running really sketchy programs. I'd put implementing host-based anti-malware as a higher priority, like Wazuh. And OpenVAS for network scanning.

But this isn't a networking topic, it's cybersecurity.