this post was submitted on 29 Dec 2025
13 points (84.2% liked)
networking
3389 readers
Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.
NAT without a firewall will translate both ways and may even allow any IP address to come in through an established port.
You need a Firewall
NAT is literally network translation, you’re right.
But if your router is not configured to allow remote administration console access, you are not forwarding any ports, UPnP is turned off, and, if you're super paranoid (and your router supports it), external ICMP is blocked, then it is functioning quite similarly to a perimeter firewall. No unsolicited external traffic goes farther than the WAN side of the router.
NAT will translate both ways ONLY if the outbound connection (from the internal network) is initiated first.
That's called a Firewall
Also, you don't need to worry about ICMP.
A quick search led me to: https://www.tencentcloud.com/techpedia/101586
However, in an ordinary consumer grade scenario, I don't see how anybody other than the ISP could send ICMP messages to one's router, which is why I don't worry about it.
ICMP is important for routing-related functions like MTU detection. I would allow all ICMP, but if you must block it for some reason, make sure to whitelist "packet too big" and probably "destination unreachable".
On a modern connection ping is not much of a threat as it takes minimal resources to respond. Modern hardware can handle thousands of pings with no issue.
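To make the two points above concrete (NAT on its own can let any source reach a mapped port, while a stateful filter only admits traffic belonging to a LAN-initiated flow, plus the ICMP errors that quote such a flow), here is an added toy model written for this thread. It is not code from any of the commenters or from any router firmware. The addresses (203.0.113.10 as the router's WAN address, 192.168.1.20, 198.51.100.5, 198.51.100.1, 192.0.2.77) and the traffic in `run_scenario` are constructed; `FullConeNAT` models endpoint-independent mapping, `StatefulNAT` models a conntrack-style ESTABLISHED/RELATED filter, and the model ignores timeouts and TCP state. Which mapping behaviour a given consumer router actually implements varies, so treat the "NAT only" half as the worst case rather than a description of your box.

```python
from dataclasses import dataclass, replace
from typing import Optional

WAN_IP = "203.0.113.10"                                        # router's public address (constructed, RFC 5737 range)
ALLOWED_ICMP_ERRORS = {"packet-too-big", "dest-unreachable"}   # the error types worth letting back in


@dataclass(frozen=True)
class Packet:
    proto: str                        # "udp", "tcp" or "icmp"
    src: str
    sport: int                        # 0 for ICMP
    dst: str
    dport: int                        # 0 for ICMP
    icmp_type: Optional[str] = None   # e.g. "packet-too-big", "echo-request"
    inner: Optional["Packet"] = None  # ICMP errors quote the header of the packet that caused them


def mapped_port(pkt):
    """Which translated WAN port an inbound packet refers to: its destination port for
    TCP/UDP, or the source port of the quoted header for an ICMP error."""
    if pkt.proto == "icmp":
        return pkt.inner.sport if pkt.inner is not None else None
    return pkt.dport


class FullConeNAT:
    """Address translation only: once LAN host A:p has been mapped to WAN_IP:P, the box
    forwards anything arriving on P to A:p and never asks who sent it."""
    def __init__(self):
        self.to_wan = {}    # (lan_ip, lan_port) -> wan_port
        self.to_lan = {}    # wan_port -> (lan_ip, lan_port)
        self._next = 40000

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.to_wan:
            self.to_wan[key] = self._next
            self.to_lan[self._next] = key
            self._next += 1
        return replace(pkt, src=WAN_IP, sport=self.to_wan[key])

    def inbound(self, pkt):
        port = mapped_port(pkt)
        if port not in self.to_lan:
            return None                 # nothing mapped here: no LAN host to deliver to
        lan_ip, lan_port = self.to_lan[port]
        return replace(pkt, dst=lan_ip, dport=lan_port if pkt.proto != "icmp" else 0)


class StatefulNAT(FullConeNAT):
    """Same translation plus a conntrack-style filter: an inbound packet is forwarded only
    if it belongs to a flow the LAN side opened (ESTABLISHED) or is one of the allowed ICMP
    errors quoting such a flow (RELATED). Everything unsolicited is dropped."""
    def __init__(self):
        super().__init__()
        self.flows = set()  # (proto, wan_port, remote_ip, remote_port)

    def outbound(self, pkt):
        t = super().outbound(pkt)
        self.flows.add((t.proto, t.sport, t.dst, t.dport))
        return t

    def inbound(self, pkt):
        if pkt.proto == "icmp":
            q = pkt.inner
            related = (pkt.icmp_type in ALLOWED_ICMP_ERRORS and q is not None
                       and q.src == WAN_IP and (q.proto, q.sport, q.dst, q.dport) in self.flows)
            return super().inbound(pkt) if related else None
        if (pkt.proto, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return super().inbound(pkt)
        return None


def run_scenario(box):
    """Constructed traffic: 192.168.1.20 sends one UDP datagram to 198.51.100.5:53, then four
    packets arrive from the WAN. Returns, per packet, whether the box forwarded it to the LAN."""
    lan, peer, stranger, hop = "192.168.1.20", "198.51.100.5", "192.0.2.77", "198.51.100.1"
    out = box.outbound(Packet("udp", lan, 5555, peer, 53))
    probes = {
        "reply":     Packet("udp", peer, 53, WAN_IP, out.sport),        # the peer answering
        "scan":      Packet("udp", stranger, 9999, WAN_IP, out.sport),  # a third party hitting the mapped port
        "ptb":       Packet("icmp", hop, 0, WAN_IP, 0, "packet-too-big", inner=out),  # PMTU error from a router on the path
        "ptb_bogus": Packet("icmp", stranger, 0, WAN_IP, 0, "packet-too-big",
                            inner=replace(out, dst=stranger, dport=443)),  # quotes a flow that never existed
    }
    return {name: box.inbound(p) is not None for name, p in probes.items()}


if __name__ == "__main__":
    print("NAT only :", run_scenario(FullConeNAT()))
    print("stateful :", run_scenario(StatefulNAT()))
```

The NAT-only box forwards all four packets, including the stranger's probe and the forged "packet too big", because its only question is "is this port mapped?". The stateful box forwards the peer's reply and the genuine PMTU error (which arrives from an intermediate router, not from the peer, so source-address matching would never work for it; the inner quoted header is what ties it to the flow) and drops the other two. That inner-header check is also why "whitelist packet too big" needs to mean "allow it when RELATED to a tracked flow", not "allow it from anywhere".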