I’ve spent some time searching this question, but I have yet to find a satisfying answer. The majority of answers that I have seen state something along the lines of the following:

  1. “It’s just good security practice.”
  2. “You need it if you are running a server.”
  3. “You need it if you don’t trust the other devices on the network.”
  4. “You need it if you are not behind a NAT.”
  5. “You need it if you don’t trust the software running on your computer.”

The only answer that makes any sense to me is #5. #1 leaves a lot to be desired, as it advocates for doing something without thinking about why you’re doing it – it is essentially a non-answer. #2 is strange – why does it matter? If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router’s NAT at port 80 to open that server’s port to the public. What difference does it make to then have another firewall that needs to be port forwarded? #3 is a strange one – what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there’s nothing to access. #4 feels like an extension of #3 – only, in this case, it is most likely a larger group that the device is exposed to. #5 is the only one that makes some sense; if you install a program that you do not trust (you don’t know how it works), you don’t want it to be able to readily communicate with the outside world unless you explicitly grant it permission to do so. Such an unknown program could be the door to get into your device, or a spy on your device’s actions.

If anything, a firewall only seems to provide extra precautions against mistakes made by the user, rather than actively preventing bad actors from getting in. People seem to treat it as if it’s acting like the front door to a house, but this analogy doesn’t make much sense to me – without a house (a service listening on a port), what good is a door?

    • MajorMajormajormajor@lemmy.ca
      link
      fedilink
      arrow-up
      2
      ·
      9 months ago

      My setup is pretty basic, only thing I have is a media server accessed locally, and a pi running pihole and pivpn that has a port forwarded on my router for remote access. The pi has password login disabled, and the port forward is set to the static IP set for the pi with my router. The router has the firewall set, but nothing on any other machine. Do I need more?

        • MajorMajormajormajor@lemmy.ca
          link
          fedilink
          arrow-up
          1
          ·
          9 months ago

          wire guard vpn port

          This is the only thing forwarded. As for devices the worst offender would be my Roku TV but I’m not sure how much of a security threat that actually would be. More of a privacy threat, hence running pihole.

          • Kalcifer@sh.itjust.worksOP
            link
            fedilink
            arrow-up
            1
            ·
            9 months ago

            but I’m not sure how much of a security threat that actually would be. More of a privacy threat, hence running pihole.

            It is important to note that being unaware of something’s level of security is not an argument that it is more secure, or not worthy of scrutiny.

    • Kalcifer@sh.itjust.worksOP
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      For most people at home their router also does firewalling and NAT, and that is enough.

      It is important to note (as was pointed out by others in this thread) that one must also consider threats emanating from within the LAN, as well: Do you have guests that you allow onto your network with potentially un-vetted devices? Do you have other network-capable devices connected to your network that you cannot guarantee their security? Can you guarantee that there are no unintended services with potential security vulnerabilities listening to ports on your device? If so, it is worth considering, at the very least, a packet filtering firewall, e.g. nftables, and if you cant trust the services running on your device, perhaps also an application layer firewall like OpenSnitch.