craftkiller 2 days ago

> I don’t want some of my devices to be publicly addressable at all, even if I mess up something at the firewall while updating the rules. NAT provides this by default.

Do you ever connect your laptop to any network other than your home network? For example, public wifi hotspots, hotel wifi, tech conferences, etc? If so, you need to be running a firewall _on your laptop_ anyway because your router is no longer there to save you from the other people on that network.

It's also a good idea even inside your home network, because one compromised device on your network could then lead to all your other firewall-less devices being exploited.

iamnothere 2 days ago

Not every device can run its own firewall. IoT devices, NVR systems, etc should be cordoned off from the internet but typically cannot run their own firewall.

iso1631 2 days ago

Sure, but they sit on an IoT VLAN where your firewall prevents access except specifically allowed services.

iamnothere 2 days ago

You must have not read my original post. I said that the NAT provides an additional fallback layer of safety in case you accidentally misconfigure your firewall. (This has happened to me once before while working late and I’ve also seen it in the field.)
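
A check for the fail-open state worried about above (and for the laptop host firewall discussed earlier in the thread), as an added example that is not from any commenter: it parses the text output of `nft list ruleset` (or a saved ruleset file in the same syntax; the sample below is constructed) and reports base chains on the input or forward hook whose policy is anything but drop, which is what a slipped edit typically leaves behind.

```python
import re

# Constructed sample in `nft list ruleset` syntax. The forward chain (which is
# what an IoT VLAN relies on) was left with policy accept during an edit.
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "vlan_iot" oifname "wan0" tcp dport 443 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
"""

# Chain bodies contain no nested braces, so a flat match is sufficient.
CHAIN_RE = re.compile(r"chain\s+(\S+)\s*\{([^}]*)\}")
# Only base chains carry a "type ... hook ..." line; regular chains do not.
BASE_RE = re.compile(r"type\s+\w+\s+hook\s+(\w+)\b")
POLICY_RE = re.compile(r"policy\s+(\w+)\s*;")


def audit_ruleset(text, hooks=("input", "forward")):
    """Return (chain, hook, policy) for each base chain on one of `hooks`
    whose policy is not drop. A base chain with no policy line is treated
    as accept, which is the nftables default."""
    findings = []
    for name, body in CHAIN_RE.findall(text):
        base = BASE_RE.search(body)
        if not base:
            continue  # regular chain, only reached via jump/goto
        hook = base.group(1)
        pol = POLICY_RE.search(body)
        policy = pol.group(1) if pol else "accept"
        if hook in hooks and policy != "drop":
            findings.append((name, hook, policy))
    return findings


if __name__ == "__main__":
    for chain, hook, policy in audit_ruleset(SAMPLE_RULESET):
        print(f"fail-open: chain {chain} on hook {hook} has policy {policy}")
```

Running it against the live ruleset (`nft list ruleset | python3 audit.py` with `sys.stdin.read()` in place of the sample) turns the check into a pre-commit gate for rule edits.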

icedchai 2 days ago

Most public wifi has client isolation enabled for this reason. Firewall or not, you can't communicate with other clients.

craftkiller a day ago

Only if they're set up properly, which is quite the gamble. I was recently in a hotel and I listed all the Chromecast devices throughout the entire hotel. I could see what everyone was watching and if I was a lesser person I could have controlled their TVs or changed what they were watching.

icedchai a day ago

What about devices like those Chromecasts which don't even have firewalls? The only real solution would be to bring your own hardware firewall / access point and connect it as a client off the hotel wifi. Who is really going to do that?