Not every device can run its own firewall. IoT devices, NVR systems, etc should be cordoned off from the internet but typically cannot run their own firewall.

▲

iso1631 2 days ago | parent [-]

Sure, but they sit on an iot vlan where your firewall prevents access except specificly allowed services

	▲	iamnothere 2 days ago \| parent [-]
		You must have not read my original post. I said that the NAT provides an additional fallback layer of safety in case you accidentally misconfigure your firewall. (This has happened to me once before while working late and I’ve also seen it in the field.)