Comment by vaylian
6 hours ago
The article says:
> Modern routers ship with firewall policies that deny inbound traffic by default, even when a NAT is not being used.
So no, not every device needs its own firewall. You can have a single firewall at the entrance of your network.
Though just like with IPv4 most of the time you shouldn't build on assumed-secure internal networks.
Not always the case and differs by router software.
Not really. I’m sure there exists some brain dead CPE without a default-deny firewall. It’s just that I’ve never physically seen one, since around 1999 or so.
Bigger commercial gear, sure, but those would be special-purpose equipment that don’t support NAT either.
To a rounding error, everything which has NAT enabled by default also has a default-deny inbound firewall enabled by default.