Why would I need to have software firewalls on my devices behind my NAT router at home? The topology is a basic consumer grade one: ISP -> my router (NAT) -> LAN, and vice versa.

If NAT already obfuscates my private addresses through translation, how would a potential adversary connect to anything beyond it?

What “good” would my public IP do for a hacker if I have no ports forwarded?

Is a firewall a second line of defense just in case I execute malware that starts forwarding ports?

I do have software firewalls on all my devices, but that wasn’t an informed choice. I just followed the Arch Wiki’s post installation guidelines.

      • Possibly linux@lemmy.zip · 2 days ago

        ICMP is important for routing related functions like MTU detection. I would allow all ICMP, but if you must block it for some reason make sure to whitelist "packet too big" and probably "destination unreachable".

        On a modern connection ping is not much of a threat as it takes minimal resources to respond. Modern hardware can handle thousands of pings with no issue.
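The reply above amounts to a concrete host-firewall policy: default-drop inbound (the "second line of defense" the question asks about), accept replies to connections the host itself opened, and keep the ICMP types that path MTU discovery and error signalling rely on instead of dropping ICMP wholesale. The ruleset below is an added example written for this thread, not something posted by either participant; it assumes a Linux host using nftables and a home LAN where nothing needs to reach the machine unsolicited. Interface names, the ping rate limit and the choice of ICMP types are assumptions, not values from the thread.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): minimal host firewall for a Linux
# machine behind a home NAT router. Load with `nft -f <file>`.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback, plus any traffic that belongs to a connection this host
        # started (replies to its own outbound sessions).
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Alternative matching the reply's "allow all ICMP" advice; uncomment
        # this line and skip the two selective rules below if you prefer it.
        # meta l4proto { icmp, ipv6-icmp } accept

        # IPv4 ICMP. In IPv4 "packet too big" is carried as
        # destination-unreachable code 4 (fragmentation needed), so allowing
        # destination-unreachable covers PMTU discovery. time-exceeded and
        # parameter-problem keep traceroute and error reporting working.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # IPv6 ICMP. packet-too-big (type 2) and destination-unreachable
        # (type 1) are the two the reply calls out; neighbour discovery is
        # required for IPv6 to function on the link at all.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem,
                      nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Ping: cheap to answer on modern hardware, as the reply notes, but a
        # modest rate limit (assumed value) bounds the worst case.
        icmp type echo-request limit rate 10/second accept
        icmpv6 type echo-request limit rate 10/second accept

        # Everything else inbound falls through to the drop policy. Add
        # explicit accept rules here for services you intentionally run.
    }

    chain forward {
        # This host is not a router; refuse to pass traffic between interfaces.
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

After loading, `nft list ruleset` shows the active table, and `ping` plus `traceroute` to an outside host should still work because the established/related rule admits the replies and the whitelisted ICMP types admit the error messages. The value of the input chain's drop policy is exactly the scenario raised in the question: a process on the host that opens a listening port (whether by mistake or because it is malicious) is not reachable from the LAN or, should the router ever forward a port, from outside, unless a rule here explicitly allows it.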