You will choose your firewall or one will be chosen for you. There is no avoiding this unless you want your network to be completely open to external connections (bad idea).
If you use the firewall built into your router, odds are that firewall is just the bare minimum in terms of features. If your router was provided by your ISP, odds are that router has a backdoor.
If you run a dedicated firewall operating system (pfSense, OPNsense, etc.), then you have access to advanced features, like the ability to configure a network-wide VPN or create subnets and VLANs to separate your trusted vs. untrusted devices and/or guest networks. You can also block domains known to serve ads, botnets and malware at the network level.
Just running your own firewall will not help with security very much (aside from removing any ISP-added backdoors).
To get the most out of a firewall requires leveraging the advanced features and practicing good security hygiene.
One major function of a firewall is the ability to port-forward. This is how you expose services running on your network to the public internet in a limited and secure way. However, these days, most people do not have a dedicated IP address that they can forward ports to. Rather, the ISPs use one public IP to serve many customers. Kinda like how many users share a UTXO in a custodial account.
If you want to expose a service publicly, but you don't have a dedicated IP, you have to use some kind of tunneling service (Cloudflare Tunnels, Tailscale Tunnels, etc.). Using tunnels does not require any port forwarding.
On a related note, if you run a public service, it's only a matter of time before you experience a DDoS. Until we get local AI models that can monitor and respond to traffic patterns in real time, we have tools like CrowdSec which curate blocklists from crowdsourced data and can be integrated with your firewall to block malicious traffic patterns.
On top of dedicated firewalls like the ones running on your router or server, there are also device-level firewalls. Every Windows PC has a firewall built-in. On Debian, people use ufw (uncomplicated firewall) or other software to further restrict network traffic between devices.
Security is about adding layers of defense. Running a dedicated firewall is a great way to add a network-wide layer of control and protection that you can build on over time.
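An added example, not from the post above or from the ufw/CrowdSec projects, illustrating the "monitor traffic patterns" and device-level firewall points: a small parser for the lines ufw writes to the kernel log, which counts blocked connection attempts per source address and per destination port and flags sources that trip a threshold (the same basic signal a blocklist tool aggregates). The log lines are constructed for the example using documentation IP ranges, and the threshold value and function names are the example's own choices.

```python
import re
from collections import Counter

# Constructed sample lines in the format ufw writes to the kernel log.
# They are not real traffic; addresses are from the RFC 5737 documentation
# ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24).
SAMPLE_LOG = [
    "Jan 10 12:00:01 gw kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Jan 10 12:00:02 gw kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Jan 10 12:00:03 gw kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Jan 10 12:00:04 gw kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44324 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Jan 10 12:00:05 gw kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1",
    "Jan 10 12:00:06 gw kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Jan 10 12:00:07 gw kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=50234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Jan 10 12:00:09 gw systemd[1]: Started Daily apt download activities.",
]

# Fields ufw's kernel logging emits in a fixed order; SPT/DPT are absent
# for protocols without ports (e.g. ICMP), so those groups are optional.
UFW_LINE = re.compile(
    r"\[UFW (?P<action>BLOCK|ALLOW|AUDIT)\]"
    r".*?\bSRC=(?P<src>\S+)"
    r".*?\bDST=(?P<dst>\S+)"
    r".*?\bPROTO=(?P<proto>\S+)"
    r"(?:.*?\bSPT=(?P<spt>\d+))?"
    r"(?:.*?\bDPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a dict for a ufw log line, or None for lines ufw did not write."""
    m = UFW_LINE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["spt"] = int(entry["spt"]) if entry["spt"] else None
    entry["dpt"] = int(entry["dpt"]) if entry["dpt"] else None
    return entry


def blocked_by_source(lines):
    """Count BLOCK events per source address (ALLOW and non-ufw lines ignored)."""
    counts = Counter()
    for line in lines:
        e = parse_line(line)
        if e and e["action"] == "BLOCK":
            counts[e["src"]] += 1
    return counts


def blocked_by_port(lines):
    """Count BLOCK events per (protocol, destination port); portless protocols skipped."""
    counts = Counter()
    for line in lines:
        e = parse_line(line)
        if e and e["action"] == "BLOCK" and e["dpt"] is not None:
            counts[(e["proto"], e["dpt"])] += 1
    return counts


def noisy_sources(lines, threshold=3):
    """Sources with at least `threshold` blocked attempts, busiest first.

    The threshold is an example value; a real deployment tunes it per window.
    """
    hits = blocked_by_source(lines)
    return sorted(
        ((src, n) for src, n in hits.items() if n >= threshold),
        key=lambda t: (-t[1], t[0]),
    )


if __name__ == "__main__":
    print("blocked per source:", dict(blocked_by_source(SAMPLE_LOG)))
    print("blocked per port:  ", dict(blocked_by_port(SAMPLE_LOG)))
    print("noisy sources:     ", noisy_sources(SAMPLE_LOG))
```

Run it as-is to see the aggregation over the constructed lines; on a real Debian host you would feed it the `[UFW BLOCK]` lines from `/var/log/ufw.log` or `journalctl -k` instead of `SAMPLE_LOG`. The per-port view is useful for checking which forwarded or exposed ports actually attract traffic, and the per-source view is the raw material a blocklist-style tool turns into temporary bans.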
Does it get messy running a node?
No? Of course, if misconfigured, a firewall can lead to all kinds of issues.
I'll have to look more deeply into this.
Thanks for all the details