by _red 3510 days ago
So you don't want stateful inspection on your private LAN router? It's OK for every hacker to port-scan the 100s of IoT devices in your house? You're a very trusting fellow.

How many IoT devices need to allow incoming connections at all? And how many connections do they need to make?

IoT devices, if I had any use for them, would go on my private LAN. My private-public router can do complex stateful tracking, because it only has to handle a few connections at a time. Meanwhile my grown-up internet devices go on the public side and get actual internet access, meaning that e.g. two people inside my house can play an online game with a person outside my house, and aren't slowed down by a complex connection-tracking router. Also means my guests don't get access to my IoT devices.

> How many IoT devices need to allow incoming connections at all? And how many connections do they need to make?

If they need outgoing connections, they likely also need incoming when we are speaking about stateless filtering. Without incoming connections only UDP would be allowed, and it would usually be impossible to determine if the packet should be sent again (it would only be possible if there was an out-of-band method to detect it).

Ok, I will admit that it's possible to check the TCP headers and just drop incoming SYN packets without ACK, but then you need to start trusting that the IoT device can handle invalid TCP packets.
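Added example, not from the thread: the stateless "drop inbound SYN without ACK" rule described above, beside a minimal connection tracker, applied to constructed TCP headers (port numbers are arbitrary). It makes the trade-off concrete: the stateless rule lets any unsolicited segment with ACK set reach the device, while the tracker only accepts replies to connections it saw leave.

```python
import struct

SYN, ACK = 0x02, 0x10


def tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header (constructed sample input only)."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       5 << 4, flags, 65535, 0, 0)


def parse_tcp(segment):
    """Return (src_port, dst_port, flags) from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("TCP header too short")
    src, dst = struct.unpack("!HH", segment[:4])
    return src, dst, segment[13]  # byte 13 holds the classic 8-bit flag field


def stateless_verdict(segment):
    """Stateless rule from the comment: drop inbound SYN lacking ACK, accept the rest.

    Nothing verifies that an ACK-bearing segment belongs to a real session,
    so unsolicited ACK/RST/FIN segments pass through to the device.
    """
    _, _, flags = parse_tcp(segment)
    if flags & SYN and not flags & ACK:
        return "drop"
    return "accept"


class StatefulFilter:
    """Minimal connection tracker: remember outbound SYNs, accept only their replies."""

    def __init__(self):
        self.table = set()  # (inside_port, outside_port) pairs opened from inside

    def outbound(self, segment):
        src, dst, flags = parse_tcp(segment)
        if flags & SYN and not flags & ACK:
            self.table.add((src, dst))
        return "accept"

    def inbound(self, segment):
        src, dst, flags = parse_tcp(segment)
        # Reverse the tuple: the outside port must match a connection we opened
        return "accept" if (dst, src) in self.table else "drop"
```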

> Ok, I will admit that it's possible to check the TCP headers and just drop incoming SYN packets without ACK, but then you need to start trusting that the IoT device can handle invalid TCP packets.

I have more faith in that than I have faith in a router that does complex state-tracking logic to not contain RCE vulnerabilities itself.

Are you recommending NAT as some sort of security-by-accident measure?