[toast0]

> Don’t you need a basic router/nat to protect your systems?

No, not really. It's no longer the 90s so tcp/ip stacks aren't easily crashed. And it's no longer the 90s, so no services are listening by default or it's say openssh which isn't easily crashed either (you may want to consider if you want to accept passwords via ssh though).

Additionally, decent OSes will rate limit responses to pings and SYNs and what not, so you won't be a good reflector out of the box.

[mekster]

You could have a VNC in LAN without password but forgot to limit the source IP.

And the way you say, you need a "decent OS" to avoid flood attacks without tinkering, whichever OS that is.

[toast0]

> You could have a VNC in LAN without password but forgot to limit the source IP.

Sure, but that's not by default. You've got to take affirmative steps to enable that; although it's certainly easier to listen without limiting the source than to do it right.

> And the way you say, you need a "decent OS" to avoid flood attacks without tinkering, whichever OS that is.

Yeah, I just don't know for sure what's decent. I have no problem putting FreeBSD out on the internet without a firewall, and I think Linux would be ok too; but I wouldn't put MacOS if it's got any tcp listening ports, because it can be easily SYN flooded, and I'm not sure off hand if it has ICMP limits. If you put Windows on the internet and tell it it's a 'public' network, it'll run a firewall and you should probably be pretty ok (again, as long as you don't misconfigure applications)