Local firewall on Home Assistant?

I’ve searched for more information but could not find anything regarding a local firewall on HA. Is there any reason why there was never a local firewall implemented into HA? I mean, I am aware that I can separate my network into different subnets and VLANs and then use my central router/firewall to control traffic between them, but a critical device like HA should have the possibility to enable a local firewall in my opinion. There sometimes are reasons for having specific devices on the same subnet as HA and therefore it would make sense to have the possibility to only allow the corresponding services locally via an HA firewall. And people who don’t want/need it could disable it completely anytime.
But - as always - there may be some good reasons why there is no firewall implemented.
I’m just curious and want to be constructive, not trying to troll here :wink:
I know @agners is mostly the man here who could answer this question, so if he is willing to take his time to answer this, that would be very appreciated.
Thanks!

Local, personal (or what I would call desktop) firewalls are mostly useful on general-purpose operating systems, where it is unknown what type of software is running, or the software which runs on them is not fully trustworthy.

Home Assistant OS is designed as an appliance, where we largely know what software runs on it. There is no random port open; it is the Home Assistant frontend on 8123 and the observer on 4357. Furthermore, add-ons are containers, which are in a separate network (this is a feature of the underlying container technology implemented by Docker). Docker then uses iptables, which is a firewall, to set up what ports are publicly accessible. An add-on needs to explicitly tell the system through its config what port should be open to the public.

So in a way, there is some firewall functionality already built-in, but it’s largely transparent.

That said, the system could be extended with more (default) rules to increase security still. But so far this hasn’t really come up as a necessity or a problem.
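As an added illustration (not code from the thread or from the Home Assistant project), here is a small Python check that reads the DNAT rules Docker writes into the nat table's DOCKER chain (as printed by `iptables -t nat -S DOCKER`) and lists every host port a container has published, flagging any that are not on an allowlist you maintain. The sample rule output, the bridge name `hassio` and the container addresses are constructed for the demo; on a real host you would feed it the live `iptables` output.

```python
import re
from typing import NamedTuple


class PublishedPort(NamedTuple):
    proto: str
    host_port: int
    container: str  # ip:port the DNAT rule forwards to


# Matches the DNAT rule Docker adds to the nat table's DOCKER chain for each
# port a container publishes (one line of `iptables -t nat -S DOCKER`).
DNAT_RE = re.compile(
    r"-A DOCKER .*?-p (?P<proto>tcp|udp) .*?--dport (?P<port>\d+) "
    r"-j DNAT --to-destination (?P<dest>[\d.]+:\d+)"
)


def parse_docker_chain(rules: str) -> list[PublishedPort]:
    """Extract every port Docker has exposed on the host from DOCKER chain rules."""
    found = []
    for line in rules.splitlines():
        m = DNAT_RE.search(line)
        if m:
            found.append(PublishedPort(m["proto"], int(m["port"]), m["dest"]))
    return found


def unexpected_exposures(rules: str, allowed: set[tuple[str, int]]) -> list[PublishedPort]:
    """Return published ports whose (proto, port) pair is not on the allowlist."""
    return [p for p in parse_docker_chain(rules) if (p.proto, p.host_port) not in allowed]


# Constructed sample output (not captured from a real system); bridge name and
# container addresses are made up for the demo.
SAMPLE_RULES = """\
-N DOCKER
-A DOCKER -i hassio -j RETURN
-A DOCKER ! -i hassio -p tcp -m tcp --dport 1883 -j DNAT --to-destination 172.30.33.2:1883
-A DOCKER ! -i hassio -p udp -m udp --dport 5353 -j DNAT --to-destination 172.30.33.3:5353
-A DOCKER ! -i hassio -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.30.33.4:80
"""

# Ports you deliberately published via your add-ons' config (assumed for the demo).
EXPECTED = {("tcp", 1883), ("udp", 5353)}

if __name__ == "__main__":
    for p in unexpected_exposures(SAMPLE_RULES, EXPECTED):
        print(f"unexpected: {p.proto}/{p.host_port} -> {p.container}")
```

Anything the check reports is a port some add-on declared in its config, so the fix is to review that add-on's port settings rather than to add host rules blindly.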

Fair enough, thanks a bunch for your response. I did not know about add-ons being abstracted by Docker and that iptables therefore comes in.

Well, security unfortunately is almost always not a concern until it hits. So personally I would always appreciate increasing security wherever it is possible. You surely know better than me where there are potentially things to improve in HA, maybe something to keep in mind for the future.

Thanks again man, your answer is very appreciated!