I don't think you even need a stateful firewall. If it's an IoT device that's not meant to provide services to the internet, then it seems to me you can just drop all non-local subnet originated traffic and get most of the security you would expect with NAT.
If you want to drop all non-local subnet originated traffic, you need to keep state. Otherwise, how can you tell which side originated the flow?
Even that is only a partial solution - UPnP hole punching exploits holes in this logic to allow peer-to-peer traffic into a network which otherwise has a default-deny ACL.
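The point made in these replies, as an added Python simulation that is not from any of the commenters: a stateless rule that drops every non-local source also drops the replies to connections the LAN host itself opened, while a connection-tracking filter lets that reply through, still denies unsolicited inbound traffic, and then loses that protection for any port a UPnP-style mapping opens. The subnet, addresses and ports are constructed for the example.

```python
import ipaddress

# Constructed sample LAN for the simulation (not taken from the thread).
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

def pkt(src, sport, dst, dport):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}

def stateless_allow(p):
    """The 'just drop non-local sources' rule, applied per packet with no memory."""
    return ipaddress.ip_address(p["src"]) in LOCAL_NET

class StatefulFilter:
    """Remembers which side opened a flow; default-deny for unsolicited outside traffic."""
    def __init__(self):
        self.flows = set()     # (local_ip, local_port, remote_ip, remote_port) opened from inside
        self.mappings = set()  # (local_ip, local_port) holes opened by a UPnP-style port mapping

    def add_mapping(self, local_ip, local_port):
        self.mappings.add((local_ip, local_port))

    def allow(self, p):
        if ipaddress.ip_address(p["src"]) in LOCAL_NET:
            self.flows.add((p["src"], p["sport"], p["dst"], p["dport"]))  # record outbound flow
            return True
        if (p["dst"], p["dport"], p["src"], p["sport"]) in self.flows:
            return True  # reply to a flow an inside host originated
        return (p["dst"], p["dport"]) in self.mappings  # a port mapping bypasses the default deny

def run_scenarios():
    """Returns {scenario: (stateless_verdict, stateful_verdict)} for constructed packets."""
    out = pkt("192.168.1.10", 40000, "203.0.113.5", 443)          # LAN host opens HTTPS outbound
    reply = pkt("203.0.113.5", 443, "192.168.1.10", 40000)        # the server's reply to that flow
    unsolicited = pkt("198.51.100.7", 5555, "192.168.1.10", 22)   # nobody inside asked for this
    p2p = pkt("198.51.100.7", 6881, "192.168.1.10", 6881)         # inbound peer-to-peer traffic
    sf = StatefulFilter()
    results = {
        "outbound": (stateless_allow(out), sf.allow(out)),
        "reply": (stateless_allow(reply), sf.allow(reply)),
        "unsolicited": (stateless_allow(unsolicited), sf.allow(unsolicited)),
        "p2p_before_mapping": (stateless_allow(p2p), sf.allow(p2p)),
    }
    sf.add_mapping("192.168.1.10", 6881)  # a device inside requests a port mapping (UPnP IGD style)
    results["p2p_after_mapping"] = (stateless_allow(p2p), sf.allow(p2p))
    return results

if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenarios().items():
        print(f"{name:20s} stateless={stateless} stateful={stateful}")
```

Disabling UPnP on the gateway, or logging its port-mapping requests, is what keeps the default-deny policy meaningful in the last scenario.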