Comment by Dagger2

1 month ago

That whole section is talking about outbound connections:

    When an internal endpoint opens an outgoing session through a NAT,
    the NAT assigns a filtering rule for the mapping between an internal
    IP:port (X:x) and external IP:port (Y:y) tuple.

When you connect outwards, the NAT creates a state table entry which matches inbound packets corresponding to that outbound connection, and this section is discussing which packets will match those entries.

Don't get distracted by its use of the word "filtering". It's not talking about unsolicited inbound connections, which is what we're talking about in this thread.

> That whole section is talking about outbound connections

Erm... no? Immediately after the paragraph you cited, it continues with

    The key behavior to describe is what criteria are used by the NAT to
    filter packets originating from specific external endpoints.

and then, on "Address-Dependent Filtering", it says

    Additionally, the NAT will filter out packets
    from Y:y destined for the internal endpoint X:x if X:x has not
    sent packets to Y:any previously [...]. In other words, for receiving packets from a
    specific external endpoint, it is necessary for the internal
    endpoint to send packets first to that specific external
    endpoint's IP address.

Meaning: unsolicited inbound connections will be filtered out.
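The filtering behaviours the two comments are arguing over can be modelled with a few lines of code. The following is an added example, not code from either commenter or from RFC 4787: a toy NAT that assigns one external mapping per internal endpoint (endpoint-independent mapping is assumed for simplicity) and then applies one of the three filtering modes from RFC 4787 section 5 to inbound packets. The addresses are constructed from the RFC 5737 documentation ranges, and the scenario follows the quoted text: X:x sends to Y:y first, then packets arrive from Y:y, from Y on another port, from an unrelated address, and to an external port with no mapping at all.

```python
from dataclasses import dataclass, field
from enum import Enum


class Filtering(Enum):
    """The three filtering behaviours named in RFC 4787 section 5."""
    ENDPOINT_INDEPENDENT = "endpoint-independent"
    ADDRESS_DEPENDENT = "address-dependent"
    ADDRESS_AND_PORT_DEPENDENT = "address-and-port-dependent"


Endpoint = tuple  # (ip, port), e.g. ("192.168.1.10", 5000)


@dataclass
class Mapping:
    internal: Endpoint                            # X:x
    external: Endpoint                            # Y:y assigned by the NAT
    contacted: set = field(default_factory=set)   # external endpoints X:x has sent to


class Nat:
    """Toy NAT (assumption: one mapping per internal endpoint), filtering mode configurable."""

    def __init__(self, mode: Filtering, public_ip: str = "203.0.113.1"):
        self.mode = mode
        self.public_ip = public_ip
        self.by_internal: dict = {}
        self.by_external: dict = {}
        self.next_port = 40000

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Internal src sends to external dst: create the mapping if needed and
        record dst so later inbound packets can be checked against it."""
        m = self.by_internal.get(src)
        if m is None:
            ext = (self.public_ip, self.next_port)
            self.next_port += 1
            m = Mapping(src, ext)
            self.by_internal[src] = m
            self.by_external[ext] = m
        m.contacted.add(dst)
        return m.external

    def inbound(self, src: Endpoint, dst: Endpoint):
        """External src sends to the NAT's external address dst: return the
        internal endpoint the packet is forwarded to, or None if it is filtered."""
        m = self.by_external.get(dst)
        if m is None:
            return None  # no mapping at all: unsolicited, dropped in every mode
        if self.mode is Filtering.ENDPOINT_INDEPENDENT:
            return m.internal
        if self.mode is Filtering.ADDRESS_DEPENDENT:
            # any port on an address X:x has already sent to is accepted
            return m.internal if any(ip == src[0] for ip, _ in m.contacted) else None
        # address-and-port-dependent: exact external endpoint must have been contacted
        return m.internal if src in m.contacted else None


def demo(mode: Filtering) -> dict:
    """Run the scenario from the thread under one filtering mode (constructed addresses)."""
    nat = Nat(mode)
    X = ("192.168.1.10", 5000)   # internal endpoint X:x
    Y = ("198.51.100.7", 3478)   # external peer X:x sends to first
    ext = nat.outbound(X, Y)
    return {
        "reply_from_Y": nat.inbound(Y, ext) == X,
        "same_ip_other_port": nat.inbound((Y[0], 9999), ext) == X,
        "other_ip": nat.inbound(("192.0.2.55", 3478), ext) == X,
        "unmapped_port": nat.inbound(Y, (nat.public_ip, 50000)) == X,
    }


if __name__ == "__main__":
    for mode in Filtering:
        print(mode.value, demo(mode))
```

Running it shows both commenters' points side by side: in every mode a packet to an external port with no mapping is dropped, which is the sense in which the mappings only ever describe outbound sessions; but under address-dependent and address-and-port-dependent filtering the NAT also drops packets arriving at an existing mapping from endpoints X:x never sent to, which is the filtering of unsolicited inbound traffic the reply is quoting.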