I'm not talking about threat models or exploits; I'm talking about the order of events, how most consumer-grade CPEs actually work.
For an inbound connection again, there is a packet filter first that will permit inbound connections based on whatever filter parameters are defined (usually matching established sessions, or new sessions filtered by just protocol and dport), and if that clears, the second step is NAT.
In both cases, the filter happens before the translation.