1:many NAT requires an affirmative choice on where to route incoming packets that aren't part of an existing stream.
In adaptation to that, most attacks are malware spread by email, or attack browser vulnerabilities, or attack services running on network devices, especially remote management systems.
It's not even technically correct; it's just wrong.
NAT doesn't make any choices on where a packet gets delivered. For packets that aren't part of an existing stream, NAT will simply not edit the packet. Unless there's a separate firewall that chooses to drop it, the packet will get delivered to whatever IP was already in the destination field, which could be the IP of one of your LAN machines.
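As an added illustration (not code from any comment in this thread), a small Python model of the behaviours being argued over: a 1:many NAT whose table is filled only by outbound flows, a 1:1 NAT that swaps addresses without tracking streams or ports, and the separate filter decision for an inbound packet that matches no table entry. Addresses and ports are constructed from documentation ranges.

```python
from dataclasses import dataclass

WAN_ADDR = "203.0.113.5"   # assumed public address of the NAT box (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class OneToManyNat:
    """Port-overloading source NAT: outbound flows create table entries;
    inbound packets are rewritten only when they match an entry."""

    def __init__(self, first_port=40000):
        self.table = {}      # wan_port -> (lan_ip, lan_port)
        self.reverse = {}    # (lan_ip, lan_port) -> wan_port
        self.next_port = first_port

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        return Packet(WAN_ADDR, self.reverse[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Return (packet, translated). No entry means the packet is left as-is."""
        entry = self.table.get(pkt.dport) if pkt.dst == WAN_ADDR else None
        if entry is None:
            return pkt, False
        lan_ip, lan_port = entry
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port), True


class OneToOneNat:
    """1:1 NAT: swap one public address for one private address, no state, no ports."""

    def __init__(self, wan_ip, lan_ip):
        self.wan_ip, self.lan_ip = wan_ip, lan_ip

    def inbound(self, pkt):
        if pkt.dst != self.wan_ip:
            return pkt, False
        return Packet(pkt.src, pkt.sport, self.lan_ip, pkt.dport), True


def deliver(nat, pkt, stateful_filter=True):
    """Forwarding decision for a packet arriving on the WAN side: with the filter,
    untranslated packets are dropped; without it, the packet keeps its own destination."""
    out, translated = nat.inbound(pkt)
    return None if (not translated and stateful_filter) else out
```

Running `deliver` on a packet addressed to a LAN host with `stateful_filter=False` shows the untouched packet being forwarded, which is exactly the case the comment above says only a separate firewall decision prevents.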
> For packets that aren't part of an existing stream, NAT will simply not edit the packet.
A 1:1 NAT should generally just swap IP for IP and not know about streams or ports at all.
> Unless there's a separate firewall that chooses to drop it, the packet will get delivered to whatever IP was already in the destination field, which could be the IP of one of your LAN machines.
I would call that a routing rules error, even in the absence of a firewall.
1:many NAT does.