
I hate to be that guy, but: there is no 'deny' action in NAT.


Resist the urge to be that guy. There actually is a deny: it’s what your NAT system does when an incoming packet doesn’t match a connection initiated by a device behind it.

Trying to be pedantic about this isn’t adding anything to the conversation – people have been trying to make this seem like a useful distinction for decades but it’s never worked because anyone who cares about security is focused on “can an attacker initiate a connection to my system?” rather than “did I lovingly handcraft the packet filtering rule which dropped their attempt?”


> There actually is a deny

If you don't have NAT:

- the packet with your IP in dst_ip would be thrown out

If you do have NAT:

- the packet with your IP in dst_ip would be thrown out

In both cases the decision to drop the packet was carried out by the firewall and not NAT.

So puh-lease, stop.


NAT essentially has a "default deny" rule.
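To make the distinction the thread is arguing about concrete, here is an added illustration that is not from any commenter: a minimal Linux nftables ruleset for a home router, with interface names `lan0` and `wan0` assumed. The NAT table only rewrites addresses and has an accept policy; the "default deny" that people attribute to NAT is the `policy drop` plus the conntrack rule in the filter table, which would behave the same way with the `masquerade` rule removed.

```nft
# Packet filtering: this is where unsolicited inbound packets are dropped.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny

        # Allow replies to connections initiated from behind the router.
        ct state established,related accept

        # Allow hosts on the LAN to initiate connections outward.
        iifname "lan0" oifname "wan0" accept

        # Anything else (e.g. a new inbound connection from wan0) hits
        # the chain policy above and is dropped, with or without NAT.
    }
}

# Address translation: rewrites the source address of outbound packets.
# Nothing here drops anything; the policy is accept.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f` and inspect with `nft list ruleset`: the drop counters appear on the `forward` chain in the filter table, never on the nat table.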

