Just an aside. I use MiniUPNP/MiniSSDP on my linux firewall and my PS4 can establish peer-to-peer sessions with other PS4(s) on arbitrary ports. (This is necessary for joining nontrivial voice channel "parties" on playstation network.) Without this sort of intervention and management the scheme of just asserting packets at each other is unreliable and may not scale at all. After all, if two clients on one segment both get port X locally, they cannot share port X in the NAT, so one client (the first one) can start getting the packets intended for the other (second) client. So the old-style "best shot" traversal isn't really something the theoretical purist, or a real business, would want to support.

As for DROP versus REJECT: using REJECT in most firewall rules is considered harmful as it generates return traffic. In the case of casual misuse of services that's fine, but in terms of overall internet citizenship it's bad. If I send you a well crafted packet with my enemy's IP address as the source address, your system's REJECT events will generate traffic towards my target. This reflection of traffic lets me use your host (among many) to DDoS a third party. Having a reflection like this on your host can actually attract bad actors to your firewall, as you may eventually be found by a botnet and used for this sort of attack with some frequency.
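The port-collision point above, as an added illustration that is not part of the original post: a toy NAT mapping table with two LAN hosts that both bound local port 3074 (all addresses and ports are constructed), comparing a "best shot" NAT that tries to preserve the local port number with one that hands out a distinct external port per host, which is what an explicit UPnP/NAT-PMP mapping arranges.

```python
# Added example, not code from the original post. Models only the mapping
# table of a NAT, not real packet handling.

class ToyNat:
    """External port -> (internal ip, internal port) table for one public IP."""

    def __init__(self, public_ip):
        self.public_ip = public_ip      # constructed, e.g. "203.0.113.5"
        self.table = {}                 # ext_port -> (int_ip, int_port)

    def map_outbound(self, int_ip, int_port, preserve_port=True):
        """Return the external port used for an internal socket's outbound traffic.

        preserve_port=True mimics a NAT that keeps the local port number even
        when another host already owns it on the outside; the table keeps the
        first owner, so the second host believes it is reachable on that port
        but never receives the inbound packets.
        preserve_port=False allocates the next free external port instead.
        """
        for ext_port, owner in self.table.items():
            if owner == (int_ip, int_port):
                return ext_port           # existing mapping, reuse it
        ext_port = int_port
        if preserve_port:
            if ext_port not in self.table:
                self.table[ext_port] = (int_ip, int_port)
            return ext_port               # collision: port already taken, first host keeps it
        while ext_port in self.table:     # find a free external port
            ext_port += 1
        self.table[ext_port] = (int_ip, int_port)
        return ext_port

    def deliver_inbound(self, ext_port):
        """Which internal socket receives a packet sent to public_ip:ext_port."""
        return self.table.get(ext_port)


def collision_demo(preserve_port):
    """Two hosts on one segment, both using local port 3074 (constructed values).
    Returns (ext port for host A, ext port for host B, who gets packets for B)."""
    nat = ToyNat("203.0.113.5")
    a = nat.map_outbound("10.0.0.2", 3074, preserve_port)
    b = nat.map_outbound("10.0.0.3", 3074, preserve_port)
    return a, b, nat.deliver_inbound(b)


if __name__ == "__main__":
    print("best shot:", collision_demo(True))    # B's inbound traffic lands on A
    print("unique port:", collision_demo(False))  # each host gets its own port
```

With the port-preserving strategy both hosts are told "3074", yet every inbound packet for that port reaches the first host, which is exactly the unreliability the post describes; the allocating strategy returns 3074 and 3075 and routes each correctly.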