A (hopefully) quick firewall question

I asked a week ago about trying to let through some scans for PCI compliance. Someone suggested I do a catch-all rule to see if it was being dropped. Since I had firewall rules up already, I just put logging on the rules I saw traffic in and, lo and behold, I found which rule was dropping the traffic.

Below is a snippet of my firewall rules. The rule that is disabled (log prefix is drop2test) is the one that was causing the problem.
My question to you is this: do I need this rule? I don't want to open us up to attacks if it's something that is helpful. It doesn't really drop that much from what I can tell, so I'm not sure it's all that helpful.

thanks

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=\
    Droptest
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes \
    in-interface-list=!LAN log=yes log-prefix=drop2test
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related log-prefix=forwardtest
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN

add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes \
    in-interface-list=!LAN log=yes log-prefix=drop2test

Hi, this is a perfectly legitimate default rule that basically says if the incoming traffic to the router is not from the LAN, drop it.
You will note this is usually preceded by the allow ICMP rule because if placed after it, ICMP would also be dropped.
(Not saying ICMP is required or not required; that is up to the admin.)

However, I despise the above rule because it surmises that the LAN needs access to the router, which is neither true nor good security.
The only reason anyone needs access to the router is to administer the router and that is ONLY the authorized admins.

The other reason why devices may need access is for DNS resolving on port 53.

Thus the changes I did on my system are as follows (3 rules + 1 list)
add chain=input action=accept in-interface-list=LAN src-address-list=admin_access
Add to firewall list
add address=" " list=admin_access (could be a subnet, range of IPs, individual IPs, etc.)

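add chain=input action=accept dst-port=53 protocol=udp \
    in-interface-list=LAN connection-state=new
add chain=input action=accept dst-port=53 protocol=tcp \
    in-interface-list=LAN connection-state=new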

Plus my standard last rule in input chain
add chain=input action=drop comment="Drop all else"
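
Added example, not from either poster: a simplified first-match model of the input chain, comparing the first post's rules (drop2test enabled or disabled) with the ruleset the reply describes. It relies on RouterOS accepting a packet that no rule in the chain matches; the packet values, the `src_admin` flag standing in for the admin_access list, and port 22 as a sample management port are constructed assumptions.

```python
# Simplified first-match model of the RouterOS input chain (added example).
# Only the matchers used in this thread are modelled; packets are constructed.

def match(rule, pkt):
    """True when every condition the rule sets agrees with the packet."""
    for key, want in rule["when"].items():
        have = pkt.get(key)
        if key == "in_list" and want.startswith("!"):
            if have == want[1:]:          # negated interface list
                return False
        elif key == "state":
            if have not in want:          # rule lists several allowed states
                return False
        elif have != want:
            return False
    return True

def verdict(chain, pkt):
    for rule in chain:
        if not rule.get("disabled") and match(rule, pkt):
            return rule["action"]
    return "accept"  # a filter chain with no matching rule accepts the packet

EST = {"action": "accept", "when": {"state": ("established", "related", "untracked")}}
INV = {"action": "drop", "when": {"state": ("invalid",)}}

def original_chain(drop2test_disabled):
    """Input chain from the first post, with the drop2test rule on or off."""
    not_lan = {"action": "drop", "disabled": drop2test_disabled,
               "when": {"in_list": "!LAN"}}
    return [EST, INV, not_lan]

# Input chain as the reply describes it: admin list, DNS from LAN, drop all else.
LAN_NEW = {"in_list": "LAN", "state": ("new",)}
REPLY_CHAIN = [EST, INV,
    {"action": "accept", "when": {"in_list": "LAN", "src_admin": True}},
    {"action": "accept", "when": {**LAN_NEW, "proto": "udp", "dport": 53}},
    {"action": "accept", "when": {**LAN_NEW, "proto": "tcp", "dport": 53}},
    {"action": "drop", "when": {}},
]

def new_pkt(in_list, proto, dport, src_admin=False):
    return {"in_list": in_list, "state": "new", "proto": proto,
            "dport": dport, "src_admin": src_admin}

WAN_NEW   = new_pkt("WAN", "tcp", 22)        # new connection from the internet
LAN_USER  = new_pkt("LAN", "tcp", 22)        # ordinary LAN host
LAN_ADMIN = new_pkt("LAN", "tcp", 22, True)  # host in the admin list
LAN_DNS   = new_pkt("LAN", "udp", 53)        # DNS query to the router
```

With the drop2test rule disabled and no final drop rule, `verdict(original_chain(True), WAN_NEW)` is `accept`: nothing in the input chain stops new WAN connections to the router itself.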