Can this cause the MikroTik router to freeze? Is it best practice to add IPs only when “connection-state=new”, not like the example above, because the example above will try to add the IP to the list on every packet, right?
You can add connection-state=new to the filter rule itself, that will narrow it down to only new connections. I’m not sure what the performance impact would be to just leave it as is, but what would happen is it would just refresh the timer every time a new packet was processed through that rule.
The other option is to have a stateful firewall in place as your first actions so that once a connection is established or related, any packets that are a part of that connection are no longer processed by the firewall any further down the chain.
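Both suggestions from the reply combined in one RouterOS filter sketch, as an added example that is not from the thread. The chain, port, list name and timeout are constructed values, since the rule under discussion is not shown on this page.

```routeros
# Added illustration, not the original poster's rule set.
# Assumed values: chain=input, tcp/22, list "ssh_seen", 1h timeout.

/ip firewall filter

# Stateful shortcut placed first: packets that belong to an established
# or related connection are accepted here and never reach the rules below.
add chain=input action=accept connection-state=established,related \
    comment="accept established/related first"

# Unrestricted form (shown for comparison, left commented out): without a
# connection-state match, every packet that reaches the rule matches it,
# and each match refreshes the address-list timeout.
# add chain=input action=add-src-to-address-list protocol=tcp dst-port=22 \
#     address-list=ssh_seen address-list-timeout=1h

# Restricted form: only the first packet of each connection matches, so the
# source is added (or its timer refreshed) once per new connection.
add chain=input action=add-src-to-address-list protocol=tcp dst-port=22 \
    connection-state=new address-list=ssh_seen address-list-timeout=1h \
    comment="list source on new connections only"
```

The per-rule packet counters printed by `/ip firewall filter print stats` show how often each rule is actually hit, which answers the performance question by measurement on the router itself.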