I am running RouterOS 6.40.5 and also in previous versions I have this strange behaviour like the rules are not always equal:
add action=accept chain=forward connection-state=established,related,new dst-port=25,53,80,443,993 log=yes log-prefix=catch protocol=tcp
add action=passthrough chain=forward log=yes log-prefix=Escaped
add action=drop chain=forward dst-port=993 log=yes log-prefix="dropped Escaped" protocol=tcp
Only the second and third line are triggered. These packet seems to be necessary because if dropped my e-mail client is not getting any connection.
Traffic:
Nov/20/2017 21:49:14 firewall,info Escaped forward: in:2-uplink-master out:2-uplink-master, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,PSH), 192.168.xxx.xxx:49770->192.168.xxx.yyy:993, len 557
Nov/20/2017 21:49:14 firewall,info dropped Escaped forward: in:2-uplink-master out:2-uplink-master, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,PSH), 192.168.xxx.xxx:49770->192.168.xxx.yyy:993, len 557
Nov/20/2017 21:49:14 firewall,info Escaped forward: in:2-uplink-master out:2-uplink-master, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,PSH), 192.168.xxx.xxx:49768->192.168.xxx.yyy:993, len 557
Nov/20/2017 21:49:14 firewall,info dropped Escaped forward: in:2-uplink-master out:2-uplink-master, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,PSH), 192.168.xxx.xxx:49768->192.168.xxx.yyy:993, len 557
Nov/20/2017 21:49:14 firewall,info Escaped forward: in:2-uplink-master out:2-uplink-master, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,PSH), 192.168.xxx.xxx:49769->192.168.21.42:993, len 557
Nov/20/2017 21:49:14 firewall,info dropped Escaped forward: in:2-uplink-master out:2-uplink-master, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,PSH), 192.168.xxx.xxx:49769->192.168.21.42:993, len 557