accept DHCP discovery - most of the DHCP packets are not seen by an IP firewall, but some of them are, so make sure that they are accepted;
The DHCP Discovery is accepted in the IPv4 RAW table, instead of the “standard” firewall.
Similarly ICMP is in RAW table.
Why they prefer to have these rules in RAW?
Are they so popular in the network that they cause a high CPU load if these rules are in the “standard” firewall?
None!
If and when you have issues with your connectivity, one can revisit potential solutions.
Right now it seems you are looking for solutions to unknown problems.
Basic difference between raw rules and filter rules is that the former are stateless while the later are stateful. Very simple firewalls can be done effectively using stateless firewall, but more complex (and safer) firewall setups can be done much easier using stateful firewall - some things can’t be done with stateless at all, most of things can be done with stateful a lot simpler.
Note that both firewalls are used if configured (it’s not “either”, it’s “and”). Packet is first evaluated by raw rules, then connection tracking machinery (only if there are any firewall filter rules configured), and then by filter rules. Meaning that most of times using raw is simply waste of time, only in rare cases it’s sensible to use raw firewall.
It depends. Raw happens right at the beginning, so you can deal with something before any heavy processing starts. Especially if you’re going to drop something anyway, doing it in raw should be more efficient. But don’t ask about details, I don’t have any numbers to show how much.
I’m studying the RouterOS and want to know of the most efficient way that it can operate.
Also security is important as well.
Allowing DHCP and ICMP seems reasonable for proper network operation, though I’m not entirely sure which are required and in what exact circumstances.
For example, if I set proper DHCP firewall rules, then I want them to also block a DHCP spoofing attack (I mean, why not?).
I understand.
In that case, maybe the RouterOS developers should update their documentation.
As already noted, that page describing firewall raw rules is a pretry bad substitute fir something to be done.
But if you want to study ROS routing and firewalling in detail, you can start at packet flow. And other help pages. As I already mentioned: it0s much easier to create safe firewall by using stateful part of it. It’s not perfect (most IPv4/IPv6 protocols are actually stateless and connection tracking machinery fakes state for those protocols) and connection tracking machinery is very processing heavy. If one requires simple firewall rules, then it’s better to use raw rules because, as @sob already explained, typically consume less processing power. If one needs connection tracking machinery for any reason (e.g. for NAT), then it’s easier to use stateful firewall (and only use raw rules to protect connection tracking machinery from being overloaded, e.g. during DoS attacks). ROS also features a feature which makes stateful firewall very efficient: fast track (when connection gets fasttracked, packets belonging to it bypass most of packet handling). No such thing exists for raw rules.
Sure thing there are cases when raw rules are very handy … but those are really specific.
It’s also important to understand different networking protocols. For example, ICMP protocol offers and supports very different functions and ICMP echo request/reply (a.k.a. ping) is onky one of them. Blocking whole protocol indeed reduces visibility of router, but also breaks some essential functionality.
And yes, Mikrotik devs seem to prefer stateful firewall, configured in firewall filter section. Default config doesn’t have any single raw rule … Go figure. This probably adds to the fact that raw is not used very often.