Firewall block SIP

Hello, I created some firewall rules because I noticed that in the CONNECTIONS list there are many public IPs pointing to port 5060 and 5061. Once the rules are in place, however, the connections list shows that those IPs continue to connect and are not dropped.

Here are the rules I created:


add action=add-src-to-address-list address-list=sip_attack address-list-timeout=3h chain=input dst-port=5060 protocol=udp src-address-list=!accesso_consentito
add action=add-src-to-address-list address-list=sip_attack address-list-timeout=3h chain=input dst-port=5060 protocol=tcp src-address-list=!accesso_consentito
add action=add-src-to-address-list address-list=sip_attack address-list-timeout=3h chain=input dst-port=5061 protocol=udp src-address-list=!accesso_consentito
add action=add-src-to-address-list address-list=sip_attack address-list-timeout=3h chain=input dst-port=5061 protocol=tcp src-address-list=!accesso_consentito
add action=drop chain=input src-address-list=sip_attack

Where am I wrong? :frowning:

input is the chain to the CPU, forward is the chain for the NATted or routed devices…

So do I have to move these rules from “Input” to “Forward”?

Yes, if the IP under attack is not the RouterBOARD IP…
And if hardware offload is active between bridge ports, you cannot intercept that unless you also activate the firewall for the bridge,
but that reduces performance.

It is better not to make the open VoIP port visible from outside directly on the internal clients…

But if, to be safer, I go to “Firewall > Service Port” and disable SIP, will internal LAN clients such as VoIP phones still connect to the VoIP server, or not, because I have disabled the option? I don’t understand this.

If the internal devices have private IPs, it does not matter;
I am writing about internal devices with public IPs…
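As an added example (not from any post in this thread), this is what the same address-list logic looks like when the SIP server is a NATted host behind the router, so the traffic passes through the forward chain rather than input, together with the two settings discussed above (IP firewall on the bridge, and the SIP service port). Everything here is assumed: the server's private address 192.168.10.5, the WAN interface ether1, SIP on UDP 5060 and SIP-TLS on TCP 5061, and the allowed-peers list accesso_consentito from the original rules. The connection-nat-state matcher used below exists in RouterOS v6 and v7.

```routeros
# Added example, not the thread author's configuration. Assumed values:
# VoIP server 192.168.10.5 behind dst-nat, WAN interface ether1.

/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=udp dst-port=5060 action=dst-nat to-addresses=192.168.10.5 comment="assumed SIP forward"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=5061 action=dst-nat to-addresses=192.168.10.5 comment="assumed SIP-TLS forward"

/ip firewall filter
# After dst-nat the packet is forwarded to the LAN host, so it never
# enters chain=input; the list-building rules must sit in chain=forward.
# add-src-to-address-list is non-terminating: the packet continues to the
# drop rule right after it, exactly as in the original input-chain rules.
add chain=forward connection-nat-state=dstnat in-interface=ether1 protocol=udp dst-port=5060 \
    src-address-list=!accesso_consentito action=add-src-to-address-list \
    address-list=sip_attack address-list-timeout=3h
add chain=forward connection-nat-state=dstnat in-interface=ether1 protocol=tcp dst-port=5061 \
    src-address-list=!accesso_consentito action=add-src-to-address-list \
    address-list=sip_attack address-list-timeout=3h
add chain=forward src-address-list=sip_attack action=drop comment="drop listed SIP scanners"
# Keep the original chain=input rules too if the router itself listens on 5060/5061.

# Only needed when the SIP server sits on a bridge with hardware offload and
# bridged packets never reach the IP firewall; this costs bridge performance.
/interface bridge settings set use-ip-firewall=yes

# Disabling the SIP service port (the SIP helper/ALG) does not block SIP:
# it only stops the router from rewriting SIP payloads and auto-opening
# related RTP ports. Internal phones still reach the server.
/ip firewall service-port set sip disabled=yes
```

Check the result in /ip firewall address-list (entries named sip_attack should appear with a 3h timeout) and in /ip firewall connection, where the listed sources should stop showing new entries; rule order matters, so these rules must come before any general accept rule for the forwarded SIP traffic.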

Perfect, thank you!

Have a nice day,
Ciao