As the first line of my firewall rules I usually place a rule to drop all invalid packets. I do this as the first rule of the forward, input and output chains in both IPv4 and IPv6. Is this still a good idea or pointless? Right after that I accept established and related and then proceed to the actual rules for each device.
I don’t think it is “wrong” per se…
If you have a small or medium network,
And it helps you understand your firewall and/or traffic better…
Why not…
But..
The order and quantity of firewall rules make a big difference in performance…
So “drop all invalid packets” isn’t necessary if your last firewall rule is “drop everything”.
From a performance point of view one should place the rules matching the most packets higher. Normally the “established,related” rule would match the vast majority of packets.
For sure one has to observe rule order when different rules might match the same packet; the rule which is supposed to be executed must be higher than the rest of the rules. Usually this is the case where a more specific rule has a different action than a more general rule. A prime example of such a case is otherwise (almost) identical rules with different actions: accept and fasttrack.
I am not aware that output chain firewall rules were required??
Is this something unique to IPv6??
I agree the established and related should be first, and it is rare that I use the output firewall for anything. I guess I am really wondering if drop invalid is worthwhile anymore? Can it inadvertently catch legitimate traffic? It likely serves no purpose or very little on the input chain, since on most routers I only accept certain traffic anyway. On the forward chain it might serve a purpose, where on IPv4 I pass most everything depending on the router’s purpose.
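The two questions in this thread (is “drop invalid” redundant once the chain ends in “drop everything”, and why does putting “established,related” near the top matter) can be checked with a toy first-match chain evaluator. The following is an added example, not code posted by anyone in the thread: it is a simplified model of how iptables, nftables and RouterOS walk a chain, not any product’s real matcher, and the chains, the “ssh” rule and the packets are constructed sample data. The one assumption it relies on is that conntrack assigns each packet exactly one state (new, established, related or invalid), so an invalid packet can never be matched by the established,related rule.

```python
"""Toy first-match firewall chain evaluator (added example, not from the thread).

Models the rule-order questions above: whether "drop invalid" is redundant
once a chain ends in "drop everything", whether that differs for a
permissive forward chain, and why "established,related" belongs near the top.
Conntrack states and matching are simplified; the chains and packets are
constructed sample data, not a real router's configuration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

CT_STATES = ("new", "established", "related", "invalid")


@dataclass(frozen=True)
class Packet:
    ctstate: str          # exactly one of CT_STATES, as conntrack would assign
    proto: str = "tcp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "accept" or "drop"
    ctstate: FrozenSet[str] = frozenset()         # empty set = match any state
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.ctstate and p.ctstate not in self.ctstate:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(chain: List[Rule], packet: Packet, policy: str = "accept") -> Tuple[str, int]:
    """First-match semantics: the first matching rule decides.

    Returns (verdict, number_of_rules_evaluated). `policy` is the verdict
    when nothing matches; accept is the RouterOS default and a common
    iptables policy, which is why a final explicit "drop everything" matters.
    """
    for n, rule in enumerate(chain, start=1):
        if rule.matches(packet):
            return rule.action, n
    return policy, len(chain)


DROP_INVALID = Rule("drop invalid", "drop", ctstate=frozenset({"invalid"}))
ACCEPT_EST_REL = Rule("accept established,related", "accept",
                      ctstate=frozenset({"established", "related"}))
ACCEPT_SSH = Rule("accept ssh", "accept", proto="tcp", dport=22)   # hypothetical service rule
ACCEPT_ALL = Rule("accept everything", "accept")
DROP_ALL = Rule("drop everything", "drop")

# Input chain as described in the thread: specific services only, explicit final drop.
INPUT_CHAIN = [DROP_INVALID, ACCEPT_EST_REL, ACCEPT_SSH, DROP_ALL]

# Permissive IPv4 forward chain ("pass most everything"): no final drop.
FORWARD_CHAIN = [DROP_INVALID, ACCEPT_EST_REL, ACCEPT_ALL]


def without(chain: List[Rule], name: str) -> List[Rule]:
    return [r for r in chain if r.name != name]


def verdict_with_and_without_drop_invalid(chain: List[Rule], packet: Packet) -> Tuple[str, str]:
    """Does removing 'drop invalid' change the verdict for this packet?"""
    with_rule, _ = evaluate(chain, packet)
    without_rule, _ = evaluate(without(chain, "drop invalid"), packet)
    return with_rule, without_rule


def rules_evaluated(chain: List[Rule], packets: List[Packet]) -> int:
    """Total rule evaluations for a traffic mix; fewer means cheaper."""
    return sum(evaluate(chain, p)[1] for p in packets)


if __name__ == "__main__":
    # Constructed sample: a packet conntrack flagged invalid, e.g. a stray ACK with no entry.
    invalid = Packet("invalid", "tcp", 443)
    print("input   (with, without drop invalid):", verdict_with_and_without_drop_invalid(INPUT_CHAIN, invalid))
    print("forward (with, without drop invalid):", verdict_with_and_without_drop_invalid(FORWARD_CHAIN, invalid))
    # Constructed mix: 90 established packets, 10 new SSH connections.
    mix = [Packet("established")] * 90 + [Packet("new", "tcp", 22)] * 10
    est_rel_third = [DROP_INVALID, ACCEPT_SSH, ACCEPT_EST_REL, DROP_ALL]
    print("rule evaluations, est/rel 2nd:", rules_evaluated(INPUT_CHAIN, mix),
          "est/rel 3rd:", rules_evaluated(est_rel_third, mix))
```

Running it shows the input chain dropping the invalid packet either way (the final “drop everything” catches it), while the permissive forward chain accepts the invalid packet as soon as “drop invalid” is removed. The rule-count comparison is the performance point: with established traffic dominating, every position the established,related rule moves down costs one extra evaluation per established packet. Because conntrack states are exclusive, the model also shows that swapping “drop invalid” and “established,related” changes only the evaluation count, never the verdict.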