Firewall Stealth rules help

RouterOS Beginner Basics
1

Hi,
New to Mikrotik and to this level of gear and configuration.
I found some firewall rules to stealth all ports from internet. It was from this post:
ShieldsUp Stealth All ports
The rules were:

Change the in-interface to match your bridge name.

/ip firewall filter
add action=accept chain=input connection-state=established,related comment="Accept established related"
add action=accept chain=input in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward connection-state=established,related comment="Accept established related"
add action=accept chain=forward connection-state=new in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add action=accept chain=forward connection-nat-state=dstnat comment="Accept Port forwards"
add action=drop chain=forward comment="Drop all other forward"

What is the purpose of the last line? I found it blocked internet access for me from my VLANs. When I disabled that last rule the internet access from VLAN machines was reinstated. I also found that the ports were still stealth without that last rule. I'd like to understand whether it's really needed and how to enable VLAN internet access with it if needed.

2

I would refrain from changing the default firewall rules that are in place that are very good, UNTIL you understand what the rules are doing and you know the difference between the input chain and the forward chain.

The last rule as a drop rule is the method I prefer.
In other words, unless I explicitly state that traffic is allowed, any other traffic is dropped.

What is important is that traffic you need to config the router is setup PRIOR to invoking the drop rule in the input chain (input really means to the router).
So having a rule that allows LAN traffic to the router works.
Allowing a rule just to allow the admin access vice the entire LAN works as well.

As for the forward chain, yes, the drop rule will prevent vlan to vlan traffic as the router will attempt to route that traffic unless told to by the admin not to.
The easiest way is to say drop all vice vlana to vlanb block vlanb to vlana block and so forth for c, d, e, f , g etc…

If the admin needs access to all the vlans simply make that a one rule item.
If the users in vlan a need a shared device on vlan c simply make that a one rule item and so forth.