Hi,
I’ve been using a Mikrotik router as a firewall for ~2 years, using the rules from the wiki.
Now I’m configuring a new router and would like to reduce my firewall rules.
However, I’m not sure if I’m reducing too much.
What I need:
remote access over winbox from only one static IP (support)
access over winbox from interface 7
basic protection of my clients, I’m using client isolation for the wifi
later I would like to add a road-warrior IPsec
My input chain is now:
add action=accept chain=input comment="allow external support" in-interface=combo1_WAN src-address-list=support
add action=accept chain=input comment="allow support over ethernet 7" in-interface=ether7_service
add action=drop chain=input comment="drop everything else"
-> only my external IP and interface 7 are allowed to reach the firewall
My forward chain:
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward connection-state=new out-interface=combo1_WAN
add action=drop chain=forward connection-state="" in-interface=combo1_WAN
-> only established or related packets are allowed from WAN; all outgoing packets are allowed
As far as I understand, those rules should be enough. Am I right?
If I compare it to the wiki, some things are missing:
-> block bogons on input and forward: only needed if I configure the IPsec?
-> first rule: block invalid on input/forward. Is there any advantage to putting that as the first rule? It also gets blocked by my last one, and the firewall only knows it’s invalid if it’s not new/established/related, so there also shouldn’t be a performance advantage to using it as the first rule.
Only if I also add the TCP and UDP client protection could dropping invalid first help performance, but the clients are all isolated in the WiFi, so there is no need to protect them locally any further.
I know those are basic rules, but I’m not so sure about reducing the rules from the wiki…
Looking forward to getting some feedback.
BR
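The same reduced design, extended with the three wiki pieces the post asks about (drop invalid as the first rule, bogon filtering on the WAN side, and the ports a later road-warrior IPsec will need), as an added example written for this page; it is not the poster's configuration and not the wiki script. The interface names combo1_WAN and ether7_service and the address-list name support come from the post; the support address 203.0.113.10 is a documentation-range placeholder, the list name bogons is an assumption, the bogon list is shortened to ranges that are unambiguous on a public WAN interface, and the support rule is narrowed to the Winbox port (tcp/8291) rather than accepting everything from that address. Two details worth checking against a chain like the one above: RouterOS connection-state has the distinct values new, established, related and invalid (plus untracked on newer versions), so a rule that accepts connection-state=new does not match an invalid packet, and an invalid packet heading out to WAN would fall past a final drop that only matches in-interface=combo1_WAN; and without an established,related accept in the input chain, replies to connections the router itself opens (DNS, NTP, package updates) are dropped by the final input rule.

```routeros
# Added example, not the original post's config. Names combo1_WAN,
# ether7_service and the list "support" are from the post; 203.0.113.10
# and the list "bogons" are placeholders/assumptions.

/ip firewall address-list
add list=support address=203.0.113.10 comment="external support (placeholder IP)"
# shortened bogon list: sources that should never arrive on a public WAN
add list=bogons address=0.0.0.0/8      comment="this network"
add list=bogons address=10.0.0.0/8     comment="RFC1918 (only if WAN has a public IP)"
add list=bogons address=127.0.0.0/8    comment="loopback"
add list=bogons address=169.254.0.0/16 comment="link-local"
add list=bogons address=172.16.0.0/12  comment="RFC1918"
add list=bogons address=192.168.0.0/16 comment="RFC1918"
add list=bogons address=224.0.0.0/3    comment="multicast and reserved (224.0.0.0-255.255.255.255)"

/ip firewall filter
# ---- input: traffic addressed to the router itself ----
add chain=input action=drop connection-state=invalid comment="drop invalid first"
add chain=input action=accept connection-state=established,related \
    comment="replies to connections the router itself opened (DNS, NTP, updates)"
add chain=input action=drop in-interface=combo1_WAN src-address-list=bogons \
    comment="spoofed sources on WAN"
add chain=input action=accept in-interface=combo1_WAN src-address-list=support \
    protocol=tcp dst-port=8291 comment="Winbox for external support only"
add chain=input action=accept in-interface=ether7_service \
    comment="support over ethernet 7"
# road-warrior IPsec (IKE, NAT-T, ESP): enable once the VPN is configured
add chain=input action=accept in-interface=combo1_WAN protocol=udp dst-port=500,4500 \
    comment="IKE / NAT-T" disabled=yes
add chain=input action=accept in-interface=combo1_WAN protocol=ipsec-esp \
    comment="ESP (only needed without NAT-T)" disabled=yes
add chain=input action=drop comment="drop everything else"

# ---- forward: traffic passing through the router ----
add chain=forward action=drop connection-state=invalid comment="drop invalid first"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop in-interface=combo1_WAN src-address-list=bogons \
    comment="spoofed sources on WAN"
add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="decrypted road-warrior traffic" disabled=yes
add chain=forward action=accept connection-state=new out-interface=combo1_WAN \
    comment="clients may open connections to the internet"
add chain=forward action=drop in-interface=combo1_WAN comment="nothing new from WAN"
```

The IPsec rules are added disabled so the ruleset can be pasted now and the three rules switched on together later; `ipsec-policy=in,ipsec` matches packets that were decrypted by an IPsec policy, which is what keeps decrypted road-warrior traffic from being caught by the final WAN drop. Before relying on the input chain, open a second Winbox session from the support address and from ether7_service and confirm both still connect after the rules are in place, so the drop-everything-else rule cannot lock you out.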