Hi Guys,
I have been reading up a lot on RouterOS but I still can't figure out what exactly the below rules are for.
It seems like this is found in almost every security 'guide' that I have read and the router still works with or without it.
- What determines a connection as 'invalid' ?
- So what if the connection is established? Without this rule, it seems like connections to the firewall are still possible..
Can someone enlighten me on this?
Thank you all! 
Protect your RouterOs router
/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input protocol=udp action=accept \
This is not related to RouterOS but to TCP basics. You can search Google for “tcp connection states”, and see a diagram here: http://www.cs.northwestern.edu/~agupta/cs340/project2/TCPIP_State_Transition_Diagram.pdf
Invalid packets don’t belong to an existing connection, and are also not opening a new connection with the standard method.
Established means it belongs to an existing connection, so they are already known, and don’t need to be inspected.
Those 3 rules only affect traffic destined for the router itself - they are on the input chain.
The first rule drops invalid connections, though it is usually preferable to simply have a rule dropping all traffic which has not been explicitly accepted.
The second rule accepts traffic for an existing valid connection. So if (say) the router does a DNS lookup it will be able to receive the reply.
The third rule is accepting all UDP traffic into the router - may well be inappropriate.
Note that these three rules only affect traffic destined for the router. The forward chain and DST/SRC NAT rules are more closely linked to the firewall functionality.
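To make the two replies above concrete (what makes a packet "invalid" versus "established", and why the quoted rules still let new connections reach the router unless a final drop rule follows them), here is a small Python model I added; it is not RouterOS code and not from anyone in the thread. It keeps a toy connection-tracking table keyed on the 5-tuple, labels each packet new/established/invalid, and then walks the quoted input-chain rules in order, falling back to RouterOS's implicit accept when nothing matches. The IP addresses, ports and the packet sequence are constructed for the example, and the tracker is simplified: real conntrack only calls a TCP flow established once it has seen traffic in both directions.

```python
"""Toy model of connection-state matching on a RouterOS input chain.

Hypothetical example: classifies packets into the connection-state values the
firewall matches on (new / established / invalid) and runs them through the
three rules quoted in the thread, then through the same rules plus a
catch-all drop as the second reply recommends.
"""
from dataclasses import dataclass

ROUTER_IP = "192.0.2.1"  # constructed sample address (RFC 5737 documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                       # "tcp" or "udp"
    flags: frozenset = frozenset()   # TCP flags, e.g. frozenset({"SYN"})


class ConnTracker:
    """Minimal stateful tracker: one entry per flow, keyed direction-independently."""

    def __init__(self):
        self.table = set()

    @staticmethod
    def _key(p):
        # Sort the two endpoints so a reply maps onto the same entry as the request.
        return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def state(self, p):
        """Return the connection-state label the firewall would see for p."""
        key = self._key(p)
        if key in self.table:
            return "established"  # belongs to a flow we have already seen
        if p.proto == "tcp":
            # Only a bare SYN is the standard way to open a TCP connection;
            # any other TCP packet with no matching entry cannot start one.
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.table.add(key)
                return "new"
            return "invalid"
        # UDP has no handshake: the first datagram of a flow is simply "new".
        self.table.add(key)
        return "new"


def matches(rule, packet, state):
    """A rule matches when every listed property equals the packet's value."""
    for key, want in rule.items():
        have = state if key == "connection-state" else getattr(packet, key)
        if have != want:
            return False
    return True


def run_chain(rules, packet, state):
    """First matching rule decides; with no match RouterOS accepts the packet."""
    for rule, action in rules:
        if matches(rule, packet, state):
            return action
    return "accept"


# The three rules quoted in the question, in order.
QUOTED_RULES = [
    ({"connection-state": "invalid"}, "drop"),
    ({"connection-state": "established"}, "accept"),
    ({"proto": "udp"}, "accept"),
]
# The second reply's preference: accept what you mean to, then drop the rest.
HARDENED_RULES = [
    ({"connection-state": "invalid"}, "drop"),
    ({"connection-state": "established"}, "accept"),
    ({}, "drop"),  # empty match = everything not explicitly accepted above
]


def simulate(rules):
    """Feed a constructed packet sequence through tracker and chain; return verdicts."""
    ct = ConnTracker()
    verdicts = {}
    # 1. The router itself sends a DNS query (output path; it just creates the entry).
    ct.state(Packet(ROUTER_IP, 40000, "198.51.100.53", 53, "udp"))
    # 2. The DNS reply comes back on the reversed tuple -> established.
    reply = Packet("198.51.100.53", 53, ROUTER_IP, 40000, "udp")
    verdicts["dns reply"] = run_chain(rules, reply, ct.state(reply))
    # 3. A TCP ACK with no handshake behind it -> invalid.
    stray = Packet("203.0.113.7", 5555, ROUTER_IP, 22, "tcp", frozenset({"ACK"}))
    verdicts["stray ack"] = run_chain(rules, stray, ct.state(stray))
    # 4. A fresh SYN to the router's management port -> new; no quoted rule matches it.
    syn = Packet("203.0.113.7", 5556, ROUTER_IP, 8291, "tcp", frozenset({"SYN"}))
    verdicts["new syn to 8291"] = run_chain(rules, syn, ct.state(syn))
    # 5. An unsolicited UDP datagram -> new; the third quoted rule accepts all UDP.
    udp = Packet("203.0.113.7", 5557, ROUTER_IP, 161, "udp")
    verdicts["unsolicited udp"] = run_chain(rules, udp, ct.state(udp))
    return verdicts


if __name__ == "__main__":
    for name, rules in (("quoted", QUOTED_RULES), ("hardened", HARDENED_RULES)):
        print(name, simulate(rules))
```

Running it shows the point of the thread: with the quoted rules the DNS reply is accepted as established and the stray ACK is dropped as invalid, but the new SYN to the management port is accepted only because nothing matched it and the chain's implicit policy is accept; with the catch-all drop at the end, the same SYN and the unsolicited UDP are dropped while the established reply still gets through.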