In a nutshell: the default rules on RouterOS are enough in most cases.
And this from @anav help:
https://forum.mikrotik.com/viewtopic.php?t=180838
Unless you already know that some internal equipment, for example, does not support “pings” with payloads over 1024 bytes (the so-called “Ping of Death”) and you intend to protect them,
most counterfeit TCP and UDP packets arrive like new connections, and a “drop all” at the end of each chain blocks everything.
Speaking of DDoS, they have now arrived at the router, needless to do more…
So what good are rules like these?
http://forum.mikrotik.com/t/for-isp-how-to-really-block-invalid-icmp-tcp-udp-packets-and-others-ver-2021/75627/1
they are intended for “pass-through” traffic or internal machines that must necessarily have Public IPs that cannot be filtered before, and that perhaps have an internal firewall that is worth it.
Here, in that case it might be useful to first filter all malicious packets, both inbound and outbound, and apply rules to avoid IP Spoofing both inwards and outwards.