Your thoughts on my basic firewall rules

Hi, I just want to know your thoughts on my firewall rules, just to be sure I'm doing well or whether there's something I might improve. It's about my home router, a hEX POE with an SFP port for WAN and all the Ethernet ports bridged together in "LAN Bridge".

Thanks in advance.

Notes:

  • the address list "blacklist" is the list of IPs blocked by the brute force login prevent rules
  • the address list "allowed_to_router" is my LAN and VPN network
  • the address list "bogons" is the list of IPs or network blocks that shouldn't exist on the Internet

Here are the firewall rules:

/ip firewall filter
add action=drop chain=input comment="Block Blacklist addresses IPs" src-address-list=\
    blacklist
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=fasttrack-connection chain=forward comment="Fasttrack" connection-state=\
    established,related hw-offload=yes
add action=accept chain=input comment="Accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="Accept input connections from LAN" in-interface=\
    "LAN Bridge"
add action=jump chain=input comment="Brute force login prevent" dst-port=21-23,1723 \
    jump-target="Brute force login prevent" protocol=tcp
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow SSTP connections" dst-port=443 protocol=tcp
add action=accept chain=input comment="Allow L2TP/IPsec connections" disabled=yes dst-port=\
    1701,500,4500 protocol=udp
add action=accept chain=input comment="Allow Mikrotik Discovery" dst-port=5678 protocol=udp \
    src-address-list=allowed_to_router
add action=accept chain=input comment="Allow Winbox connections" dst-port=8291 protocol=tcp
add action=accept chain=input comment="Allow SNMP connections" dst-port=161 protocol=udp
add action=accept chain=input comment="Allow Mikrotik Web interface" dst-port=80 protocol=\
    tcp src-address-list=allowed_to_router
add action=accept chain=input comment="Allow Mikrotik API" dst-port=8728,8729 protocol=tcp
add action=drop chain=input comment="Drop all not coming from LAN" log-prefix=DROP \
    src-address-list=!allowed_to_router
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons log=yes \
    log-prefix=BOGONS
add action=accept chain=forward comment="Accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface="sfp1 - WAN"
add action=add-src-to-address-list address-list=blacklist address-list-timeout=none-static \
    chain="Brute force login prevent" comment="Block login error 3rd Attempt" \
    connection-state=new dst-port=21-23,1723 log=yes protocol=tcp src-address-list=\
    login_attemp_stage2
add action=add-src-to-address-list address-list=login_attemp_stage2 address-list-timeout=5m \
    chain="Brute force login prevent" comment="Log login error 2nd Attempt" connection-state=\
    new dst-port=21-23,1723 protocol=tcp src-address-list=login_attemp_stage1
add action=add-src-to-address-list address-list=login_attemp_stage1 address-list-timeout=5m \
    chain="Brute force login prevent" comment="Log login error 1st Attempt" connection-state=\
    new dst-port=21-23,1723 protocol=tcp src-address-list=!login_attemp_stage2
add action=accept chain="Brute force login prevent" comment="Accept 21-23 TCP connections" \
    dst-port=21-23,1723 protocol=tcp

Haven't checked it all... allowing Winbox publicly, for me, is a fail.

I would recommend taking this description as an example - config

I'm sorry, but advice is needed BEFORE causing any damage.

It should all be thrown away.

CLEARLY you don't know what you're doing, SO you better reset the defaults or we'll soon have another machine in the botnet, if it isn't already finished...

Man, calm down and be kind please. I'm sorry if I'm not as expert as you, but I've just asked for help.

Exposing Winbox over the internet is not good, ok, got it. I will remove the rules and I will use Winbox outside my LAN only over an OVPN with a certificate. Ok?

You asked for help and you got a response.
What's the added benefit of sugar-coating it?

Start from default firewall and only change/add when you know why and what the consequences are.

Default rules are default for a pretty good reason.
They work.

@simogere
This isn't a call center, nor is it official support.
So our primary concern isn't being nice to customers
(sometimes some companies' support is so good they make fun of them),
but rather ensuring that more bots aren't created that jeopardize the functioning of the internet.

Question asked and answered:
Hi, I just want to know your thought about my firewall rules

The question was not:

Hi, I just want to know your thought about my firewall rules, but I have thin skin so please be very woke in your response. LOL.

Keep in mind the response was made to try to ensure you understood the gravity of exposing your router to the internet with the settings you had. Sure, there is also frustration because you changed very safe default settings with no knowledge at all, and then asked questions after the fact. So it leaves us with either a sense of arrogance or recklessness. Don't take it personally, we have all been there, or at least the ones who care to admit it!!