A rule without context is not much help.
Questions - "Which FW rule permits 'services'" and "Could someone explain to me where is the corresponding INPUT rule for the 'services' to be accepted by the firewall?"
Answer - "/ip firewall filter add action=drop chain=input comment="Input drop all not coming from LAN" in-interface-list=!LAN"
To answer the question more clearly, that rule is one of the few rules that has a blocking nature in the input chain (traffic to or from the router).
Correct in that its a default rule to safely allow the new admin the ability to access and configure the router and all users to have access to all the services that are provided by the router.
However it is weak in terms of firewall rules overall because it blocs WAN to router, but allows ALL LAN to router and clearly we dont need to have every user have full access to the router.
We should only give the admin full access tot he router and the rest of the users only need access to the services.
Hence
add action=drop chain=input comment="Input drop all not coming from LAN" in-interface-list=!LAN"
Becomes:
add action=accept chain=input source-address-list=adminaccess (
only admin can access router for config purposes)
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \ (
services for all users)
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else" (drop all other traffic)
note: adminaccess is done in firewall address lists... and uses statically assigned DHCP leases.
add IPof admin desktop list=adminaccess
add IPof admin laptop list=adminaccess
add IPof admin ipad list=adminaccess
add IPof admin smartphone list=adminaccess
So to reiterate.
Rextended is bang on, much better to have drop all else rules at the end of the input chain (and forward chain) because is cleaner/efficient and if there is something that should be blocked we dont know about, the rules do that for us for the most part.
Emil66 is also bang on, one has to be careful when placing the drop all rule in the input chain because if done before you have a proper access rule for the Admin in place and firewall address list if using one, then you will be locked out of the router and will have to reset it from scratch.