Hello,
I am making myself familiar with MikroTik these days. Coming from a Netgate/pfSense background, it took me some time to get used to it, but a little bit of knowledge about IPTables and the book RouterOS by Example SE by Stephen R.W. Discher made things easier for me.
Still, there are a few things I have a hard time understanding, so maybe you can help me out a little bit.
In the MikroTik firewall setup guide, one of the rule examples in the forward chain is to drop "invalid" packets, so packets that don't have an entry in the conntrack table, right?
But why do I have to drop invalid packets if I do that implicitly by using a drop (ALL) for the INPUT and FORWARD chain anyways? Is there a specific reason behind it?
Same with bogon IPs. MikroTik recommends in their guide to drop packets on WAN coming from non-public IPv4 address spaces.
That makes sense of course, but from my experience, this is only really necessary if you need access from WAN to ports on the router itself (INPUT chain) or to one of your internal hosts (FORWARDING chain). If you don't forward anything at all, then there is no need to explicitly drop bogon IP spaces, correct?
Thank you :)