Sun Jul 03, 2022 12:33 pm
Firewall rules must be seen as a whole, as their mutual position is important. This particular rule aggregates the functionality of multiple separate rules. The basic one is the "default drop" rule, meaning that all packets that have not been matched by any previous rule in the same chain will be dropped. But instead of placing separate rules action=accept connection-nat-state=dstnat and action=accept in-interface-list=!WAN before the "default drop" one, the match conditions connection-nat-state=!dstnat in-interface-list=WAN (i.e. inverted ones) have been added to the "default drop" one, exempting packets matching any of these (direct, not inverted) conditions from matching it.
The purpose of exempting packets not coming from WAN from getting dropped is clear - in a typical application, you want your LAN clients to be able to connect anywhere on the internet.
The purpose of exempting packets that have been dst-nated from getting dropped is to simplify the firewall - if you want to add some restrictive conditions on the source addresses and/or ports, you add them directly to the action=dst-nat rule(s) in /ip firewall nat, so packets not matching those conditions will not get dst-nated, and hence they will match the connection-nat-state=!dstnat condition in the "default drop" rule and get dropped.
It is probably also important to say that in the default firewall, the "default drop" rule only handles the initial packet of each connection; mid-connection packets are accepted by the first rule, action=accept connection-state=established,related,untracked.
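The equivalence the post describes (one drop rule with inverted match conditions versus two accept rules followed by a plain drop) and the point that rule order matters can be checked mechanically. The following is an added example, not code from the post or from MikroTik: a deliberately small model of a RouterOS-style filter chain with first-match-wins semantics. It assumes a single interface (named ether1 here) as the only member of the WAN interface list, models only the three match keys the post mentions, and leaves out the other rules of the real default firewall (fasttrack, drop invalid, IPsec), so it is a model of the reasoning, not a parser for real RouterOS syntax.

```python
"""Toy model of a RouterOS-style firewall filter chain (first matching rule wins).

Added example for the forum post above; the rule dictionaries mimic RouterOS
match keys but this is not the real RouterOS parser or default firewall.
"""
from itertools import product

# Assumption: ether1 is the only member of interface-list WAN; everything else is LAN.
WAN_LIST = {"ether1"}


def match(rule, pkt):
    """Return True if every match condition of `rule` matches `pkt`.

    A condition value starting with '!' is negated, as in RouterOS.
    """
    for key, want in rule.items():
        if key == "action":
            continue
        negate = want.startswith("!")
        want = want.lstrip("!")
        if key == "in-interface-list":
            have = "WAN" if pkt["in_interface"] in WAN_LIST else "LAN"
            hit = have == want
        elif key == "connection-state":
            hit = pkt["connection_state"] in want.split(",")
        elif key == "connection-nat-state":
            hit = pkt["nat_state"] == want
        else:
            raise ValueError(f"unsupported match key in this model: {key}")
        if hit == negate:  # condition failed (or a negated condition matched)
            return False
    return True


def evaluate(chain, pkt):
    """Walk the chain top-down; the first matching rule decides the action."""
    for rule in chain:
        if match(rule, pkt):
            return rule["action"]
    return "accept"  # a chain with no matching rule accepts the packet


# The two rules the post discusses, as they appear in the default firewall:
COMBINED = [
    {"action": "accept", "connection-state": "established,related,untracked"},
    {"action": "drop", "connection-nat-state": "!dstnat", "in-interface-list": "WAN"},
]

# The same intent written as separate rules before a bare "default drop":
SPLIT = [
    {"action": "accept", "connection-state": "established,related,untracked"},
    {"action": "accept", "connection-nat-state": "dstnat"},
    {"action": "accept", "in-interface-list": "!WAN"},
    {"action": "drop"},
]

# Same rules as SPLIT, but the accept exemptions placed after the drop:
# this is what "mutual position is important" warns about.
SPLIT_WRONG_ORDER = [SPLIT[0], SPLIT[3], SPLIT[1], SPLIT[2]]


def all_packets():
    """Constructed packet descriptors covering every combination of the modelled fields."""
    for iface, state, nat in product(
        ("ether1", "bridge"),
        ("new", "established", "related", "untracked", "invalid"),
        ("dstnat", "srcnat", "none"),
    ):
        yield {"in_interface": iface, "connection_state": state, "nat_state": nat}


def chains_equivalent(a, b):
    """True if both chains give the same verdict for every modelled packet."""
    return all(evaluate(a, p) == evaluate(b, p) for p in all_packets())


def first_difference(a, b):
    """First packet (if any) on which the two chains disagree, for diagnostics."""
    for p in all_packets():
        if evaluate(a, p) != evaluate(b, p):
            return p
    return None


if __name__ == "__main__":
    print("COMBINED == SPLIT:", chains_equivalent(COMBINED, SPLIT))
    print("COMBINED == SPLIT_WRONG_ORDER:", chains_equivalent(COMBINED, SPLIT_WRONG_ORDER))
    print("first disagreement with wrong order:", first_difference(COMBINED, SPLIT_WRONG_ORDER))
```

Running it shows the combined rule and the split rules agree on every packet, while moving the exemptions below the drop makes every new connection, LAN-originated or dst-nated alike, get dropped, which is exactly why the position of each rule relative to the "default drop" one has to be read together with its match conditions.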