The logic of letting parcels enter the office and then later checking whether they are dangerous, even if there is a bomb inside,
is certainly worse than not allowing parcels to enter at all unless they were requested.
Or, to put it more simply: it is better to block the packet immediately in RAW instead of processing it 8 times unnecessarily through all the stages it must pass to reach the Firewall Filter.
Or better, how is the packet processed?
https://help.mikrotik.com/docs/display/ ... utedPacket
First it passes through RAW, then Connection-Tracking, then Prerouting-Mangle, then DST-NAT, then Routing, then TTL management, then Forward-Mangle, and finally Forward-Filter, etc.
When you block the packet in RAW, it does not go through any of the next 7 steps.
When you block the packet in Filter, the packet has already passed through RAW, Connection-Tracking, Mangle, DST-NAT, Routing, TTL management, Mangle again, and finally the Firewall Filter.
There is no logic in blocking unwanted connections at the end of this 8-pass chain instead of blocking them immediately.
Yes, dropping everything at the end is still valid, of course,
but if some traffic is certainly unwanted,
it is better to block it rather than unnecessarily using power, resources and time to process it.
In fact, by analyzing the blocked traffic, it is possible to work out how to create rules in RAW that completely block unnecessary traffic, even before the system handles it.
One example above all: blacklists must be blocked in RAW, not in filter; otherwise the packets are processed 8 times before they reach the Firewall Filter (input or forward makes no difference).
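The blacklist pattern described in the post, written out as an added RouterOS CLI example (this is not from the original post or from MikroTik documentation). The list names `trusted` and `blacklist`, the addresses and the choice of tcp/23 as the "probe" port are constructed for illustration. The filter rule is the detector that feeds the list; the RAW rule is where the actual blocking happens, so after the first packet from an offender nothing from that source ever reaches connection tracking again:

```routeros
# Added example, not part of the original post. All addresses and list
# names below are constructed for illustration.

# Management hosts that the feeder rule must never blacklist.
/ip firewall address-list
add list=trusted address=192.0.2.10 comment="admin workstation (constructed)"
# Static entries can be put straight into the blacklist as well.
add list=blacklist address=198.51.100.0/24 comment="known bad range (constructed)"

# RAW prerouting: the first stage a packet meets, before connection
# tracking. Blacklisted sources are dropped here and never reach conntrack,
# mangle, NAT, routing or the filter chains. Keep this as the FIRST rule in
# /ip firewall raw (move it up if other raw rules already exist).
/ip firewall raw
add chain=prerouting src-address-list=blacklist action=drop \
    comment="drop blacklisted sources before conntrack"

# Filter input: the detector. A TCP SYN to a port the router does not serve
# (telnet here) adds the source to the blacklist for one day.
# add-src-to-address-list is a passthrough action, so the next rule still
# drops the probe itself. Only the first packet of each offender gets this
# far; everything after it is handled by the raw rule above.
/ip firewall filter
add chain=input protocol=tcp dst-port=23 tcp-flags=syn \
    src-address-list=!trusted action=add-src-to-address-list \
    address-list=blacklist address-list-timeout=1d \
    comment="feed blacklist from probes to tcp/23"
add chain=input protocol=tcp dst-port=23 action=drop \
    comment="drop the probe that triggered the listing"
```

Two caveats when moving blocking into RAW: connection tracking has not run yet at that point, so matchers such as `connection-state` are not available there, only address, interface, protocol and port matchers; and packets dropped in RAW never show up in the filter counters or logs, so check `/ip firewall raw print stats` and `/ip firewall address-list print` when verifying that the blacklist is doing its job.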