I have added a rule so that any who tries a port on my system that are not open, get blocked to all access for 24 hour to all ports.
Since this can block my self, I do use white list for my work, and can use port knock to add my self to white list.
Please note that this can be insufficient. There are people out on the internet who send TCP SYN packets that appear to originate e.g. from 22.214.171.124
When you have such a rule on your system, it will block 126.96.36.199 for sure.
That can be a problem when you use that for DNS. Of course only when you use it for more than "new incoming trafic from xxxx" but usually people with the mindset to use a blocklist will sooner or later decide they need to block ALL traffic from that source AS SOON AS POSSIBLE so they put it in the raw table, and then they are in trouble,