Yes, this is an option, but as attackers use fake IP addresses, that will make you deny connections to some servers that you really need!
When you are also using an IKEv2 connection, those can be made notrack
in RAW and so are caught by the rule (UDP 4500). To avoid that, the box for untracked has to be ticked too.
add action=drop chain=input comment="Block all that is not statefull, related or notrack" connection-state=!established,related in-interface-list=WAN log=yes log-prefix=filterdrop
I block all traffic coming in through the WAN. Traffic like TCP 25/80/443 is still welcome, but I have a route
in Mangle for that so that it is then being tracked. That traffic is already checked in RAW on this router before being routed to the next router.
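As an added illustration (not the poster's own configuration), here is how the two pieces described above fit together in RouterOS: a RAW notrack rule for the IKEv2 NAT-T port, and an input drop rule that also exempts the untracked state so the notrack'd packets are not dropped. It assumes an interface list named WAN and that IKEv2 uses UDP 4500; the accept rule for the IKE and ESP traffic you actually want is a placeholder you would adapt to your own peers.

```routeros
/ip firewall raw
# Assumed: skip connection tracking for IKEv2 NAT-T (UDP 4500) from the WAN
add action=notrack chain=prerouting comment="IKEv2 NAT-T without conntrack (assumed example)" dst-port=4500 in-interface-list=WAN protocol=udp

/ip firewall filter
# Placeholder: accept the specific IKE/ESP traffic you need before the final drop
add action=accept chain=input comment="IKE/NAT-T from known peers (placeholder, adapt src-address)" dst-port=500,4500 in-interface-list=WAN protocol=udp src-address=203.0.113.10
# Final drop: anything from the WAN that is not established, related or untracked
# Without 'untracked' the notrack'd UDP 4500 packets would match this rule and be dropped
add action=drop chain=input comment="Block all that is not stateful, related or notrack" connection-state=!established,related,untracked in-interface-list=WAN log=yes log-prefix=filterdrop
```

Rule order matters: the drop rule must sit below the accept rules for the services you expose, and the untracked state only exists for packets that a RAW notrack rule already matched, so the two rules have to agree on the port and interface.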