Techsystem
Member
Topic Author
Posts: 338
Joined: Tue Dec 21, 2021 5:12 am

Drop all from WAN not DSTNATed

Sun Jul 03, 2022 10:17 am

Hello to all engineers and experts in this MikroTik forum!
In the MikroTik RouterOS v7.4beta4 default configuration, in IP-Firewall, I found this rule:
Chain: forward
In. interface list: WAN
Connection state: new
Connection NAT state: not dstnat
Action: drop
So can anyone explain to me what this rule means, or what the benefit of such a rule is?
 
DarkNate
Forum Guru
Posts: 1015
Joined: Fri Jun 26, 2020 4:37 pm

Re: Drop all from WAN not DSTNATed

Sun Jul 03, 2022 12:22 pm

Prevents NAT bypass. But you can remove the rule and drop anything in the raw table destined towards RFC6890 subnets directly.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Drop all from WAN not DSTNATed

Sun Jul 03, 2022 12:33 pm

Firewall rules must be seen as a whole, as their mutual position is important. This particular rule aggregates the functionality of multiple separate rules. The basic one is the "default drop" role, meaning that all packets that have not been matched by any previous rule in the same chain will be dropped. But instead of placing separate rules action=accept connection-nat-state=dstnat and action=accept in-interface-list=!WAN before the "default drop" one, the match conditions connection-nat-state=!dstnat in-interface-list=WAN (i.e. the inverted ones) have been added to the "default drop" rule itself, exempting packets matching any of these (direct, not inverted) conditions from matching it.

The purpose of exempting packets not coming from WAN from getting dropped is clear - in a typical application, you want your LAN clients to be able to connect anywhere in the internet.

The purpose of exempting packets that have been dst-nated from getting dropped is to simplify the firewall - if you want to add some restrictive conditions on the source addresses and/or ports, you add them directly to the action=dst-nat rule(s) in /ip firewall nat, so packets not matching those conditions will not get dst-nated, and hence they will match the connection-nat-state=!dstnat condition in the "default drop" rule and get dropped.

It is probably also important to say that in the default firewall, the "default drop" rule only handles the initial packet of each connection; mid-connection packets are accepted by the first rule, action=accept connection-state=established,related,untracked.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Drop all from WAN not DSTNATed

Sun Jul 03, 2022 3:37 pm

My two cents.
The use of ! is tricky and should be avoided by new users, as it's a powerful tool (using a chainsaw when a butter knife is needed).
Being cool is not a reason to use it.

Thus the typical default rule (which is set up to be safe along with other rules.......... as sindy pointed out, looking at firewall rules in isolation is a fool's game) is attempting to be cute and do two things.
Before proceeding one should note that the default rule set is designed to allow all traffic except for what the admin blocks hence......

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


Which basically states.
a. for any new connections (redundant, not required)
b. coming in on the WAN interface (limits any dst-nat that may be required on the LAN side, when folks use the public IP of the router to access a server)
c. drop all traffic that is not dst-natted.

Much better is the following
Clear simple rule allowing dstnat
add chain=forward action=accept connection-nat-state=dstnat

Followed by a better security drop rule. That stops ALL other traffic not matched above, both WAN and LAN
add chain=forward action=drop comment="drop all else"

Note this in effect changes the design of the forward chain rule to one that blocks ALL traffic automatically unless specifically allowed by the admin above the drop rule.
For example you will need to add an internet access rule, as it was allowed before without you really knowing it.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
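
To make the one-rule and three-rule designs from the posts above concrete, here is a small model of RouterOS forward-chain matching. It is an added example, not code from this thread and not MikroTik's: it re-implements only first-match-wins evaluation, fall-through-equals-accept, the in-interface-list / out-interface-list / connection-state / connection-nat-state matchers and the "!" negation prefix. The reduced defconf chain (just the established,related,untracked accept and the drop rule the thread discusses; fasttrack and ipsec rules left out), the interface-list names WAN and LAN, and the sample packets are all constructed for the illustration.

```python
"""Model of the RouterOS forward chain as discussed in the thread.

Added example, not code from the thread or from MikroTik. Matching is
reduced to what the discussed rules need: interface lists, connection
tracking state, NAT state, "!"-negation, first match wins, and a chain
with no match accepting the packet (RouterOS default).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The packet/connection attributes the rules look at (constructed)."""
    in_list: str     # interface list the packet arrived on: "WAN" or "LAN"
    out_list: str    # interface list it would leave on
    conn_state: str  # new / established / related / untracked / invalid
    nat_state: str   # "dstnat" if a dst-nat rule already rewrote the connection, else ""


# A rule is a dict of matcher -> value plus "action". A value prefixed with
# "!" is negated, mirroring RouterOS syntax such as connection-nat-state=!dstnat.
Rule = dict


def _matches(rule: Rule, pkt: Packet) -> bool:
    fields = {
        "in-interface-list": pkt.in_list,
        "out-interface-list": pkt.out_list,
        "connection-state": pkt.conn_state,
        "connection-nat-state": pkt.nat_state,
    }
    for key, wanted in rule.items():
        if key in ("action", "comment"):
            continue
        actual = fields[key]
        if wanted.startswith("!"):          # negated matcher
            if actual == wanted[1:]:
                return False
        elif actual not in wanted.split(","):  # comma list, e.g. established,related,untracked
            return False
    return True


def evaluate(chain: list, pkt: Packet) -> str:
    """First matching rule decides; no match means the chain accepts."""
    for rule in chain:
        if _matches(rule, pkt):
            return rule["action"]
    return "accept"


# Reduced defconf forward chain: only the two rules the thread discusses.
DEFCONF_FORWARD = [
    {"action": "accept", "connection-state": "established,related,untracked"},
    {"action": "drop", "connection-state": "new", "in-interface-list": "WAN",
     "connection-nat-state": "!dstnat",
     "comment": "defconf: drop all from WAN not DSTNATed"},
]

# The three-rule alternative proposed in the thread, with the same first rule.
THREE_RULE_FORWARD = [
    {"action": "accept", "connection-state": "established,related,untracked"},
    {"action": "accept", "connection-nat-state": "dstnat"},
    {"action": "accept", "in-interface-list": "LAN", "out-interface-list": "WAN"},
    {"action": "drop", "comment": "drop all else"},
]

# Constructed sample traffic; "LAN to LAN" models two LAN-list interfaces
# (for instance a guest and a main bridge) talking to each other.
SAMPLES = {
    "unsolicited from internet": Packet("WAN", "LAN", "new", ""),
    "port-forwarded from internet": Packet("WAN", "LAN", "new", "dstnat"),
    "LAN client to internet": Packet("LAN", "WAN", "new", ""),
    "reply to LAN client": Packet("WAN", "LAN", "established", ""),
    "LAN to LAN": Packet("LAN", "LAN", "new", ""),
}


def verdicts(chain: list) -> dict:
    return {name: evaluate(chain, pkt) for name, pkt in SAMPLES.items()}


def differences() -> dict:
    """Sample packets on which the two designs disagree: name -> (one-rule, three-rule)."""
    one, three = verdicts(DEFCONF_FORWARD), verdicts(THREE_RULE_FORWARD)
    return {n: (one[n], three[n]) for n in SAMPLES if one[n] != three[n]}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:30s} one-rule={evaluate(DEFCONF_FORWARD, pkt):7s} "
              f"three-rule={evaluate(THREE_RULE_FORWARD, pkt)}")
    print("disagree on:", differences())
```

Running it shows the two chains agree on every WAN-originated packet (unsolicited dropped, dst-natted accepted, replies accepted via the established rule) and on LAN-to-WAN, and disagree only on LAN-to-LAN, which the one-rule chain accepts by fall-through and the three-rule chain drops; that is the point anav raises later in the thread, and it is also why the three-rule form needs the explicit LAN-to-WAN accept.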
 
Techsystem
Member
Topic Author
Posts: 338
Joined: Tue Dec 21, 2021 5:12 am

Re: Drop all from WAN not DSTNATed

Sun Jul 03, 2022 5:03 pm

Very thankful to all, I appreciate every single word here.
 
sebus46
newbie
Posts: 49
Joined: Sat Jun 17, 2023 4:59 pm

Re: Drop all from WAN not DSTNATed

Fri Mar 29, 2024 2:44 pm

My two cents.
The use of ! is tricky and should be avoided by new users, as it's a powerful tool (using a chainsaw when a butter knife is needed).
Being cool is not a reason to use it.

Do not want to upset higher powers. The 3 rules are indeed clear & logical, but that is 3 lines of code.
Was the recommended one-liner default "incorrect" for years? Or rather it is just a different way of doing (almost) the same? (as one often can do where computers are involved)
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Drop all from WAN not DSTNATed

Fri Mar 29, 2024 2:57 pm

The "one-liner" is indeed just a different way of doing the same which, compared to the "three-rule" way, is a tiny bit more efficient both typing/clicking-wise and CPU-wise but may also be a tiny bit less comprehensible for newbies.

My personal view is that anyone who cannot understand the use of a "not equal to" operator should stay away from modifying firewall rules, but I admit that a single exclamation mark is easy to miss if your vision is not perfect :)
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Drop all from WAN not DSTNATed

Fri Mar 29, 2024 3:18 pm

Word up, don't irritate a sick person, I resemble that ! comment. It's a useful tool WHEN NEEDED. Otherwise, why try to be overly cute.

The default rule allows one to connect to the internet right away and do most functions.
Once one adds rules, it's cleaner and clearer to remove the rule and replace it with the three.
Finally, the three line approach is also better security as it blocks any unwanted LAN to LAN traffic which the combo rule did not.
and it makes it obvious that there is traffic from LAN to WAN and thus may prod the user into shutting some of that traffic down.

So in summary, I think the advice above blows........... like windy ;-)
 
Amm0
Forum Guru
Posts: 3423
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Drop all from WAN not DSTNATed

Fri Mar 29, 2024 3:28 pm

!sure negation is particularly hard in the context of rules. It's the connection tracking "established" part that makes things trickier to understand than !.

Keep in mind, QuickSet and the mobile apps have a UI for "Port Forwarding", which just adds a dst-nat rule, but this only works because of the !dstnat rule.

More generally, parts of the default firewall that ship on routers are designed around other UI/config features that add dynamic things to the firewall. The "First Firewall" in the docs, on the other hand, shows a more "pure" IP-focused firewall with none of the weird tricks the default one uses.

But it is a bit of a catch-22.... since it is likely best to modify the default firewall rather than replace it with the docs' "first firewall". The problem is that the default firewall requires knowing more about firewall rules since it is optimized.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Drop all from WAN not DSTNATed

Fri Mar 29, 2024 3:58 pm

Well for an advanced user fill yer boots with ! rules.
For the beginner it would be far clearer if MT used the three rules as default instead.
It demonstrates a LAN to WAN firewall rule
It demonstrates an ability to conduct port forwarding (disabled by default would be my preference)
It demonstrates the power of the last drop-all rule.............. everything else not permitted will be dropped.

Let's be honest, most beginners look at that rule and don't have a sweet clue what it does.
 
Amm0
Forum Guru
Posts: 3423
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Drop all from WAN not DSTNATed

Fri Mar 29, 2024 4:20 pm

Let's be honest, most beginners look at that rule and don't have a sweet clue what it does.
Perhaps. Or the rules added by BTH or PPPoE's MSS adjustment, etc., for that matter. ;)

More saying the default config is not meant to be an example. Three rules likely use more CPU than one. And MikroTik generally prioritized efficiency over readability, and more rules make things even harder for automation to deal with the firewall.
 
Amm0
Forum Guru
Posts: 3423
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Drop all from WAN not DSTNATed

Fri Mar 29, 2024 4:36 pm

Well for an advanced user fill yer boots with ! rules.
Well, if beginners enabled UPnP (or NAT-PMP recently), that !dstnat rule is what makes it work.

I guess "newbies" should only need to add lines (either accept or drop) and leave the rest alone if they don't understand. Arguably, three rules are just more chances for the order to get messed up too.

Also, even if changed... there would still be configs based on the "one-rule" and some based on the "three-rule", since often the defaults persist from when the version was first installed.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Drop all from WAN not DSTNATed

Fri Mar 29, 2024 4:42 pm

Interesting, but who uses UPnP... I mean, do games actually still require that?? I do everything off Steam, nothing fancy required, it just works.
 
Amm0
Forum Guru
Posts: 3423
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Drop all from WAN not DSTNATed

Fri Mar 29, 2024 4:58 pm

Interesting, but who uses UPnP... I mean, do games actually still require that?? I do everything off Steam, nothing fancy required, it just works.
Camera systems and VoIP use UPnP a fair bit.

More pointing out that RouterOS does have some features that modify the firewall dynamically... and that's where more rules just isn't helpful, since RouterOS can look for the complex "one rule" vs. finding the group of three rules.

Basically a steep climb to convince MikroTik to change this, since it's more work for the dynamic things (now or in future) & less efficient. ;)
