RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Why blacklist bruteforcers vs just dropping the ports/service?

Wed Nov 21, 2018 4:17 pm

If you have drop rules that simply drop packets to ports/services you do not use like ssh, ftp, telnet, winbox, etc... what is the advantage to creating a timed black list and dropping that? Is it to gain the logs and perform further action?

If you have the IP/Services turned off for all those, is there any purpose for those rules? The last input drop rule would work on them anyway, right, if they were not previously allowed in.

Thanks for any clarification.
 
mkx
Forum Guru
Posts: 13060
Joined: Thu Mar 03, 2016 10:23 pm

Re: Why blacklist bruteforcers vs just dropping the ports/service?

Wed Nov 21, 2018 4:36 pm

Assume you're running an http service (NATed from some internal host) open to the whole internet, ssh open only from select remote addresses, and winbox denied from the internet. In the case of blacklisting, if a potential hacker tries the winbox port and you add his address to the black list, he will not be able to access even the http service. So this makes a kind of extra security layer by protecting the http service from a potentially malicious user.
 
ivicask
Member
Posts: 439
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Why blacklist bruteforcers vs just dropping the ports/service?

Wed Nov 21, 2018 5:28 pm

RackKing wrote:
> If you have drop rules that simply drop packets to ports/services you do not use like ssh, ftp, telnet, winbox, etc... what is the advantage to creating a timed black list and dropping that? Is it to gain the logs and perform further action?
>
> If you have the IP/Services turned off for all those, is there any purpose for those rules? The last input drop rule would work on them anyway, right, if they were not previously allowed in.
>
> Thanks for any clarification.

The point is also that they may probe your other ports and also put extra load on your line and router while doing so. By blocking them for a certain time and adding a rule to drop them in the raw filter, you prevent them from making further attempts, and it also improves performance, as they are dropped in raw instead of in the regular filter.
 
Steveocee
Forum Guru
Posts: 1198
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Why blacklist bruteforcers vs just dropping the ports/service?

Wed Nov 21, 2018 5:46 pm

Pre-empting the worst is probably the best summary.
If they're poking at certain ports when they shouldn't then you probably don't want them poking at anything.
 
mkx
Forum Guru
Posts: 13060
Joined: Thu Mar 03, 2016 10:23 pm

Re: Why blacklist bruteforcers vs just dropping the ports/service?

Wed Nov 21, 2018 6:30 pm

ivicask wrote:
> The point is also that they may probe your other ports and also put extra load on your line and router while doing so. By blocking them for a certain time and adding a rule to drop them in the raw filter, you prevent them from making further attempts, and it also improves performance, as they are dropped in raw instead of in the regular filter.

I don't agree with the whole of this argument. If the FW is set to drop traffic which is not allowed, it doesn't prevent attackers from trying other ports and thus putting extra load on the DL portion of the internet line, regardless of where these packets are dropped (raw or filter rules). There is, however, slightly lower load on the router, as additional probes are dropped early in raw rules.
 
whitbread
Member Candidate
Posts: 119
Joined: Fri Nov 08, 2013 9:55 pm

Re: Why blacklist bruteforcers vs just dropping the ports/service?

Wed Nov 21, 2018 6:46 pm

If someone probes your router on unused well-known ports, you do not want him to be able to evaluate whether an exploit is working on another used port. True, you can use blacklists for this as well.
 
ivicask
Member
Posts: 439
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Why blacklist bruteforcers vs just dropping the ports/service?

Wed Nov 21, 2018 8:06 pm

mkx wrote:
> I don't agree with the whole of this argument. If the FW is set to drop traffic which is not allowed, it doesn't prevent attackers from trying other ports and thus putting extra load on the DL portion of the internet line, regardless of where these packets are dropped (raw or filter rules). There is, however, slightly lower load on the router, as additional probes are dropped early in raw rules.

Yeah, but to explain better what I meant: if you just drop traffic in the firewall and they find some open port like RDC, FTP, whatever, they will attempt further attacks on that port, like trying to brute-force the RDP login God knows how many times, which increases incoming traffic and simple firewall load.
So by blocking port scanners early, or doing some other honeypot (like blacklisting people who attempt to connect to the winbox port), you're preventing them from discovering your other ports that may be open, and with it you also prevent any other attempts on those ports, which do generate extra traffic. So in general you are making your router more secure and reducing CPU load, but it may also save you some bandwidth if your IP is interesting to attackers.

Please correct me if I'm wrong.
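An added example, not taken from any post in this thread and not MikroTik's own documentation, that puts the three points made above into one RouterOS firewall configuration: mkx's scenario (public http NATed to an inside host, ssh only from named admin addresses, winbox never from the WAN), ivicask's raw-chain drop of blacklisted sources, and the winbox "honeypot" rule that fills the blacklist. The WAN interface name ether1, the internal web host 192.168.88.10, the admin address 203.0.113.5, the list names and the one-day timeout are all assumptions.

```routeros
# Added example (not from the thread). Assumed values: ether1 = WAN interface,
# 192.168.88.10 = internal web host, 203.0.113.5 = admin address, 1d = ban time.

/ip firewall address-list
add list=ssh-allowed address=203.0.113.5 comment="admins allowed to ssh"

# 1. raw/prerouting is evaluated before connection tracking and before the
#    input/forward split, so one rule here covers probes at the router AND
#    at the NATed http host, and costs less CPU than a filter-chain drop.
/ip firewall raw
add chain=prerouting in-interface=ether1 src-address-list=blacklist \
    action=drop comment="drop blacklisted sources before conntrack"

# 2. publish the internal http service
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80

# 3. input chain: traffic addressed to the router itself
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=tcp dst-port=22 \
    src-address-list=ssh-allowed action=accept comment="ssh from admins only"
# Honeypot: anyone from the WAN who touches winbox (8291) is listed for 1d.
# add-src-to-address-list does not terminate rule processing, so the probe
# packet itself still falls through to the final drop below.
add chain=input in-interface=ether1 protocol=tcp dst-port=8291 \
    src-address-list=!ssh-allowed action=add-src-to-address-list \
    address-list=blacklist address-list-timeout=1d \
    comment="winbox probe -> blacklist"
add chain=input in-interface=ether1 action=drop comment="default input drop"

# 4. forward chain: only the NATed http reaches the inside from the WAN
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    protocol=tcp dst-port=80 action=accept comment="public http to inside host"
add chain=forward in-interface=ether1 action=drop comment="default forward drop"
```

Two things to check before deploying something like this. First, because the raw drop runs before connection tracking, a listed source loses even its already-established http sessions, which is exactly the "extra layer" mkx describes, but it also means a mistaken entry locks out that address completely for the whole timeout; inspect the list with `/ip firewall address-list print where list=blacklist` and note that the honeypot rule excludes the admin list so a stray admin click on 8291 cannot cause a self-lockout. Second, the honeypot matches on a bare SYN to port 8291, so an attacker who can spoof source addresses can get a third party listed without ever completing a handshake; keep the timeout short and exclude any address you cannot afford to block. mkx's bandwidth point stands either way: dropping in raw saves router CPU, but the probe packets still arrive on the downlink.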
 
RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Re: Why blacklist bruteforcers vs just dropping the ports/service?

Thu Nov 22, 2018 3:43 pm

Steveocee wrote:
> Pre-empting the worst is probably the best summary.
> If they're poking at certain ports when they shouldn't then you probably don't want them poking at anything.

This makes a great deal of sense to me - thanks.

Good discussion - thanks to all who responded.
