kgmuzu
just joined
Topic Author
Posts: 12
Joined: Tue Dec 17, 2013 9:38 pm

IP firewall is bypassed when source is 0.0.0.0

Tue Dec 17, 2013 10:05 pm

If this is for some reason intentional, then it is not documented, which it should be.

Packets with a source IP address of 0.0.0.0 bypass the IP firewall, but they can be seen (and filtered) in the bridge firewall.

When does this happen, for example:
- DHCP negotiations
- MikroTik MAC-Telnet between Winbox and the router

How can you replicate this?
Use an external DHCP server. Create a rule in the output chain. Set protocol to UDP and destination port to 67. Set the target to log. That should catch a DHCP solicitation. Create a DHCP client on a (non-bridged) interface, and you will see that these packets do not traverse this output chain!

But if you create a similar rule in the bridge firewall on a bridge interface with a DHCP client, then you get a hit. The same goes for the MAC-Telnet protocol used to connect Winbox to the MikroTik based on the MAC address.

That is interesting, because you would assume that all packets without exception would pass the input and output chain of the firewall if they originate from or are destined to the router.

I used RouterOS 6.7. I found threads describing basically the same effect already years ago.

So be aware of it and maybe you find more examples. There are always workarounds...
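The reproduction steps from the post above, written out as RouterOS 6.x CLI commands. This is an added example, not the poster's configuration: the interface names (ether2 as the non-bridged port, bridge1 as the bridge) and the log prefixes are assumptions, and an external DHCP server is assumed to be reachable on those segments.

```routeros
# Added example (not from the original post). Interface names and log prefixes
# are assumptions; adjust them to the router under test.

# 1. IP firewall, output chain: log anything the router itself sends to a DHCP
#    server. A DHCP Discover/Request from a client goes out as
#    src 0.0.0.0 -> dst 255.255.255.255, UDP 68 -> 67.
/ip firewall filter
add chain=output protocol=udp dst-port=67 action=log log-prefix="ipfw-dhcp-out"

# 2. Start a DHCP client on a NON-bridged interface (an external DHCP server is
#    assumed to be on that segment).
/ip dhcp-client
add interface=ether2 disabled=no

# 3. Check: the output rule's packet/byte counters stay at 0 and nothing with
#    the prefix appears in the log, i.e. the packets never traversed the chain.
/ip firewall filter print stats where chain=output
/log print where message~"ipfw-dhcp-out"

# 4. Bridge firewall, output chain: the same match on a bridge interface that
#    runs a DHCP client does produce hits. In the bridge filter the IP header
#    is matched through mac-protocol=ip / ip-protocol=udp.
/interface bridge filter
add chain=output mac-protocol=ip ip-protocol=udp dst-port=67 action=log log-prefix="brfw-dhcp-out"
/ip dhcp-client
add interface=bridge1 disabled=no

# 5. Check: counters on the bridge rule increase and the prefix shows up in the log.
/interface bridge filter print stats where chain=output
/log print where message~"brfw-dhcp-out"
```

Both log rules are harmless to leave in place for the duration of the test; `print stats` shows the per-rule packet and byte counters, which is the quickest way to tell "not matched at all" (step 3) apart from "matched" (step 5) without reading the log.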
 
kgmuzu
just joined
Topic Author
Posts: 12
Joined: Tue Dec 17, 2013 9:38 pm

Re: IP firewall is bypassed when source is 0.0.0.0

Wed Dec 18, 2013 1:02 pm

Related to the post above: it gets even more interesting.

If you create a rule that logs packets from Winbox to the router on the INPUT chain (protocol UDP and dst port 20561), you see the log count running. If you then try to drop these packets with the same rule, you see the packet counter of this drop rule running as well, but the packets are not dropped!

Although you can reject these packets with the same rule in the bridge firewall.

This means that you cannot assume that all packets pass through the "IP" firewall! And even if they do, there might be packet configurations where the target is not executed correctly.
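The log-versus-drop comparison from this post as RouterOS 6.x CLI commands, plus the bridge filter rule that does reject the MAC-Winbox traffic. Added example, not the poster's configuration; the bridge name (bridge1) and the log prefix are assumptions. The bridge drop rule will cut off MAC-address-based Winbox sessions over that bridge, so keep a console or IP-based session open while testing.

```routeros
# Added example (not from the original post). bridge1 and the log prefix are
# assumptions. UDP dst-port 20561 is the port the post identifies for
# Winbox-to-router traffic when Winbox connects by MAC address.

# 1. IP firewall, input chain: a log rule sees the packets (counters and log
#    entries increase while a MAC-based Winbox session is active).
/ip firewall filter
add chain=input protocol=udp dst-port=20561 action=log log-prefix="ipfw-mac-winbox"

# 2. A drop rule with identical matchers also counts the packets, yet the
#    Winbox session keeps working: the packets are counted but not dropped.
add chain=input protocol=udp dst-port=20561 action=drop

# 3. Compare the counters of both rules; both increase.
/ip firewall filter print stats where chain=input dst-port=20561
/log print where message~"ipfw-mac-winbox"

# 4. Bridge firewall, input chain: the same match here does take effect and the
#    MAC-based Winbox session over the bridge is rejected. Created disabled so
#    it can be switched on deliberately from a session that is not affected.
/interface bridge filter
add chain=input mac-protocol=ip ip-protocol=udp dst-port=20561 action=drop disabled=yes
# enable with:  /interface bridge filter enable [find dst-port=20561]
/interface bridge filter print stats where chain=input
```

The point to verify is the combination in steps 2 and 3: a rule whose counters increase is normally proof that its action ran, and this is the case where that inference does not hold for the IP firewall. The bridge filter rule in step 4 is the workaround the post uses; since it only covers traffic arriving on the bridge, non-bridged interfaces need their own handling.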