A different variation is the final rule which drops all new relationship attempts from the WAN port to our LAN community (Except DstNat is applied). Without having this rule, if an attacker is aware or guesses your local subnet, he/she will be able to establish connections straight to local hosts https://wbofficial.com