/ip firewall filter
add action=accept chain=input comment=\
"defconf 1 of 11: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf 2 of 11: drop invalid" \
connection-state=invalid
add action=accept chain=input comment="defconf 3 of 11: accept ICMP" \
protocol=icmp
add action=accept chain=input comment=\
"defconf 4 of 11: accept to local loopback (for CAPsMAN)" dst-address=\
127.0.0.1
add action=drop chain=input comment=\
"defconf 5 of 11: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf 6 of 11: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
"defconf 7 of 11: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
"defconf 8 of 11: fasttrack" connection-state=established,related
add action=accept chain=forward comment=\
"defconf 9 of 11: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf 10 of 11: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf 11 of 11: drop all from WAN not DSTNATed" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN
