Default rules with labels

# IPv4 filter rules only. Rules are evaluated top to bottom and the first
# match wins, so the order below is part of the policy. A packet that matches
# no rule in a chain is accepted. IPv6 is filtered separately under
# /ipv6 firewall filter and is not covered by anything here.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
# 1: Replies belonging to connections already tracked (or explicitly marked
#    untracked) are accepted first so the remaining rules only see new traffic.
add action=accept chain=input comment=\
    "defconf 1 of 11: accept established,related,untracked" connection-state=\
    established,related,untracked
# 2: Packets that connection tracking cannot associate with a valid flow.
add action=drop chain=input comment="defconf 2 of 11: drop invalid" \
    connection-state=invalid
# 3: ICMP is accepted from every interface, WAN included, because this rule
#    sits above the LAN-only drop in rule 5.
#    NOTE(review): no rate limit or type restriction is applied; confirm that
#    answering ICMP from the WAN side is intended for this deployment.
add action=accept chain=input comment="defconf 3 of 11: accept ICMP" \
    protocol=icmp
# 4: Traffic to the router's own loopback address (the label attributes this
#    to CAPsMAN).
add action=accept chain=input comment=\
    "defconf 4 of 11: accept to local loopback (for CAPsMAN)" dst-address=\
    127.0.0.1
# 5: Everything else is dropped unless it arrived on an interface that is a
#    member of the LAN interface list. This is the rule that keeps the
#    router's own services off the WAN, so its strength depends entirely on
#    the LAN list being correct: an interface wrongly added to LAN is exposed.
#    There is no rule after this one, so traffic from LAN members reaches
#    every enabled router service via the chain's default accept.
add action=drop chain=input comment=\
    "defconf 5 of 11: drop all not coming from LAN" in-interface-list=!LAN
# --- forward chain: traffic routed through the router ---
# 6-7: Traffic matching an IPsec policy (inbound, then outbound) is accepted
#      here, above the fasttrack rule.
add action=accept chain=forward comment=\
    "defconf 6 of 11: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "defconf 7 of 11: accept out ipsec policy" ipsec-policy=out,ipsec
# 8: Established/related connections are handed to FastTrack. Fasttracked
#    packets skip later firewall processing, so any rule that must keep
#    inspecting a flow (logging, per-packet drops) has to be placed above
#    this line.
add action=fasttrack-connection chain=forward comment=\
    "defconf 8 of 11: fasttrack" connection-state=established,related
# 9: Accepts the established/related/untracked packets that still reach the
#    filter (i.e. those not taken by the fasttrack path).
add action=accept chain=forward comment=\
    "defconf 9 of 11: accept established,related, untracked" \
    connection-state=established,related,untracked
# 10: Packets that connection tracking cannot associate with a valid flow.
add action=drop chain=forward comment="defconf 10 of 11: drop invalid" \
    connection-state=invalid
# 11: New connections arriving on a WAN-list interface are dropped unless a
#     dst-nat rule translated them (i.e. a deliberate port forward).
#     This is the only inbound block in the forward chain: it applies solely
#     to members of the WAN interface list, and there is no final drop-all,
#     so new connections from any interface outside that list are forwarded.
#     NOTE(review): verify that every upstream interface (including any
#     tunnel or dial-up interface created later) is a member of WAN.
add action=drop chain=forward comment=\
    "defconf 11 of 11: drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN