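# MikroTik RouterOS IPv4 filter ruleset (/ip firewall filter). IPv6 has its own table
# (/ipv6 firewall filter) and is not covered by anything below.
# Rules are evaluated top-down within each chain; the first matching rule's action wins.
#
# Fix applied to this listing: the export had been passed through a rich-text editor that
# replaced the ASCII double quotes around comment= and log-prefix= values with the
# typographic characters » and ″. RouterOS does not accept those as string delimiters, so
# every line failed to parse when pasted back; the quotes are restored to plain ".
# Also, the two hack-detect rules carried a log-prefix= but no log=yes, so the prefix was
# dead; log=yes is added to match the PSD rules that already log.
#
# Referenced objects that must be defined elsewhere in the config: the interface list
# WAN-list and the address lists fragment-allow, bypass and portscan. A src-address-list
# that does not exist matches no packet, so a negated match such as
# src-address-list=!fragment-allow then matches every source — TODO confirm on the target
# RouterOS version before relying on it as an exemption.

# ---------------- input chain: traffic addressed to the router itself ----------------
# 'untracked' admits packets exempted from connection tracking by /ip firewall raw notrack
# rules, which therefore bypass the stateful checks that follow.
/ip firewall filter add action=accept chain=input comment="accept established, related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="drop invalid" connection-state=invalid
# Echo request only (type 8 code 0). ICMP errors that belong to an existing flow are
# expected to arrive as 'related' and are accepted by the first rule.
/ip firewall filter add action=accept chain=input comment="accept normal ping from anywhere (type 8 code 0)" icmp-options=8:0 protocol=icmp
# dst-limit with rate 1/1m and burst 0, keyed on src+dst address and dst port: the first
# packet per key per minute matches and is dropped; retries inside the window fall through.
# Consequence: a single-probe scan never reaches the hack-detect rules below, which only
# see a source that retries — presumably the intended trade-off, but it also means the
# portscan list is populated only by repeated probes.
/ip firewall filter add action=drop chain=input comment="drop first TCP packet from WAN (1/min+0 exp60 addr+dstport)" dst-limit=1/1m,0,addresses-and-dst-port/1m in-interface-list=WAN-list protocol=tcp src-address-list=!fragment-allow
/ip firewall filter add action=drop chain=input comment="drop first UDP packet from WAN (1/min+0 exp60 addr+dstport)" dst-limit=1/1m,0,addresses-and-dst-port/1m in-interface-list=WAN-list protocol=udp src-address-list=!fragment-allow
# Already-listed sources are dropped before the detect rules, so a listed address stays
# cut off for the remainder of its list timeout regardless of what it sends.
/ip firewall filter add action=drop chain=input comment="drop port scanners" src-address-list=portscan
# Honeypot-style detection: any WAN source (not on the bypass list) that touches one of
# these service ports on the router is listed for one week. Keep the bypass list current
# for legitimate management sources, or they will be locked out on the first connection.
/ip firewall filter add action=add-src-to-address-list address-list=portscan address-list-timeout=1w chain=input comment="hack-detect by TCP port (FTP-SSH-TELNET,MSSQL,RDP)" dst-port=21-23,1433-1434,3389 in-interface-list=WAN-list log=yes log-prefix="[hack-TCP]" protocol=tcp src-address-list=!bypass
/ip firewall filter add action=add-src-to-address-list address-list=portscan address-list-timeout=1w chain=input comment="hack-detect by UDP port (DNS,SNMP,RDP)" dst-port=53,161,1434 in-interface-list=WAN-list log=yes log-prefix="[hack-UDP]" protocol=udp src-address-list=!bypass
# Port-scan detection: psd=<weight-threshold>,<delay>,<low-port-weight>,<high-port-weight>.
# The 2m delay corresponds to the "dl 120" (seconds) in the comment.
/ip firewall filter add action=add-src-to-address-list address-list=portscan address-list-timeout=2w chain=input comment="PSD TCP weight weight 32 dl 120 8/4" in-interface-list=WAN-list log=yes log-prefix="[PSD-TCP]" protocol=tcp psd=32,2m,8,4 src-address-list=!bypass
/ip firewall filter add action=add-src-to-address-list address-list=portscan address-list-timeout=2w chain=input comment="PSD UDP weight 48 dl 120 8/4" in-interface-list=WAN-list log=yes log-prefix="[PSD-UDP]" protocol=udp psd=48,2m,8,4 src-address-list=!bypass
# Default-deny for the WAN side of the input chain. Traffic from any other interface is
# not matched by any rule above and falls through to the chain's default (accept), so
# management exposure on non-WAN interfaces is governed elsewhere (e.g. /ip service).
/ip firewall filter add action=drop chain=input comment="drop all from WAN" in-interface-list=WAN-list

# ---------------- forward chain: traffic routed through the router ----------------
# No fasttrack rule is present, so every forwarded packet stays under connection
# tracking and the filter rules below.
/ip firewall filter add action=accept chain=forward comment="nofasttrack forward" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="drop invalid from WAN" connection-state=invalid in-interface-list=WAN-list
# New inbound connections from WAN are allowed only if a dst-nat rule already claimed
# them; everything else from WAN is dropped here.
/ip firewall filter add action=drop chain=forward comment="drop from WAN exept dstnat" connection-nat-state=!dstnat in-interface-list=WAN-list
# Same first-packet drop as in the input chain, now applied to port-forwarded services.
/ip firewall filter add action=drop chain=forward comment="drop first TCP packet from WAN (1/min+0 exp60 addr+dstport)" dst-limit=1/1m,0,addresses-and-dst-port/1m in-interface-list=WAN-list protocol=tcp src-address-list=!fragment-allow
/ip firewall filter add action=drop chain=forward comment="drop first UDP packet from WAN (1/min+0 exp60 addr+dstport)" dst-limit=1/1m,0,addresses-and-dst-port/1m in-interface-list=WAN-list protocol=udp src-address-list=!fragment-allow
# Sources listed by the input-chain detectors are also barred from port-forwarded services.
/ip firewall filter add action=drop chain=forward comment="drop port scanners forward" in-interface-list=WAN-list src-address-list=portscan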