Ah yes, that one is a trap… I usually just check the web interface; there you can clearly see whether a rule is disabled or not.
Here are my rules for the input and output chains; maybe a handy starting point:
```
/ip firewall filter
add action=accept chain=input comment="ICMP from anywhere" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid log=yes log-prefix="IPv4 drop invalid"
add action=accept chain=input comment="SSH from local networks" dst-port=22 in-interface-list=LAN protocol=tcp src-address=192.168.0.0/16
add action=accept chain=input comment="HTTPS from local networks" dst-port=443 in-interface-list=LAN protocol=tcp src-address=192.168.0.0/16
add action=accept chain=input comment="IGMP from IPTV-WAN" in-interface-list="WAN (IPTV)" protocol=igmp
add action=accept chain=input comment="IGMP from IPTV-LAN" in-interface-list="LAN (IPTV)" protocol=igmp
add action=accept chain=input comment="UDP multicast from IPTV-WAN" dst-address=224.0.0.0/4 dst-port=1024-65535 in-interface-list="WAN (IPTV)" protocol=udp
add action=accept chain=input comment="Remaining from IPTV-LAN" in-interface-list="LAN (IPTV)" log=yes log-prefix="RRR From IPTV-WAN "
add action=accept chain=input comment="ALL from local networks" in-interface-list=LAN src-address=192.168.0.0/16 disabled=yes log=yes log-prefix="IPv4 ACCEPT-TEST from LAN"
add action=drop chain=input comment="Drop all other connections from WAN ports" in-interface-list=WAN log=yes log-prefix="IPv4 drop from WAN"
add action=drop chain=input comment="Drop all remaining packets" log=yes log-prefix="IPv4 drop remaining"
add action=accept chain=output comment="ICMP to anywhere" protocol=icmp
add action=accept chain=output comment="Established,related,untracked to LAN" connection-state=established,related,untracked out-interface-list=LAN
add action=accept chain=output comment="Established,related,untracked to WAN" connection-state=established,related,untracked out-interface-list=WAN
add action=accept chain=output comment="Syslog from lo to 127.0.0.1" dst-address=127.0.0.1 dst-port=514 out-interface=lo protocol=udp
add action=accept chain=output comment="IGMP to IPTV-WAN" out-interface-list="WAN (IPTV)" protocol=igmp
add action=accept chain=output comment="IGMP to IPTV-LAN" out-interface-list="LAN (IPTV)" protocol=igmp
add action=accept chain=output comment="DNS (UDP) to LAN" dst-port=53 out-interface-list=LAN protocol=udp
add action=accept chain=output comment="DNS (TCP) to LAN" dst-port=53 out-interface-list=LAN protocol=tcp
add action=accept chain=output comment="NTP to time server" dst-address=192.168.1.123 dst-port=123 out-interface-list=LAN protocol=udp
add action=drop chain=output comment="Drop all remaining" log=yes log-prefix="OUTPUT drop remaining"
```
Note that these are only rules for traffic to and from the router itself, not the traffic that is routed through it (that is what the forward chain is for).
My NTP and DNS servers are internal, so you will need to adjust those rules if yours are external.
Optionally you can restrict access (HTTPS and SSH) further, for example to your own workstation. You can also disable ICMP to and from the internet if you want (the PING tool from the router will then no longer work).
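As an added example (not the poster's own code), a small Python audit over a `/ip firewall filter` export in the format above: it parses the `add key=value` lines and flags rules that are `disabled=yes` as well as chains whose last rule is not a `drop`. `SAMPLE_EXPORT` is a constructed excerpt of a few of the rules above, not the full rule set.

```python
import shlex

# Constructed sample in the shape of the export above (not the full rule set).
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="ALL from local networks" in-interface-list=LAN src-address=192.168.0.0/16 disabled=yes log=yes log-prefix="IPv4 ACCEPT-TEST from LAN"
add action=drop chain=input comment="Drop all remaining packets" log=yes log-prefix="IPv4 drop remaining"
add action=accept chain=output comment="ICMP to anywhere" protocol=icmp
"""


def parse_rules(export_text):
    """Turn each 'add key=value ...' line into a dict (values may be quoted)."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skip the '/ip firewall filter' header and blank lines
        rule = {}
        # shlex handles key="value with spaces" as a single token
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def audit(rules):
    """Report disabled rules and chains that do not end in an explicit drop."""
    findings = []
    last_by_chain = {}
    for idx, rule in enumerate(rules):
        if rule.get("disabled") == "yes":
            findings.append(f"rule {idx} in chain {rule['chain']} is disabled: "
                            f"{rule.get('comment', '')}")
        last_by_chain[rule["chain"]] = rule  # export order is rule order
    for chain, rule in last_by_chain.items():
        if rule.get("action") != "drop":
            findings.append(f"chain {chain} does not end in a drop rule")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_EXPORT)):
        print(finding)
```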