Basic firewall

Hi,
i thought that if i configure Internet access on MK, then it creates some firewall rule to secure WAN port.
But now i found that there aren’t any rules… i had limited access to services by this way:

Flags: X - disabled, I - invalid 
 #   NAME                             PORT ADDRESS        	CERTIFICATE
 0 XI telnet                             23
 1 XI ftp                                21
 2   www                                80 192.168.28.0/24
                                           192.168.29.0/24
 3   ssh                                22 192.168.29.0/24
                                           192.168.28.0/24
 5   api                              8728 192.168.29.0/24
                                           192.168.28.0/24
 6   winbox                           8291 192.168.29.0/24
                                           192.168.28.0/24
 7   api-ssl                          8729 192.168.29.0/24 	none
                                           192.168.28.0/24

now i created few rules, but i’m not sure that they are correct:

Flags: X - disabled, I - invalid, D - dynamic 
 0     chain=forward action=accept src-address=192.168.29.0/24  log=no  log-prefix="" 
 1 XI  chain=input   action=accept connection-state=established in-interface=Ethernet1 - ISP log=no log-prefix="" 
 2 XI  chain=input   action=accept connection-state=related     in-interface=Ethernet1 - ISP log=no log-prefix="" 
 3 XI  chain=input   action=drop   in-interface=Ethernet1 - ISP log=no log-prefix="" 
 4 XI  chain=forward action=drop   log=no log-prefix=""

how can i configure a basic firewall: drop ingoing connection to WAN port, allow outgoing connection from LAN (192.168.29.0/24 and 192.168.28.0/24) ?

thank you.

The default config has default block rules. I’m assuming you started from a blank config.

Simply add a default drop for the forward and input chain, and make each the last rule in the chain.
You should be able to find many examples both in the forum and wiki.