In wanting to make sure to retain access via WinBox remotely,
and wanting to secure the router from client access (to deny clients access to the router via web browser directly through ether1’s IP),
would I use something like the following?
/ ip firewall filter
add chain=public-services connection-mark=http action=drop comment="HTTP (80/TCP)"
If you have version 2.9, use the following rule to block the Winbox data:
‘ip firewall filter add src-address=client_network_addres dst-port=8291 dst-protocol=tcp action=drop comment=drop_local_client_Winbox_traffic’ chain=input.
With some corrections:
/ ip firewall filter add chain=input src-address=client_network_addres protocol=tcp dst-port=8291 action=drop comment="drop_local_client_Winbox_traffic"
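
As an added example (not from any post in this thread), the following simplified Python model of ordered filter-rule evaluation on the input chain shows what the corrected rule does and does not block. The 192.168.88.0/24 client network, the sample source addresses and the port-80 rule in the custom chain are constructed for illustration; only accept/drop actions and the three matchers shown are modelled.

```python
import ipaddress
import shlex

# Constructed rule set: the corrected rule from the thread, with a sample
# client network (192.168.88.0/24) in place of client_network_addres, plus a
# drop rule in a custom chain that the input chain never jumps to.
RULES = """
add chain=input src-address=192.168.88.0/24 protocol=tcp dst-port=8291 action=drop comment="drop_local_client_Winbox_traffic"
add chain=public-services protocol=tcp dst-port=80 action=drop comment="HTTP (80/TCP)"
"""

def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict, keeping rule order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)  # keeps quoted comments as one token
        if not tokens or tokens[0] != "add":
            continue
        rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules

def matches(rule, src, protocol, dst_port):
    """A rule matches only if every matcher it specifies agrees with the packet."""
    if "src-address" in rule:
        if ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src-address"]):
            return False
    if "protocol" in rule and rule["protocol"] != protocol:
        return False
    if "dst-port" in rule and int(rule["dst-port"]) != dst_port:
        return False
    return True

def verdict(rules, src, protocol, dst_port, chain="input"):
    """First matching rule in the chain decides; no match means accept."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, src, protocol, dst_port):
            return rule["action"]
    return "accept"

if __name__ == "__main__":
    rules = parse_rules(RULES)
    # Client to WinBox, client to the web interface, remote host to WinBox.
    for src, port in [("192.168.88.10", 8291), ("192.168.88.10", 80), ("203.0.113.5", 8291)]:
        print(src, port, verdict(rules, src, "tcp", port))
```

In this model the client is dropped on 8291 but still accepted on 80, because the port-80 rule sits in a chain that traffic to the router never traverses; remote WinBox traffic is accepted.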