I have spent some time putting together a firewall to use on two RouterBoards. Each one will have different access lists but will function the same. I have provided below what I have. I do believe the order of the rules below could be wrong. I have not tested these rules.
I would like to ask the community to review these and provided any feedback you may have. I am open to any suggestions.
/ip firewall filter
add chain=input in-interface=ether1 src-address-list=rfc-1918 action=drop comment="Drop leaked public RFC 1918"
add chain=input in-interface=ether1 action=jump jump-target=public-services comment="Jump to Public Services Chain"
add chain=input in-interface=ether1 src-address-list=remote-networks action=accept comment="Allow remote networks"
add chain=input in-interface=ether1 protocol=icmp action=accept comment="Allow ICMP"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop comment="Drop public DNS requests"
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1 protocol=tcp psd=21,3s,3,1 action=drop comment="Drop port scan attempts" disabled=no
add chain=input in-interface=ether1 protocol=tcp connection-limit=3,32 src-address-list=dos_blacklist action=tarpit comment="Suppress DoS attack" disabled=no
add chain=input in-interface=ether1 protocol=tcp connection-limit=10,32 action= add-src-to-address-list address-list=dos_blacklist address-list-timeout=1d comment="Detect DoS attack" disabled=no
add chain=input in-interface=ether1 protocol=tcp dst-port=22 src-address-list=ssh_blacklist ction=drop comment="Drop blacklisted SSH connection attempts" disabled=no
add chain=input in-interface=ether1 protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_attempt_3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=2w comment="SSH connection attempt 3" disabled=no
add chain=input in-interface=ether1 protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_attempt_2 action=add-src-to-address-list address-list=ssh_attempt_3 address-list-timeout=1m comment="SSH connection attempt 2" disabled=no
add chain=input in-interface=ether1 protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_attempt_1 action=add-src-to-address-list address-list=ssh_attempt_2 address-list-timeout=1m comment="SSH connection attempt 1" disabled=no
add chain=input in-interface=ether1 protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_attempt_1 address-list-timeout=1m comment="SSH connection attempt made" disabled=no
add chain=input connection-state=established action=accept comment="Allow established connections"
add chain=input connection-state=related action=accept comment="Allow related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input in-interface=!ether1 src-address-list=trusted-networks action=accept comment="Allow private trusted networks"
add chain=input action=drop comment="Drop everything else"
add chain=public-services in-interface=ether1 protocol=udp dst-port=20561 action=accept comment="Allow MAC Winbox " disabled=yes
add chain=public-services in-interface=ether1 protocol=tcp dst-port=8291 action=accept comment="Allow Winbox" disabled=no
add chain=public-services in-interface=ether1 protocol=udp dst-port=5678 action=accept comment=" MT Discovery Protocol" disabled=yes
add chain=public-services in-interface=ether1 protocol=tcp dst-port=22 action=accept comment="Allow SSH" disabled=yes
add chain=public-services in-interface=ether1 protocol=tcp dst-port=2000 action=accept comment="Bandwidth server" disabled=yes
add chain=public-services in-interface=ether1 protocol=tcp dst-port=8080 action=accept comment="Allow Web Proxy" disabled=yes
add chain=public-services in-interface=ether1 protocol=udp dst-port=1701 action=accept comment="Allow L2TP Connections" disabled=no
add chain=public-services in-interface=ether1 protocol=tcp dst-port=179 action=accept comment="Allow BGP" disabled=yes
add chain=public-services in-interface=ether1 protocol=gre action=accept comment="Allow PPTP and EoIP" disabled=yes
add chain=public-services in-interface=ether1 protocol=ipencap action=accept comment="Allow IPIP" disabled=yes
add chain=public-services in-interface=ether1 protocol=udp dst-port=500 action=accept comment="Allow IPSec connections" disabled=yes
add chain=public-services in-interface=ether1 protocol=ipsec-esp action=accept comment="Allow IPSec ESP" disabled=yes
add chain=public-services in-interface=ether1 protocol=ipsec-ah action=accept comment="Allow IPSec AH" disabled=yes
add chain=public-services in-interface=ether1 action=return comment="" disabled=no
add chain=forward connection-state=invalid action=drop comment="Drop invalid connections"
add chain=forward connection-state=established action=accept comment="Allow established connections"
add chain=forward connection-state=related action=accept comment="Allow related connections"
add chain=forward connection-state=new out-interface=ether1 action=accept comment="Allow outbound LAN traffic"
add chain=forward src-address=0.0.0.0/8 action=drop comment="Drop BOGON"
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
add chain=forward protocol=tcp action=jump jump-target=tcp comment="Jump chains"
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
add chain=tcp protocol=tcp dst-port=69 action=drop comment="Deny TFTP"
add chain=tcp protocol=tcp dst-port=111,135 action=drop comment="Deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="Deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="Deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="Deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="Deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="Deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="Deny BackOriffice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="Deny DHCP"
add chain=udp protocol=udp dst-port=69 action=drop comment="Deny TFTP"
add chain=udp protocol=udp dst-port=111,134 action=drop comment="Deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="Deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="Deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="Deny BackOriffice"
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="Echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="Net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="Host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="Host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="Host source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="Host echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="Host time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="Host parameter bad"
add chain=icmp action=drop comment="Deny all other types"