Firewall tips for ISP/WISP with public addresses

Hello

All of our clients get public IPs.

Blocking ports 137, 138, 139 and 445 was done early on, protecting clients with Windows and no firewall.

We are seeing a lot of attacks on our networks from external botnets etc.
Lately we had a lot of ICMP TTL expired attacks, so we had to rate limit these packets.

But I still see a lot of “dirty” traffic.

What sort of firewall rules have you set up for your networks?

If you can define “Dirty” you can make ACL rules out of what you see as Dirty.

Yes, but it's not quite that easy, as some of the same traffic is useful.
What one wants is as open as possible, and as safe for clients as possible…

Just trying to find out what other ISPs with a similar setup set in their firewalls/ACLs, and adopt good policies.
I guess most ISPs face similar challenges when it comes to this.