The exclamation mark indicates ‘not’ so in your example, not ether1
Protocol 6 stands for TCP
I’m getting way too many 443 (HTTPS) entries in my “log everything else” log (false positives).
I bet it’s just reflexive (aka established) connections and the firewall is not grouping them into filter #14 (accept established) since it’s 443 and it’s accidentally overlooking this.
How can I fix this? Thanks.
Here is my log and my filters:

I guess you are wrong in the chain assignment.
The rule you highlighted is on the input chain, traffic destined for the router itself.
Are these all your rules or are there more?
For easy reading I advise to group them per chain, so it is clear in one view what rules will be applied to which packet.
I actually prefer what is provided in the book “RouterOS by Example”: it has the usual dropping invalid and accepting input from trusted networks, then it accepts established, then only accepts NEW forwards from the trusted network, then related forwards, then established forwards, finally dropping all other inputs and forwards. This works perfectly. From this I also add in accepted ports for services I want accessible to the world while listing and banning those that make repeated blocked attempts as a means to protect those open ports.
The default firewall rules as set up by the quickset option probably work the same as above but only using the input chain (as per v6.19): first rule is to blindly accept all ICMP, then accept established, then related, rules for VPN go here if enabled, then drop everything on the WAN interface.
…
To directly answer this and to add to the answer already provided, you have to realise that there are multiple ways that data is handled by the router. Yes, the rules are from top down but you might have a few input rules at the top, followed by a deny all input rule, followed by your rules for the forwarded data, followed by say a chain created for ICMP that’s jumped to prior to the drop all.
Also, muchas gracias for the log option on rules now
MadEngineer, do you have an example of this firewall? A link to the writeup?
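
The rule order described in the post above, written out as a RouterOS filter list grouped per chain. This is an added example, not part of the original thread or the book; the interface name `bridge-lan`, the subnet `192.168.88.0/24` and the log prefixes are assumptions standing in for the trusted network and local naming.

```routeros
# Added example. bridge-lan and 192.168.88.0/24 are assumed names for the
# trusted network; replace them with the real LAN interface and subnet.
/ip firewall filter

# --- input chain: packets addressed to the router itself ---
add chain=input connection-state=invalid action=drop \
    comment="drop invalid"
add chain=input in-interface=bridge-lan src-address=192.168.88.0/24 \
    action=accept comment="input from trusted network"
add chain=input connection-state=established action=accept \
    comment="replies to connections the router started"
add chain=input action=drop log=yes log-prefix="in-drop" \
    comment="drop and log all other input"

# --- forward chain: packets passing through the router ---
add chain=forward connection-state=new in-interface=bridge-lan \
    src-address=192.168.88.0/24 action=accept \
    comment="only the trusted network may open new connections"
add chain=forward connection-state=related action=accept \
    comment="related forwards"
add chain=forward connection-state=established action=accept \
    comment="return traffic, e.g. HTTPS replies from port 443"
add chain=forward action=drop log=yes log-prefix="fwd-drop" \
    comment="drop and log all other forwards"
```

Return traffic for a LAN client's HTTPS session is matched in the forward chain, so the established accept has to exist there; an accept-established rule that sits only in the input chain never sees those packets, and they fall through to the final logging rule.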
I understood the timing.
I like my new firewall, but I’m definitely missing something!
Anyone know what PeerBlock is?
I would love it if I could implement something like that into a hardware appliance (like a switch or router or ASA)
(allows or denies host IPs based on community-defined host lists of bad or good hosts).
If you can’t work it out from my post, buy the book