These are the default firewall rules on SOHO Mikrotik devices. They are sufficient for all basic purposes:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
You can disable the ICMP and IPsec rules, especially ICMP if the device's WAN is on the Internet.
@anav, it is relatively easy to tell where a rule should be placed by default. Rules are processed top-down, so unless you are setting up an exception for another rule further down (or some other dependency between rules), the default order should always be that whichever rule matches the most packets is listed before the others. This minimizes time spent by the CPU in the slow firewall stage and therefore decreases the load on the CPU. So, for almost any configuration or context, established connections should be far greater than invalid packets, making established a higher priority.
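The ordering argument above can be checked with a small first-match simulator. This is an added example, not part of the original post: it parses the four input-chain rules from the export and counts how many rules each packet traverses. The traffic mix is constructed, and interface-list membership is simplified to a label on each packet.

```python
import shlex

# Input-chain rules copied verbatim from the export in the post.
INPUT_RULES = """
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
"""

# Constructed traffic mix (an assumption, not measured data): (packet, count).
TRAFFIC = [
    ({"connection-state": "established", "protocol": "tcp", "in-interface-list": "LAN"}, 9500),
    ({"connection-state": "invalid", "protocol": "tcp", "in-interface-list": "WAN"}, 100),
    ({"connection-state": "new", "protocol": "icmp", "in-interface-list": "WAN"}, 50),
    ({"connection-state": "new", "protocol": "tcp", "in-interface-list": "WAN"}, 300),
    ({"connection-state": "new", "protocol": "tcp", "in-interface-list": "LAN"}, 50),
]

def parse_rules(text):
    """Turn 'add key=value ...' export lines into dicts of properties."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)  # keeps the quoted comment as one token
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:]))
    return rules

def matches(rule, pkt):
    """True when every matcher in the rule accepts the packet."""
    for key, want in rule.items():
        if key in ("action", "chain", "comment"):
            continue
        negate = want.startswith("!")
        hit = pkt.get(key) in want.lstrip("!").split(",")
        if hit == negate:  # plain matcher missed, or negated matcher hit
            return False
    return True

def evaluate(rules, pkt):
    """First match wins; returns (action, number of rules examined)."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["action"], n
    return "accept", len(rules)  # no rule matched: the packet is accepted

def average_cost(rules, traffic):
    """Mean number of rules examined per packet for a traffic mix."""
    total = sum(count for _, count in traffic)
    return sum(evaluate(rules, p)[1] * c for p, c in traffic) / total
```

Swapping the first two rules leaves every verdict unchanged for this mix, but the mean number of rules examined per packet rises because the dominant established traffic now passes the invalid rule first.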