As I noted before, check out MOAB before you waste too much time, so that you can protect yourself and get on with other things LOL.
Personally I use this at the moment ( https://axiomcyber.com/shield ) but if not I would be using MOAB.
One will get lost in the cloud of suggestions, methods, etc. It's actually the black hole of wasted time IMHO...
For example I am looking at forgetting about all lists and simply trapping and blocking ALL unwanted traffic, never mind from where.
Then leave the freed-up time for actually looking at what happens when something is behind the router and trying to get out.
That's where the real security issue is from my viewpoint (no external access permitted so not worried about that). So catching bitcoin mining outbound or the like is what now interests me.
To catch all the traffic and forget about all those lists out there:
Use Raw Prerouting to capture a source address list for common ports I will never use on my LAN (139, 20-23 for example). This will capture the majority of probing bad guys.
Use Filter to capture a source address list for common ports I DO use on my LAN, and specify in-interface-list=WAN (53, 80, 443 for example). May capture more bad guys.
Use Raw to drop the source address list for 6 hrs... (bye-bye to all of them for six hours).
Done... everything that is legitimate traffic, established and related (connection tracked) or dstnatted (see below) will work as per normal; all other traffic will be captured and dropped, mostly in RAW, which is less load for the CPU.
The only tricky part is if one has some destination nat setup with authorized users.
Again not a problem: ensure each specific NAT rule includes the authorized users (one rule for company A to server A, one rule for friends to server B, etc.).
In the filter rule that covers all DST NAT connections, simply add the source address list that includes all users, i.e. a super source list associated with destination NAT (A+B+C, etc.).
If you see any holes in my thinking feel free to chime in.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
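The three steps above (raw capture on never-used ports, filter capture on used ports from WAN, raw drop of the list for 6 hours) plus the dst-nat allow-list, written out as RouterOS config. This is an added, constructed example and not the poster's actual rules; the interface list "WAN", the address-list names, the 203.0.113.0/24 client range and the 192.168.88.10 server are assumptions, so adjust ports and addresses to your own LAN.

```routeros
# Constructed example, not from the post. Assumes interface list "WAN" exists
# (it does in the default config) and that dst-natted servers live on the LAN.

/ip firewall address-list
# Authorised users of dst-natted servers: one list per rule, plus the union.
add list=company_A address=203.0.113.0/24 comment="constructed range"
add list=dstnat_users address=203.0.113.0/24 comment="super list = A (+B+C...)"

/ip firewall raw
# Step 3 first in order: sources already listed are dropped before conntrack.
add chain=prerouting action=drop src-address-list=bad_sources \
    comment="drop listed sources; cheapest path in RAW"
# Step 1: ports never used on this LAN. add-src-to-address-list does not
# terminate, so the first packet continues to filter and is dropped there;
# every later packet from that source hits the drop rule above for 6h.
add chain=prerouting action=add-src-to-address-list address-list=bad_sources \
    address-list-timeout=6h in-interface-list=WAN protocol=tcp dst-port=20-23,139 \
    comment="probes on ports never used here (TCP)"
add chain=prerouting action=add-src-to-address-list address-list=bad_sources \
    address-list-timeout=6h in-interface-list=WAN protocol=udp dst-port=139 \
    comment="probes on ports never used here (UDP)"

/ip firewall filter
# Unsolicited WAN traffic to the router's own address lands in input.
add chain=input action=accept connection-state=established,related
# Step 2: ports the LAN does use; only new WAN connections to the router itself
# (nothing dst-nats them) are unwanted, so list the source for 6h.
add chain=input action=add-src-to-address-list address-list=bad_sources \
    address-list-timeout=6h in-interface-list=WAN connection-state=new \
    protocol=tcp dst-port=53,80,443 comment="WAN hitting LAN-used ports"
add chain=input action=drop in-interface-list=WAN comment="all other WAN input"

add chain=forward action=accept connection-state=established,related
# Single rule covering every dst-nat: only the super list gets through.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    src-address-list=dstnat_users comment="authorised dst-nat users only"
add chain=forward action=drop in-interface-list=WAN connection-state=new \
    comment="everything else from WAN"

/ip firewall nat
# One dst-nat rule per authorised group and server (company A -> server A).
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 \
    src-address-list=company_A action=dst-nat to-addresses=192.168.88.10 \
    comment="constructed: company A to server A"
```

A source from outside company_A that connects to port 443 is not dst-natted, so it reaches the input capture rule and is listed, which is the "may capture more bad guys" effect described above.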