lipeng001
newbie
Topic Author
Posts: 40
Joined: Wed Nov 14, 2012 5:36 am

How to deny the all access from "wan" to "lan" in forward chain ?

Wed Jun 26, 2019 5:25 pm

How to deny the all access from "wan" to "lan" in forward chain ?
I have tried to deny TCP access from wan to lan by dropping the packet with the SYN flag.
Is there any way to drop every IP access from "wan" to "lan" in the forward chain?
I have another question: there is a NAT rule:
chain=srcnat action=masquerade src-address-list=NAT
I can telnet to the "lan" IP address which is being masqueraded in src-address-list=NAT from "wan"?
 
anav
Forum Guru
Posts: 19372
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to deny the all access from "wan" to "lan" in forward chain ?

Wed Jun 26, 2019 6:53 pm

Please state your requirement in terms of use cases vice equipment functionality or specific router settings.
In other words describe what you want users of your network to be able to do or not do.

The MT default firewall rules that come with the latest versions are 'safe' out of the box and you need do nothing to stop unsolicited wan to lan traffic. (WAN to LAN is blocked by default).
Therefore suggest you reset to defaults or post your current config here for viewing and analysis.

/export hide-sensitive file=yourconfig26jun
 
boldsuck
Frequent Visitor
Posts: 60
Joined: Sun Sep 01, 2013 1:07 am
Location: Germany

Re: How to deny the all access from "wan" to "lan" in forward chain ?

Wed Jun 26, 2019 9:56 pm

I can telnet to the "lan" IP address which is being masqueraded in src-address-list=NAT from "wan"?
And after reset to defaults:
One of the most important pages for new ROS users:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

Telnet from WAN :shock: Take SSH with pub-key-auth.
 
lipeng001
newbie
Topic Author
Posts: 40
Joined: Wed Nov 14, 2012 5:36 am

Re: How to deny the all access from "wan" to "lan" in forward chain ?

Thu Jun 27, 2019 6:23 am

Thanks!
The version of my MT is 5, so it does not have the "safe" characteristic.
In this environment, the way to block unsolicited wan to lan traffic:
1. Drop the SYN of TCP packets from wan
2. Drop the "echo reply" of ICMP from wan
3. Drop the "xxx" of UDP from wan?

My requirement:
1. The network users can access the internet from lan with masq
2. I can't understand the case of "telnet lan ip from wan" in an environment where all lan IPs are masqueraded.
3. Block unsolicited wan to lan traffic.
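
The per-protocol plan in the post above, set beside a connection-state rule set, as an added example that is not part of any post in this thread. It assumes the WAN interface is named ether1 and uses single-value connection-state matchers; adapt the interface name to the actual router.

```routeros
# Added example, not from the thread. Assumption: ether1 is the WAN interface.
/ip firewall filter

# Per-protocol approach (shown as comments for comparison only):
#   add chain=forward in-interface=ether1 protocol=tcp tcp-flags=syn,!ack action=drop
# This stops new inbound TCP connections, but UDP has no handshake flag to
# match on, so new inbound UDP flows would still be forwarded.

# Stateful approach: let connection tracking decide what is "unsolicited".
# Rule order matters; the accepts must come before the final drop.

# Replies to connections that LAN hosts opened (any protocol).
add chain=forward connection-state=established action=accept
# Traffic related to an existing connection, e.g. ICMP errors.
add chain=forward connection-state=related action=accept
# Packets that connection tracking cannot associate with any valid flow.
add chain=forward connection-state=invalid action=drop
# Everything else arriving on the WAN interface is a new, unsolicited flow.
# Note: this also drops dst-nat port forwards unless they are accepted above it.
add chain=forward in-interface=ether1 action=drop

# The srcnat masquerade rule only rewrites the source address of traffic
# leaving the router; it does not filter the forward chain. A WAN-side host
# that has a route to the LAN subnet can reach LAN addresses directly unless
# a forward-chain rule such as the last one above drops the packet.
```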
 
anav
Forum Guru
Posts: 19372
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to deny the all access from "wan" to "lan" in forward chain ?

Thu Jun 27, 2019 4:18 pm

Sorry, I will not give any advice for someone using old firmware. After you have upgraded to the latest stable firmware I would be happy to help.