"Real" firewalls have a bunch more features than the built-in firewall of RouterOS. But firewalling is not the core business of RouterOS. It's RouterOS and not FirewallOS. So I'm fine with that. If I want more features I use a firewall appliance or something like pfSense ... Even if blocking by country is a common feature, it's not an efficient way. The most secure way is always white-listing instead of black-listing.
Agreed. I'm just making the point that it's actually a pretty basic feature, and would be relatively easy to implement in ROS if the developers chose to do so.
An IPS/IDS system is a different type of security and should always be considered as additional to, not instead of, firewalling.
Again, agreed. However, my Snort IPS is both an inline IPS and firewall. The beauty of modern firewalling products is that many of them can be implemented anywhere from layer 2 on up. My description of my home system is simplified. In reality, I have a pretty comprehensive ruleset governing the FORWARD chain which handles all my inbound/outbound filtering, and the IPS is secondary to that. Packets coming in the interfaces hit my firewall rules first, then get passed to the IPS engine. Only packets that get by both are allowed to go in or come out of my networks.
Malware is something completely different from the brute-force attacks rotten777 is facing. Therefore it needs to be fought differently. As you already pointed out, blocking malware from calling home is difficult. One good way is to use lists (e.g. stuff from abuse.ch) of known C&C servers to block/detect such traffic. Most important is that you want to alert on hits on these lists and not just block. If you have a malware calling home you need to remove it from your system although it's blocked on your firewall/proxy/dns ...
And agreed, once more. Alerting is every bit as important as blocking, especially since nobody has the time to review all the logs in their entirety. I'm not sure why I posted regarding malware instead of brute-force - last week must have been longer than I thought! Some options/best practices rotten777 can look at are not exposing the management interface to the Internet, or using a firewall rule to only accept management connections from a known source. The preferable method is the former, relying on a VPN connection to provide access to the management interface. If the management interface isn't available externally, it eliminates brute-force attempts from external sources. Alternatively, if leaving the management interface available externally, a properly written rule would drop any connection attempt that wasn't coming from him. This would require a static public IP for the location from which he manages everything, but he probably already has that. If not, it shouldn't be too hard to arrange.
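As an added example (not posted by anyone in this thread), a RouterOS firewall fragment that turns the two recommendations above into rules: management ports on the input chain are accepted only from a known static source, and outbound hits against a C&C address list are logged as well as dropped so they show up as alerts. The addresses are placeholders from the RFC 5737 documentation ranges, and the interface name `ether1` and the list names are assumptions.

```routeros
# Address lists: the admin's static public IP, and known C&C destinations.
# Both entries are constructed placeholders; fill the C&C list from a feed
# such as abuse.ch, not from this example.
/ip firewall address-list
add list=mgmt-allowed address=203.0.113.10 comment="admin location (placeholder)"
add list=cnc-known address=198.51.100.23 comment="sample C&C entry (placeholder)"

/ip firewall filter
# Keep replies to existing sessions flowing before any management logic.
add chain=input action=accept connection-state=established,related \
    comment="accept established/related"
# Management (ssh, www, www-ssl, winbox) only from the known admin source.
add chain=input action=accept protocol=tcp dst-port=22,80,443,8291 \
    src-address-list=mgmt-allowed comment="management from known source only"
# Every other attempt on the management ports from the WAN is logged and
# dropped; the log line is what makes brute-force attempts visible.
add chain=input action=drop protocol=tcp dst-port=22,80,443,8291 \
    in-interface=ether1 log=yes log-prefix="mgmt-drop" \
    comment="drop unknown management attempts"
# Outbound traffic to a listed C&C address: log (alert) and drop. The log
# entry is the signal that an infected host on the LAN must be cleaned.
add chain=forward action=drop dst-address-list=cnc-known log=yes \
    log-prefix="CNC-HIT" comment="alert and block known C&C destinations"
```

Watch `/log print where message~"CNC-HIT"` or forward the log to a syslog host; a hit means a machine behind the router needs remediation even though the connection was blocked.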