/ip firewall { filter add chain=inp

1. /ip firewall {
2. filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
3. filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
4. filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
5. filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
6. filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
7. filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
8. filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
9. filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
10. filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
11. filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
12. filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
13. }
14.