These are the rules that I am using. You should review them and make any changes to suit your own network layout.
Static Filters
Reject inbound with these source addresses
These three items reject any inbound packet whose source address falls in the RFC1918 private ranges. Applied to the PP (WAN) interface.
ip filter 1000 reject 10.0.0.0/8 * * * *
ip filter 1001 reject 172.16.0.0/12 * * * *
ip filter 1002 reject 192.168.0.0/16 * * * *
Reject outbound with these destination addresses
ip filter 1010 reject * 10.0.0.0/8 * * *
ip filter 1011 reject * 172.16.0.0/12 * * *
ip filter 1012 reject * 192.168.0.0/16 * * *
Block telnet and ssh from outside
These two rules could again be applied to the PP interface in the inbound direction.
ip filter 1013 reject * * tcp * telnet
ip filter 1014 reject * * tcp * 22
Protect ports
These are some well-known ports which are known to create network security issues. There are probably more. These rules should be applied to the PP interface with direction in. They could also be applied to the same interface with direction out.
ip filter 1020 reject * * udp,tcp 135 *
ip filter 1021 reject * * udp,tcp * 135
ip filter 1022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 1023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 1024 reject * * udp,tcp 445 *
ip filter 1025 reject * * udp,tcp * 445
Permitted Traffic
At this time I am only using rules 3000 and 3001. Rule 3000 allows ping and traceroute, while 3001 allows any inbound traffic that is created as part of an initial outbound packet.
ip filter 1030 pass * * ah,esp
ip filter 1031 pass * * udp 500 *
ip filter 1032 pass * * udp * 500
ip filter 3000 pass * 192.168.0.0/16 icmp * *
ip filter 3001 pass * * established
Global rules
ip filter 4000 reject * * * *
ip filter 5000 pass * * * *
Dynamic Filters
Dynamic rules
These filters are applied to the PP interface in the out direction and allow the reply packets to come back into the network when the connection was initiated from within the router's network.
ip filter dynamic 100 * * ftp
ip filter dynamic 101 * * www
ip filter dynamic 102 * * domain
ip filter dynamic 103 * * smtp
ip filter dynamic 104 * * pop3
ip filter dynamic 105 * * tcp
ip filter dynamic 106 * * udp
Apply inbound filters for pp
pp select 1
# Apply inbound filters for pp
ip pp secure filter in 1000 1001 1002 1013 1014 1020 1021 1022 1023 1024 1025 3000 3001
# Apply outbound filters for pp
ip pp secure filter out 1010 1011 1012 1020 1021 1022 1023 1024 1025 5000 dynamic 100 101 102 103 104 105 106
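To check how the inbound list above treats a given packet before committing it to the router, the following added Python model (not part of this page and not Yamaha's code) parses a subset of the static filters in the page's own `ip filter` syntax and evaluates them first-match in the order of the `secure filter in` line, with no match meaning discard. It assumes the usual port numbers for the telnet and netbios mnemonics, and writes rule 3000 with 192.168.0.0/16 as the destination, the form that matches inbound echo replies.

```python
import ipaddress

# Port mnemonics used on this page (mapping to IANA numbers is an assumption).
PORT_NAMES = {"telnet": 23, "netbios_ns": 137, "netbios_ssn": 139}

def _addr_match(spec, addr):
    return spec == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):
    if spec == "*":
        return True
    for item in spec.split(","):           # "135", "22" or "netbios_ns-netbios_ssn"
        lo, _, hi = item.partition("-")
        lo = int(PORT_NAMES.get(lo, lo))
        hi = int(PORT_NAMES.get(hi, hi)) if hi else lo
        if lo <= port <= hi:
            return True
    return False

def parse_filter(line):
    """Parse 'ip filter N pass|reject src dst [proto [sport [dport]]]'; '*' fills omissions."""
    f = line.split()
    assert f[:2] == ["ip", "filter"], line
    src, dst, proto, sport, dport = (f[4:9] + ["*"] * 5)[:5]
    return int(f[2]), dict(action=f[3], src=src, dst=dst, proto=proto, sport=sport, dport=dport)

def matches(rule, pkt):
    """pkt keys: src, dst, proto, optional sport/dport, ack (TCP ACK flag set)."""
    if not (_addr_match(rule["src"], pkt["src"]) and _addr_match(rule["dst"], pkt["dst"])):
        return False
    if rule["proto"] == "established":     # Yamaha keyword: TCP segments with ACK set
        return pkt["proto"] == "tcp" and pkt.get("ack", False)
    if rule["proto"] != "*" and pkt["proto"] not in rule["proto"].split(","):
        return False
    return _port_match(rule["sport"], pkt.get("sport", 0)) and _port_match(rule["dport"], pkt.get("dport", 0))

def evaluate(rules, order, pkt):
    """First match wins; a packet matching nothing is discarded (the secure filter default)."""
    for num in order:
        if matches(rules[num], pkt):
            return f"{rules[num]['action']}:{num}"
    return "discard:none"

# Subset of this page's inbound rules; 3000 is written with 192.168.0.0/16 as destination.
RULES = dict(parse_filter(l) for l in """ip filter 1000 reject 10.0.0.0/8 * * * *
ip filter 1001 reject 172.16.0.0/12 * * * *
ip filter 1002 reject 192.168.0.0/16 * * * *
ip filter 1013 reject * * tcp * telnet
ip filter 1022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 3000 pass * 192.168.0.0/16 icmp * *
ip filter 3001 pass * * established""".splitlines())
INBOUND = [1000, 1001, 1002, 1013, 1022, 3000, 3001]
```

Running a new inbound TCP SYN to port 32400 through `evaluate` returns `discard:none`, which shows that a port forwarded with a masquerade static entry still needs its own pass rule in the inbound list.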
Port forwarding to internal
nat descriptor masquerade static 1000 1 192.168.xx.xx tcp 32400
nat descriptor masquerade static 1000 2 192.168.xx.xx tcp 80,443