What are your go-to additional settings for WAN port firewall?

I'm setting up my first OpenWrt router to replace the one provided by my ISP.

I've set up the WAN port with some basic inbound rules to stop the common sense things, but I'd be interested to hear what everyone else considered essential.

What are your own personal go-to firewall rules that you set up to protect yourself from things trying to pass from WAN to LAN?

By default, nothing is allowed from WAN to LAN unless initiated first from LAN to WAN. Have you enabled specific inbound traffic?

The banip package is very popular for blocking known “bad” IPs from passing the firewall in either direction.

The essential things are already in place.

Do not tinker with it unless you really know what you are doing.

(Yes I know you could argue to use DROP instead of REJECT)

9 years as a net admin, but with a completely different ecosystem.

I know what I'm doing, but I don't know OpenWRT, hence why I'm here asking for advice from people who know the local landscape.

If you are a net admin then you probably should know how to configure a firewall for your specific use case, or not?

Changing Reject to Drop, disabling ping and altering some of the IPv6 forward parameters (e.g., I don't forward ping to devices) - that's all for me.

(BTW, nothing can otherwise pass from WAN - except the few, self-explanatory, default rules.)

Was a net admin, on a different ecosystem.

Things have changed, and I don't know OpenWRT. Every system has its nuances, and new threats come along all the time. There's no shame in asking people with more experience for their opinions, that's how we educate ourselves.

cat /etc/config/firewall

Feel free to review them (they're also self-documenting).

Something may have been lost in translation. I'm interested in what users personally do that's not in the documentation, or that they find to be better than the documentation.

Community knowledge.

And you also added:

By default, nothing can pass from WAN to LAN (except what's listed in the default rules).

So it's unclear what meaningful information the community can expound on, given it requires editing (or wiping - I'm not giving a recommendation) the default ruleset.

Yeah, but the logic of a zone-based firewall is the same.
Also how opening or forwarding ports works.
Yes, IPv4 is slightly different than IPv6, but only because there is no NAT with IPv6.
But allowing traffic to be forwarded from one zone or interface to another stays the same.
:person_shrugging:

Asking the question is the first step in finding the answer to this.

Dude. What is missing? Or what do you think is missing?
The default setting is fine. And complete.
Besides, if you have any special needs, then you need to tell us what those are so we can comment on that.
Everything else is just throwing chicken bones.

<canned reply.>

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

So, you're using the vanilla settings?

Are you running a vanilla network?

Do you have a service you're referencing that requires open ports?

(I think that was the point of the chicken bone comment. Did anyone make chicken salad :chicken: ?)

Does anything seem odd about the default rules, or do you have questions?

Did any of the suggestions thus far seem relevant, or may be ones you might employ in your use case - wanna talk about it?

I agree that asking the question is valid. As a newbie I asked myself the same question.

For me, the effort doesn't stop at "block all connections from the outside with the firewall".

Malware can get in through the firewall on connections made from inside the LAN. Having banip as @dave14305 suggests may help. Having your own DNS server that blocks domain names associated with malware can help as well. Port knocking can help fend off attacks if you need to have some ports open to the WAN world, I'm not sure how to configure that yet. For even more protection, a proxy server that looks for suspicious data inside connections could help.

I have also disabled IPv6 (not just removed the firewall rules that allowed some traffic through), because I don't fully understand it yet and I don't need it.

I'm not sure what additional firewall rules could help. I remember years ago there were all kinds of rules to filter out smurf packets and other bad fragment stuff, but I don't see that anywhere anymore.

I really don't understand your hostility.

My original question wasn't controversial or contentious, and yet you come out swinging as if I asked something deliberately divisive.

I just wanted to know if anyone had any tips or tricks to improve upon the default firewall settings, which seem to be being kept deliberately sparse, in keeping with the bare bones approach of OpenWRT in general.

Would you share examples of rules you added? I think the confusion is there are no rules needed for inbound if you haven’t changed the default wan zone settings.

My only modifications are like @lleachii:

  1. Change INPUT policy from REJECT to DROP.
  2. Disable Ping rule from wan.
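The two changes listed here (the same two @lleachii describes a few posts up) are plain UCI edits to /etc/config/firewall. The script below is an added example, not code from this thread or from the OpenWrt project: it rewrites a copy of the firewall config (wan zone `input` REJECT to DROP, the IPv4 `Allow-Ping` rule disabled) and then audits the result, listing every rule that accepts traffic from the wan zone so you can see exactly what is exposed. It embeds a constructed, trimmed copy of the default config shape so it runs offline; the function names are this example's own, and the `uci` commands in the comments are the equivalent you would type on the router. It deliberately leaves the `Allow-ICMPv6-Input` rule alone, since IPv6 needs ICMPv6 on the WAN side for neighbour discovery and path MTU discovery.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): harden and audit an OpenWrt
# /etc/config/firewall without needing `uci` on the machine you run this on.
# SAMPLE_FIREWALL_CONFIG is a constructed, trimmed copy of the default layout.

SAMPLE_FIREWALL_CONFIG='config defaults
    option syn_flood    1
    option input        REJECT
    option output       ACCEPT
    option forward      REJECT

config zone
    option name         lan
    list   network      lan
    option input        ACCEPT
    option output       ACCEPT
    option forward      ACCEPT

config zone
    option name         wan
    list   network      wan
    list   network      wan6
    option input        REJECT
    option output       ACCEPT
    option forward      REJECT
    option masq         1
    option mtu_fix      1

config forwarding
    option src          lan
    option dest         wan

config rule
    option name         Allow-DHCP-Renew
    option src          wan
    option proto        udp
    option dest_port    68
    option target       ACCEPT
    option family       ipv4

config rule
    option name         Allow-Ping
    option src          wan
    option proto        icmp
    option icmp_type    echo-request
    option family       ipv4
    option target       ACCEPT

config rule
    option name         Allow-ICMPv6-Input
    option src          wan
    option proto        icmp
    list   icmp_type    echo-request
    list   icmp_type    echo-reply
    option limit        1000/sec
    option family       ipv6
    option target       ACCEPT
'

# Rewrite FILE in place: wan zone input -> DROP, Allow-Ping rule disabled.
# On the router the equivalent is (section indices vary, check `uci show firewall`):
#   uci set firewall.@zone[1].input='DROP'
#   uci set firewall.@rule[N].enabled='0'
#   uci commit firewall && /etc/init.d/firewall restart
harden_firewall_config() {
    file=$1
    tmp=$(mktemp)
    awk -v q="'" '
        # Pass 1 (same file read first): map section index -> type and name,
        # so the edit does not depend on "option name" preceding "option input".
        FNR == NR {
            if ($1 == "config") { n++; type[n] = $2 }
            if ($1 == "option" && $2 == "name") { v = $3; gsub(q, "", v); name[n] = v }
            next
        }
        # Pass 2: emit the rewritten file.
        $1 == "config" {
            i++; print
            if (type[i] == "rule" && name[i] == "Allow-Ping") print "    option enabled      0"
            next
        }
        type[i] == "zone" && name[i] == "wan" && $1 == "option" && $2 == "input" {
            print "    option input        DROP"; next
        }
        # Drop any pre-existing enabled= line in Allow-Ping; we already emitted ours.
        type[i] == "rule" && name[i] == "Allow-Ping" && $1 == "option" && $2 == "enabled" { next }
        { print }
    ' "$file" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the wan zone input policy and every rule that ACCEPTs from wan.
# Exit 1 if wan input is not DROP or Allow-Ping is still live, else 0.
audit_firewall_config() {
    awk -v q="'" '
        $1 == "config" { n++; type[n] = $2 }
        $1 == "option" { v = $3; gsub(q, "", v); opt[n, $2] = v }
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                if (type[i] == "zone" && opt[i, "name"] == "wan") {
                    printf "wan zone input policy: %s\n", opt[i, "input"]
                    if (opt[i, "input"] != "DROP") rc = 1
                }
                if (type[i] == "rule" && opt[i, "src"] == "wan" && opt[i, "target"] == "ACCEPT") {
                    en = ((i, "enabled") in opt) ? opt[i, "enabled"] : "1"
                    printf "wan accept rule %-20s proto=%-5s dest_port=%-4s enabled=%s\n", opt[i, "name"], opt[i, "proto"], opt[i, "dest_port"], en
                    if (opt[i, "name"] == "Allow-Ping" && en != "0") rc = 1
                }
            }
            exit rc
        }
    ' "$1"
}

# Demo on the constructed config: audit, harden, audit again.
demo() {
    f=$(mktemp)
    printf '%s' "$SAMPLE_FIREWALL_CONFIG" > "$f"
    echo "== before =="; audit_firewall_config "$f" || echo "(audit: not hardened)"
    harden_firewall_config "$f"
    echo "== after ==";  audit_firewall_config "$f" && echo "(audit: hardened)"
    rm -f "$f"
}
demo
```

Run it against a copy of the router's file (`scp root@router:/etc/config/firewall .`) to get the same report. The audit is the part worth keeping: after any change, the list of wan ACCEPT rules is the ground truth of what you have exposed. Note the trade-off the earlier "DROP instead of REJECT" remark alludes to: with DROP a scanner cannot tell a filtered port from a dead host, but a legitimate client that hits a closed port waits for a timeout instead of getting an immediate ICMP reject.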

I specifically asked did you wish to discuss so you wouldn't imply that (for the third time in the forum).

Agreed (context helps). Also, I would not advise port knocking, but SSH via key, or a more silent protocol, WireGuard (the port is silent with the correct key/SRC IP).