without touching zone firewall (I have tried it and it takes 5 mins for ERX to boot up):
/ip firewall filter
add action=drop chain=input comment="drop invalid" connection-state=invalid
add chain=input comment="allow established" connection-state=\
    established,related
add chain=input comment="allow lan" in-interface=bridge-gms src-address=\
    10.5.25.0/24
add action=drop chain=input comment="drop else -- CARE!"
add action=drop chain=forward comment="drop weird packets" connection-state=\
    invalid
add chain=forward comment="allow est,rel" connection-state=\
    established,related
add chain=forward comment="allow vpn/lan" in-interface=all-ppp \
    out-interface=bridge-gms src-address=172.16.25.0/24
add chain=forward comment="allow internet" out-interface=ether1-gateway
add action=drop chain=forward comment="drop forwarding from WAN" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface=ether1-gateway
add action=drop chain=forward comment="drop everything else" \
    connection-nat-state=!dstnat
That's an example of one of my rules. Pretty straightforward. But in Edge, where do I specify the in-interface and out-interface?