+## Ingress filter (see RFC 2827) (eth0:LAN<192.168.100.0/24>)
+-A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j LOG --log-tcp-options --log-ip-options --log-prefix "[UFW BLOCK LOG_INGRESS]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j DROP
+
+## DROP CIFS(Samba) access from/to WAN(eth1)
+-A ufw-before-input -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-input -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-output -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-output -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+
+## Access from LAN
+-A ufw-before-input -i eth0 -j ACCEPT
+-A ufw-before-forward -i eth0 -j ACCEPT
+