I am not sure what would be exact firewall rules to have incoming-filter per profile.
i've made new chain, named ppp.out, in it i am allowing only two IP's (just for testing).
ppp rules are dynamicaly made upon connect and they have two jumps to ppp.out, but nothing is passing through them, and entire internet is accessible:
two ppp chains are dynamic, couldn't list those. they are jump jump-target=ppp.out

but, nothing is passing through those filters

Please help, i am writing this after googling, but i can't find an example anywhere

you have any rule that will jump to that chain? (action=jump chain=ppp.out)

if you check in firewall manual you can see what chains are available at the beginning, and after that - when you create chains, you have to direct traffic into your chain from default chains

Yes, two dynamic rules are made upon connect, with jump to ppp.out, but nothing goes through those rules...

Mainly you need to manually jump to 'ppp' chain from the 'forward' chain, it is not automatic. Typically you should jump to this chain after checking bogons and established / related rules.

add chain=forward action=jump jump-target=ppp comment="PPP chains - in and \
out" disabled=no

Sam

Thank you, that worked