I want to block all inbound trafic on all ports but have port 80 tcp and port 3389 tcp and port 27000-27050 TCP/UDP open.

But when i make this:
add action=accept chain=forward comment="RDP" disabled=no dst-address=xxx.xxx.xxx.123 dst-port=3389 protocol=tcp src-address=yyy.yyy.yyy.0/28
add action=accept chain=forward comment="HTTP" disabled=no dst-address=xxx.xxx.xxx.123 dst-port=80 protocol=tcp src-address=yyy.yyy.yyy.0/28
add action=accept chain=forward comment="TF2" disabled=no dst-address=xxx.xxx.xxx.123 dst-port=27000-27050 protocol=tcp
add action=accept chain=forward comment="TF2" disabled=no dst-address=xxx.xxx.xxx.123 dst-port=27000-27050 protocol=udp
add action=drop chain=forward comment="BLOCK ALL" disabled=yes dst-address=xxx.xxx.xxx.123

It does not work, i can't even ping out from xxx.xxx.xxx.123 or get any trafic out (look at websites and so on).
Is there something that i don't get about the way the firewall in RouterOS is working?
But the RDP and HTTP works??? (and can connect to the RDP running on xxx.xxx.xxx.123 and look at the HTTP server running on it).
And when i disable the "BLOCK ALL" rule it all works, but the machine is expose'd to the net.

Use IP - services to turn off inbound services.

It's not to the box it self thies rules are for. but a server on a subnet...

Are you routing public addresses or nat?

I'm routing public addresses and this server is on a /30

Check out the Wiki. I think you will find your answer there.

A simple way would be to masquerade the network if you dont mind having a natted output. This will effectively hide your network behind the router but still allow all outgoing traffic.

Currently the last rule in your list will drop ALL traffic in the forward chain, in and out, so the result you are getting is expected.

Check out the Wiki. I think you will find your answer there.

Did not find anything usefull

A simple way would be to masquerade the network if you dont mind having a natted output. This will effectively hide your network behind the router but still allow all outgoing traffic.

Currently the last rule in your list will drop ALL traffic in the forward chain, in and out, so the result you are getting is expected.

Have had that ideer in my head, but i wanted it on it's own IP free of NAT...
But how do a block all indbound and only allow trafic in that i want open? and allow all outbound trafic?

Dmitri's firewall rules. Read the wiki.

Dmitri's firewall rules. Read the wiki.

Will do...

Before the final drop rule add this:
Regards

Andrew