Added: 2 years ago
From: bufo333
Views: 3,669
All Comments (6)

  • Explain a bit more clearly your terms "term allow-all" and "then accept".

    Give one example / tell me which one you said in the video....

  • Comment removed

  • This is meant to be on the input side of an external (internet facing) interface, correct?

  • Why add the term allow-all then accept? If the filter is applied on input to fe-0/0/0 which is your internet-facing port, then wouldn't you want the default to be implicit deny? Otherwise seems like it's wide open.

    Also, does blocking rfc1918 inbound from the internet interfere with ipsec tunnels which might have rfc1918 address spaces on the other end? I had that problem with a Cisco ASA...

  • @xphobe This access list is meant only as an antispoofing access list. You are looking for specific combinations of TCP flags, and you are also looking for addresses that are wrong. For instance, you would want to allow all traffic through your routers; however, you would not want traffic coming from the internet with a source of RFC 1918 private addresses, as that would be a spoofing attack on your network. Also, there are certain types of flags, like SYN-FIN, that should never be used together.

  • Also note that at the end of the filter list you have to define a term

    term allow-all

    then accept;

    Otherwise the implicit deny at the end of the filter list will block all traffic.
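The filter the comments describe, written out as a complete Junos configuration. This is an added example, not the configuration from the video or its author: the filter name antispoof, the counter names, and fe-0/0/0 unit 0 as the internet-facing interface are assumptions (the comments only mention the interface name). Terms are evaluated top to bottom and the first match wins, so the two discard terms sit before the final allow-all; without that last term, the implicit deny at the end of the filter would drop everything that did not match.

```junos
/* Added example, not the original video's configuration.
   Assumptions: filter name "antispoof", counter names, and
   fe-0/0/0 unit 0 as the internet-facing interface. */
firewall {
    family inet {
        filter antispoof {
            /* Terms match top-down; first match wins. */
            term block-rfc1918-source {
                from {
                    /* Private source addresses should never arrive
                       from the internet: treat them as spoofed. */
                    source-address {
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                    }
                }
                then {
                    count rfc1918-spoofed;
                    discard;
                }
            }
            term block-syn-fin {
                from {
                    protocol tcp;
                    /* SYN and FIN set together is never legitimate. */
                    tcp-flags "syn & fin";
                }
                then {
                    count syn-fin;
                    discard;
                }
            }
            /* Required: without this term the implicit deny at the
               end of the filter drops everything that did not match. */
            term allow-all {
                then accept;
            }
        }
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input antispoof;
                }
            }
        }
    }
}
```

After committing, `show firewall filter antispoof` displays the two counters; a non-zero rfc1918-spoofed or syn-fin count is the detection signal that spoofed or malformed packets are reaching the interface. On the IPsec question raised in the thread: an input filter on fe-0/0/0 inspects the packet as it arrives on that interface, which for a tunnel is the outer ESP packet carrying the peer's public address. On platforms where decrypted traffic is delivered on a separate tunnel interface (for example st0 on SRX), the inner RFC 1918 addresses are seen by filters on that tunnel interface rather than by this one, so the RFC 1918 block here does not affect the tunnelled traffic.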
