Сергей

add action=drop chain=input comment="drop" dst-address-list=block
add action=drop chain=forward comment="drop" dst-address-list=block \\ Рекомендация Виктор Бельский

add action=jump chain=input jump-target=alarm port=5060,5073 protocol=tcp
add action=add-src-to-address-list address-list-timeout=1m chain=alarm connection-state=new protocol=tcp src-address-list=block-stage-1
add action=add-src-to-address-list address-list=block-stage-2 address-list-timeout=1m chain=alarm connection-state=new protocol=tcp src-address-list=block-stage-1
add action=add-src-to-address-list address-list=block address-list-timeout=1d chain=alarm connection-state=new protocol=tcp src-address-list=block-stage-2

add action=jump chain=input jump-target=alarm port=5060,5073 protocol=udp
add action=add-src-to-address-list address-list-timeout=1m chain=alarm connection-state=new protocol=udp src-address-list=block-stage-1
add action=add-src-to-address-list address-list=block-stage-2 address-list-timeout=1m chain=alarm connection-state=new protocol=udp src-address-list=block-stage-1
add action=add-src-to-address-list address-list=block address-list-timeout=1d chain=alarm connection-state=new protocol=udp src-address-list=block-stage-2

^.+(vortex.data.microsoft.com|vortex-win.data.microsoft.com|
telecommand.telemetry.microsoft.com|telecommand.telemetry.microsoft.com.nsatc.net|oca.telemetry.microsoft.com|
oca.telemetry.microsoft.com.nsatc.net|sqm.telemetry.microsoft.com|sqm.telemetry.microsoft.com.nsatc.net|
watson.telemetry.microsoft.com|watson.telemetry.microsoft.com.nsatc.net|redir.metaservices.microsoft.com|
choice.microsoft.com|choice.microsoft.com.nsatc.net|df.telemetry.microsoft.com|
reports.wes.df.telemetry.microsoft.com|wes.df.telemetry.microsoft.com|services.wes.df.telemetry.microsoft.com|
sqm.df.telemetry.microsoft.com|telemetry.microsoft.com|watson.ppe.telemetry.microsoft.com|telemetry.appex.bing.net|
telemetry.urs.microsoft.com|telemetry.appex.bing.net|settings-sandbox.data.microsoft.com|
vortex-sandbox.data.microsoft.com|survey.watson.microsoft.com|watson.live.com|watson.microsoft.com|
statsfe2.ws.microsoft.com|corpext.msitadfs.glbdns2.microsoft.com|compatexchange.cloudapp.net|cs1.wpc.v0cdn.net|
a-0001.a-msedge.net|statsfe2.update.microsoft.com.akadns.net|diagnostics.support.microsoft.com|
corp.sts.microsoft.com|statsfe1.ws.microsoft.com|pre.footprintpredict.com|i1.services.social.microsoft.com|
i1.services.social.microsoft.com.nsatc.net|feedback.windows.com|feedback.microsoft-hohm.com|
feedback.search.microsoft.com|rad.msn.com|preview.msn.com|ad.doubleclick.net|ads.msn.com|
ads1.msads.net|ads1.msn.com|a.ads1.msn.com|a.ads2.msn.com|adnexus.net|adnxs.com|
az361816.vo.msecnd.net|az512334.vo.msecnd.net).*$