There are several major classes of source addresses you should deny on your external interface in all cases. These are incoming packets claiming to be from the following:
Your IP address
Your LAN addresses
Class A, B, and C private IP addresses
Class D multicast IP addresses
Class E reserved IP addresses: Loopback interface addresses
Malformed broadcast addresses
Class A network 0 addresses
Link local network addresses: DHCP clients sometimes assign themselves a link local address when they cant get an address from a server. These addresses range from 169.254.0.0 to 169.254.255.255.
TEST-NET addresses: The address space from 192.0.2.0 to 192.0.2.255 is reserved for test networks.