How would you block all traffic from a specific IP using a firewall rule that uses an address list named "blocked"?

Blocking traffic from a specific IP with an address list is done by a firewall rule that matches the traffic as it arrives at the router and then drops it. The rule should use the inbound path, so chain=input, and reference the address list with src-address-list=blocked, while setting the action to drop. This blocks any packet coming from any IP in the blocked list as it reaches the device, and it keeps management simple because you can add or remove IPs from the list without changing the rule itself. Using the forward chain would target traffic passing through the router, not traffic destined for or arriving at the router, which isn’t what you want here. Referencing a single IP with src-address would only block that one address, not every IP in the list. And using accept would permit traffic instead of blocking it.