Follow the instructions here to establish a basic set of firewall rules: WAN_IN and WAN_LOCAL
configure
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
set interfaces ethernet eth3 firewall in name WAN_IN
set interfaces ethernet eth3 firewall local name WAN_LOCAL
commit ; save
Then we open only the SSH port on the firewall.
Use the GUI to add a new rule to the WAN_LOCAL chain. It already has:
Rule 1 - allow established and related
Rule 2 - drop invalid.
So add Rule 3 -
On the Basic pane: Enable, Action accept, Protocol tcp
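A check worth running once rules like these are in place, as an added example that is not part of the original page: this Python script parses `set firewall name ...` commands and lists every accept rule that admits new connections, so an accept with no destination port stands out. The rule number 30 and destination port 22 (the default SSH port) in the sample are assumptions; the page does not state them.

```python
import shlex

# Constructed sample: the WAN_LOCAL commands from this page plus an assumed
# SSH rule (rule number 30 and port 22 are assumptions, not from the page).
SAMPLE = """
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol tcp
set firewall name WAN_LOCAL rule 30 destination port 22
"""

def parse(text):
    """Build {ruleset: {"default": str, "rules": {num: {key: value}}}}."""
    sets = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:3] != ["set", "firewall", "name"] or len(tok) < 6:
            continue
        rs = sets.setdefault(tok[3], {"default": None, "rules": {}})
        if tok[4] == "default-action":
            rs["default"] = tok[5]
        elif tok[4] == "rule" and len(tok) >= 8:
            # e.g. "state established" -> "enable", "destination port" -> "22"
            rs["rules"].setdefault(int(tok[5]), {})[" ".join(tok[6:-1])] = tok[-1]
    return sets

def audit(sets):
    """Return (findings, exposed): policy gaps and new-connection accept rules."""
    findings, exposed = [], []
    for name, rs in sorted(sets.items()):
        if rs["default"] != "drop":
            findings.append(f"{name}: default-action is {rs['default']}, not drop")
        for num, rule in sorted(rs["rules"].items()):
            states = {k.split()[1] for k, v in rule.items()
                      if k.startswith("state ") and v == "enable"}
            if rule.get("action") != "accept" or (states and states <= {"established", "related"}):
                continue  # drops and reply-only accepts expose nothing new
            proto, port = rule.get("protocol", "all"), rule.get("destination port")
            exposed.append((name, num, proto, port))
            if port is None:
                findings.append(f"{name} rule {num}: accepts {proto} on every port")
    return findings, exposed

if __name__ == "__main__":
    print(audit(parse(SAMPLE)))
```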