@Antibiotic what example is there to show.. Out of the box the pfsense wan rules don't allow anything inbound to your pfsense wan IP from the internet.
What is "exposed" to the internet is what you add.. Here are my wan rules currently
wanrules.jpg
This is what I have exposed to the internet... I.e. some rando IP address out on the internet can talk to these ports.. The ones that are in the US, or elsewhere via my pfblocker alias of what is allowed to talk to these ports. Mostly US based IPs
I have those block rules at the end that log, because I have turned off logging for the default deny.. And this logs what I am interested in seeing. Only tcp syn traffic to my wan, and some common udp ports that might be interesting to know if seeing traffic to those ports..
Here are my LAN rules.
lan.jpg
My clients could talk outbound on BGP... Oh no ;) hehehe
Out of the box the only rules on wan are the 2 blocking source IP of rfc1918 and bogon.. Nothing is "exposed"