The firewall module protects the system from Internet exposure. Every network packet is checked against the list of firewall rules from top to bottom until a match is found; if no rule matches, the packet is dropped. What happens to a packet depends on the matched firewall rule: accept, reject or drop. Accepted traffic may pass the firewall. Senders of rejected packets are notified with an ICMP destination-unreachable message. Senders of dropped packets are never notified and will time out (or wait indefinitely).
The firewall rules can be applied to any interface. In practice, however, the convention is to use firewall rules mainly for WAN ports (upstream or management networks), since the HSMX manages the subscriber network interfaces itself, using its built-in default policies or Network Policies that are configurable per Location, Billing-plan or individual subscriber.
Every firewall rule has a descriptive name, is applied to one or all interfaces, and has a traffic direction. The direction of a packet is either Incoming or Outgoing, from the point of view of the HSMX gateway. The firewall is stateful, so traffic can be filtered on TCP state. The final three parameters are the (destination) port and the source and destination IP address (or network).
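The first-match evaluation and the rule fields described above, modelled as an added Python example (not HSMX code). The interface name wan0, the state labels NEW/ESTABLISHED, the sample rules and the probe packets are constructed assumptions; shadowed() reports rules that match a probe but are always pre-empted by an earlier rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                    # "accept", "reject" or "drop"
    interface: str = "all"         # one interface name, or "all"
    direction: str = "Incoming"    # from the gateway's point of view
    state: Optional[str] = None    # TCP state label (assumed names); None = any
    port: Optional[int] = None     # destination port; None = any
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"

    def matches(self, p: dict) -> bool:
        return (self.interface in ("all", p["interface"])
                and self.direction == p["direction"]
                and self.state in (None, p["state"])
                and self.port in (None, p["port"])
                and ipaddress.ip_address(p["src"]) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(p["dst"]) in ipaddress.ip_network(self.destination))

def evaluate(rules, p):
    """Top-to-bottom, first match wins; a packet matching no rule is dropped."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return "drop", None

def shadowed(rules, probes):
    """Rules that match some probe but never decide one (ordering mistakes)."""
    winners = {evaluate(rules, p)[1] for p in probes}
    return [r.name for r in rules
            if r.name not in winners and any(r.matches(p) for p in probes)]

def pkt(src, port, state="NEW"):   # constructed probe packet arriving on the WAN port
    return dict(interface="wan0", direction="Incoming", state=state,
                port=port, src=src, dst="203.0.113.1")

RULES = [  # constructed rule list, evaluated in this order
    Rule("allow-established", "accept", "wan0", state="ESTABLISHED"),
    Rule("mgmt-ssh", "accept", "wan0", state="NEW", port=22, source="192.0.2.0/24"),
    Rule("reject-ssh", "reject", "wan0", port=22),
    Rule("web", "accept", "wan0", port=443),
    Rule("block-host", "drop", "wan0", source="198.51.100.7/32"),  # too late in the list
]
PROBES = [pkt("192.0.2.10", 22), pkt("198.51.100.7", 22),
          pkt("198.51.100.7", 443), pkt("203.0.113.50", 23)]
```

With this ordering the block-host rule never takes effect for the probed traffic, because reject-ssh and web match first; moving it above them changes the outcome for that host.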
nmap -sU -sS <ip address>: Run a port scan for the most active/known services using Nmap