Access Control WAN Interface MGMT services

How exactly do you access control the management services such as TCP 80/443/22 on the Route10 Product WAN interfaces?

I would like to reduce the attack surface of listening ports on the appliance:

~ # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      8138/uhttpd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      5612/dnsmasq
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      5612/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      5923/dropbear
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      8138/uhttpd
tcp        0      0 :::80                   :::*                    LISTEN      8138/uhttpd
tcp        0      0 fe80::beb9:23ff:fe81:8d01:53 :::*                    LISTEN      5612/dnsmasq
tcp        0      0 fe80::beb9:23ff:fe81:8d00:53 :::*                    LISTEN      5612/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      5612/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      5923/dropbear
tcp        0      0 :::443                  :::*                    LISTEN      8138/uhttpd
udp        0      0 0.0.0.0:1701            0.0.0.0:*                           6543/xl2tpd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           7053/rc
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           32140/https-dns-pro
udp        0      0 127.0.0.1:5054          0.0.0.0:*                           32139/https-dns-pro
udp        0      0 127.0.0.1:5055          0.0.0.0:*                           32141/https-dns-pro
udp        0      0 192.168.70.5:53         0.0.0.0:*                           5612/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           5612/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           5612/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           5612/dnsmasq
udp        0      0 :::547                  :::*                                5612/dnsmasq
udp        0      0 fe80::beb9:23ff:fe81:8d01:53 :::*                                5612/dnsmasq
udp        0      0 fe80::beb9:23ff:fe81:8d00:53 :::*                                5612/dnsmasq
udp        0      0 ::1:53                  :::*                                5612/dnsmasq

Create firewall rules via GUI to drop connections from any source (leave blank) to 192.168.1.1:80/443/22 respectively (or whatever gateway IP and ports), Protocols UDP+TCP, from WAN zone to Any zone?!

Something like this:

Haven’t tried this myself, so be cautious that you don’t get locked out. I believe it should work, as I think the Route10 initiates the connection via outbound communication to the controller. Maybe someone else can chime in on this to verify.
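
As an added example (not written by either poster and not part of the Route10 firmware): a shell filter that sorts the `netstat -tulpn` listing from the question by bind address, so the sockets bound to `0.0.0.0` or `::` stand out from the loopback, link-local and LAN-bound ones. These are the listeners to check against the WAN firewall rules. The function names are assumptions, and the sample lines are copied from the listing above.

```shell
#!/bin/sh
# Added example. Sample lines are copied from the listing in the question.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      8138/uhttpd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      5612/dnsmasq
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      5612/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      5923/dropbear
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      8138/uhttpd
tcp        0      0 fe80::beb9:23ff:fe81:8d01:53 :::*                    LISTEN      5612/dnsmasq
tcp        0      0 :::443                  :::*                    LISTEN      8138/uhttpd
udp        0      0 0.0.0.0:1701            0.0.0.0:*                           6543/xl2tpd
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           32140/https-dns-pro
EOF
}

# stdin: netstat -tulpn output. stdout: "<scope> <proto> <port> <program>".
classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)/ {
        proto = $1; sub(/6$/, "", proto)       # net-tools prints tcp6/udp6
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        prog = $NF; sub(/^[0-9]+\//, "", prog) # drop the PID
        if (addr == "0.0.0.0" || addr == "::")     scope = "wildcard"
        else if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
        else if (addr ~ /^fe80:/)                  scope = "linklocal"
        else                                       scope = "specific"
        print scope, proto, port, prog
    }'
}

# Wildcard-bound sockets only, IPv4/IPv6 duplicates merged: "<proto>/<port> <program>".
wildcard_ports() {
    classify_listeners | awk '$1 == "wildcard" { print $2 "/" $3, $4 }' | LC_ALL=C sort -u
}

# On the router itself: netstat -tulpn | wildcard_ports
sample_netstat | wildcard_ports
```

A wildcard bind only means the daemon accepts connections on every interface; whether the port is reachable from the WAN still depends on the firewall rules for that zone.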