I have just found out that despite adding a rule through the GUI :-
Internface "External" Action Drop bound for "External"
and adding by IP tables from the CLI
vbash-4.1# iptables -A INPUT -j DROP -p tcp --destination-port 22 -i ppoe0
vbash-4.1# iptables -A INPUT -j DROP -p tcp --destination-port 80 -i ppoe0
vbash-4.1# iptables -A INPUT -j DROP -p tcp --destination-port 443 -i ppoe0
A port scan from an internet based server still shows these ports are listening on the internet.
I have even tried changing the SSHD listening address to an internal address, and still the external port is listening.
This is a MAJOR security conern, I only noticed this when I spotted someone from Vietnam was trying to SSH in to my router.
The management of the firewall on this device is appauling and seems to negate it being of any use.