AREDN Node Behind a Firewall

VA7UL

I have had good results placing my nodes behind independent firewalls on independent public IP addresses, but I'm not particularly happy with the fact I simply forward all incoming TCP and UDP ports from the Internet to the nodes.  It's a bit like handing out the keys to the kingdom for hackers.  The only defense is the iptables settings in the node, but I like to have redundancy whenever possible.

When I look at the RJ45 LEDs for the VLAN switch ports that feed the nodes, they are constantly very busy, which may or may not represent random hacking attempts.  I haven't bothered to put a sniffer on the subnets so I have no idea what all that traffic represents.

My question:  Which TCP/UDP inbound ports (if any) are essential for operation of an AREDN node?  I would always allow anything outbound from the node, but I'd like to only forward required inbound ports to the node sitting behind the pfSense firewall.  If no inbound ports are required, I could simply block everything inbound.  One port I can think of that might be required is for a MeshChat server connected to the node, in our case here in BC - port 8080. 

Suggestions are always welcomed, with my thanks.  73!
Chuck.   VA7UL
 

K6CCC

My question:  Which TCP/UDP inbound ports (if any) are essential for operation of an AREDN node? 


None unless you are running a tunnel SERVER.  If you are, you need port 5525 TCP.

 
VA7UL

Thanks so much!  It is the sort of response I was hoping for.  I do run a tunnel server so I'll only forward port 5525/tcp to the nodes.
73!   Chuck
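An added example, not from this thread or the AREDN project, showing the two pfSense NAT policies discussed above in hand-written pf syntax: the forward-every-port rule Chuck describes beside the tunnel-server-only rule K6CCC recommends. The interface name, public address and node address are constructed placeholders.

```pf
# Constructed example in pf syntax; not rules exported from the pfSense GUI.
ext_if  = "em0"            # WAN interface (placeholder)
pub_ip  = "203.0.113.10"   # public IP dedicated to this node (documentation range)
node_ip = "10.0.0.2"       # AREDN node on the VLAN behind the firewall (placeholder)

# Outbound from the node stays unrestricted, as in the original question.
nat on $ext_if from $node_ip to any -> $pub_ip

# BEFORE: forward every TCP and UDP port to the node. Only the node's own
# iptables then stands between the Internet and its services.
# rdr pass on $ext_if proto { tcp udp } from any to $pub_ip -> $node_ip

# AFTER: only the tunnel server port (5525/tcp) reaches the node.
# Remove this rule entirely if the node is not a tunnel SERVER.
rdr pass on $ext_if inet proto tcp from any to $pub_ip port 5525 -> $node_ip port 5525

# MeshChat on 8080/tcp would need its own rdr line only if that service is
# deliberately meant to be reachable from the Internet; the node itself does not need it.

# Everything else arriving on the WAN is dropped and logged.
block in log on $ext_if
pass out on $ext_if from $node_ip to any keep state
```

The `block in log` line makes the busy-LED traffic Chuck mentions visible in the firewall log, so what was previously forwarded blindly can now be inspected.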
 
