When your WANs are in NAT mode, all inbound traffic is blocked because of NAT unless you have specifically opened a port for a service (or its a system service like the web ui or the SpeedFusion Ports).
The default any/any inbound rule then passes any traffic from any remote source sent to open ports (those you have manually opened and the system service ports). If you want to restrict which remote devices can access the open ports you would change that any/any rule and supplement it with more granular firewall rules.