Scenario with cablemodem or dsl and a firewall appliance
The firewall appliance usually does a good job of firewalling while allowing you to access the internet (NAT) from any of your inside boxes (computers).
Make sure you have a good password on your firewall appliance.
It is probably good to make sure that you can only configure the firewall appliance from your private net.
When port forwarding from your firewall appliance to an inside computer, be selective about which ports you forward back. Make sure any inside computers that receive such port forwards have proper security in place.
For example, when port forwarding SSH, then on the box receiving the forward, do not allow root to log in directly. Specifically list the allowed SSH user(s) in sshd using the AllowUsers parameter (sshd_config). Make sure any users allowed to receive SSH have a good password. By not allowing root to log in, then any hack attempts must pick a valid user account name to begin hacking the password.