There are a few people saying that a synology NAS may not do everything you’d ever want, but there’s an underlying assumption there that you should run everything on a single device. There’s value in isolating functions to their dedicated device, especially when the alternative means a guaranteed compromise.
The advice I’ve read (and implemented myself) is to not so much run a block list, but an allow list. So first things first, have a rule to block all connections, then have overriding rules to allow connections using criteria you would deem safe. If you know someone needs to access the server from the UK, include the UK on the allow list. Everything else can remain locked down until you have a reason to open it up to another country.
Wtf?