As title.
I'm trying to set up access to Mercurial repos that I share on port 8000, but only to external IPs that I allow.
Setting up the filter in the firewall to allow access to port 8000 to my internal IP (172.16.5.100) isn't enough to get it going; you have to use either Port Redirection or Open Ports to get it to work. Indeed, you don't need any firewall filters to enable that at all, just the NAT.
Once that's working, if I set up a firewall filter that says to block any traffic from the WAN on port 8000 to any LAN IP address, unless it's one I explicitly allow (using objects, or just a single IP), it appears to have no effect; the Port Redirection seems to completely bypass the firewall.
Does this sound like correct behaviour? If it is then it seems a bit poor to me as I can only enable or disable a service. I can't restrict WHO can use that service. Isn't that the point of having a firewall?