The default firewall state for IPv4 and IPv6 would be enabled. This can be disabled via the AAISP control pages. Rules can be added as required.
The firewall is configured via the router's Web interface:
Security -> Firewall -> Access Control
You don't need to create any special 'protocol' lists, you can simply enter in the Target IP/Port etc. in to the rule.
From the CLI the iptables command is available, which is familiar to Linux users. If logged in as supervisor the sh command is available to get a root shell prompt, where the ip6tables command can be found.
Having added a rule via the Web interface, it is worth checking with iptables or ip6tables that it has been successful - rules don't always get set correctly and/or may not survive a power cycle. For example, adding a firewall rule on the Web interface to allow IPv4 UDP traffic from anywhere to port 1194 on my Raspberry Pi (inbound openvpn traffic) with a name of OpenVPN, it added an iptables rule:
Chain OpenVPN (0 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
but failed to add a rule in the ACL_FORWARD table to actually invoke that new chain. I had to add it manually:
Chain ACL_FORWARD (1 references) pkts bytes target prot opt in out source destination 0 0 VoIP4A udp -- * * 220.127.116.11/31 0.0.0.0/0 udp 3010 1045K VoIP4B udp -- * * 18.104.22.168/29 0.0.0.0/0 udp 0 0 VoIP4C udp -- * * 22.214.171.124/24 0.0.0.0/0 udp 0 0 VoIP4D udp -- * * 126.96.36.199/24 0.0.0.0/0 udp 0 0 OpenVPN udp -- * * 0.0.0.0/0 81.187.xx.xx udp
The 4 VoIP rules have always needed to be added manually after a power cycle, I guess the OpenVPN rule will have to be too.
IPv6 rules seem to be added properly and survive power cycles.