Block outbound traffic too.
Open up just what you need.
Segment internally and restrict access. You don’t need more than SSH to a Linux server, or perhaps access to the web interface of an application running on it.
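The three points above as a host firewall, in an added nftables example that is not from the original page. The subnet, resolver and mirror addresses and the web interface port (443) are constructed assumptions, and the ruleset covers IPv4 only.

```nftables
#!/usr/sbin/nft -f
# Added example: default-deny in both directions on a Linux server.
# All addresses below are constructed placeholders, not values from the page.
flush ruleset

define MGMT_NET     = 10.0.10.0/24   # assumed admin / jump-host segment
define DNS_RESOLVER = 10.0.0.53      # assumed internal resolver
define PKG_MIRROR   = 10.0.0.80      # assumed internal package mirror

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Only SSH and the application's web interface, and only from the
        # management segment rather than from every internal network.
        ip saddr $MGMT_NET tcp dport { 22, 443 } accept

        # Rate-limited log of everything else, then the drop policy applies.
        limit rate 5/minute log prefix "in-drop: "
    }

    chain forward {
        # This host is not a router.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oifname "lo" accept
        # Replies to the inbound sessions accepted above.
        ct state established,related accept

        # Open up just what the server needs to initiate itself.
        ip daddr $DNS_RESOLVER meta l4proto { tcp, udp } th dport 53 accept
        ip daddr $PKG_MIRROR tcp dport 443 accept

        # Unexpected outbound attempts are worth alerting on.
        limit rate 5/minute log prefix "out-drop: "
    }
}
```

Validate with `nft -c -f <file>` before loading, and if the host uses IPv6, add the ICMPv6 neighbor discovery rules it needs, since the drop policies in the `inet` table apply to IPv6 as well.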