Unraid currently requires an additional firewall to be safe, it is not audited for direct exposure. This may change in the future, but as of this writing you must have it protected externally.
Many of us run firewalls as VM's, but that requires multiple ethernet connections, the physical port connected to WAN is not accessible to Unraid, it is directly passed to the VM and excluded from Unraid, and the LAN port on the VM firewall is connected via a switch to Unraid's ethernet. This only works with a fully licensed server because internet access is required to start the array and VM's during the trial period, and if something goes wrong you must have a way to connect to the server OOB, like a separately firewalled IPMI port on the server.
If the server is down, I have a separate hardware firewall waiting to be fired up to take the place of the VM while troubleshooting occurs.
None of this is going to work well in a remote colo setting.