I think I might have found the answer.
I have an FTP server running in DMZ on port 21.
I have a NAT rule translating an inbound port of say 22321 to 21 on the Port Forward page.
I then initially must somehow have created a FW rule on WAN allowing traffic to port 21 of the FTP server - the rule I was asking about.
I then later create a rule allowing traffic to port 22321 on the FTP server - thinking the FW rule had to refer to the external port, not the internal- and removed the first rule, which broke FTP access.
I think the confusion comes from when I took my CCSP exam may years ago - belive , at one point, that Cisco FW, used the external port for inbound traffic - but later changed that to the internal port.
Rule restored, FTP working again.
All of that - becomes irrelevant when going through an Onion Service, which establishes connections from inside the FW - but unfortunately stuff like Mozilla Thunderbird 86 does not yet support TOR/Socks 5 proxy.