Re: Firewall - block/open options

You didn't say if the rules you've mentioned are on WAN_in or WAN_out or WAN_local?

 

Typical setup in our business is WAN_in default DROP and allow only established and related. Punch holes for specific services hosted on internal side.

WAN_local default DROP, allow established and related. Punch hole for IPSec VPN related ports for router management. Also allow PING... we like our devices pingable, makes it easy for quick checks and troubleshooting.

WAN_out typically default ACCEPT. Reject invalid.
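The three rulesets described in the post above, written out as an added example (not the poster's own configuration). It assumes EdgeOS configure-mode syntax, `eth0` as the WAN interface, IPsec with NAT-T (UDP 500/4500 plus ESP), and arbitrary rule numbers.

```vyatta
# Added example. Assumptions: EdgeOS CLI, WAN on eth0, rule numbers arbitrary.
configure

# WAN_IN: traffic from the Internet routed to internal hosts.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description "allow established/related"
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
# Holes for services hosted on the internal side go here, one rule each,
# scoped to the specific destination address, protocol and port.

# WAN_LOCAL: traffic from the Internet addressed to the router itself.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description "allow established/related"
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description "IPsec IKE and NAT-T"
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 destination port 500,4500
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description "IPsec ESP"
set firewall name WAN_LOCAL rule 30 protocol esp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description "allow ping"
set firewall name WAN_LOCAL rule 40 protocol icmp
set firewall name WAN_LOCAL rule 40 icmp type-name echo-request

# WAN_OUT: traffic leaving through the WAN interface.
set firewall name WAN_OUT default-action accept
set firewall name WAN_OUT rule 10 action reject
set firewall name WAN_OUT rule 10 description "reject invalid state"
set firewall name WAN_OUT rule 10 state invalid enable

# Bind each ruleset to its direction on the WAN interface.
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 firewall out name WAN_OUT

commit
save
```

With this layout, management services such as SSH or the web UI are not opened in WAN_LOCAL at all; they are reached through the IPsec tunnel.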

 

 

