DrayTek firewalls have a firewall rule that is "Block If No Further Match". Follow that with allow rules to achieve the level of filtering you want.
You can specify that the rule is for traffic originating on the WAN destined for the LAN.
That leaves outgoing traffic unaffected.
So leave the General Setup default rule as Pass and go to: Firewall > Filter Setup
Go to Default Data Filter, which is Filter Set 2, Rule 1
Under "Direction" choose WAN -> LAN/RT/VPN
Source IP Any
Destination IP Any
Service Type Any
Application/Action Block immediately if no further match
Now enable Filter Set 2, Rule 2 and explicitly allow any services you wish to run.
Does that help?
Edited by caffn8me (Tue 18-Mar-14 23:43:52)
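
The rule ordering described in the post above, modelled in Python as an added example (not the poster's or DrayTek's code). It assumes that a "Block If No Further Match" rule defers its verdict while later rules are checked; the rule list, the direction strings and the choice of port 443 as the allowed service are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

INBOUND = "WAN->LAN/RT/VPN"    # direction chosen in the post
OUTBOUND = "LAN/RT/VPN->WAN"   # assumed label for outgoing traffic

@dataclass
class Rule:
    direction: str
    port: Optional[int]        # None models Service Type "Any"
    action: str                # "pass", "block" or "block_if_no_further_match"

def evaluate(rules, direction, port, default="pass"):
    """Return 'pass' or 'block' for one packet, checking rules in order."""
    pending = None                         # verdict deferred by an earlier rule
    for rule in rules:
        if rule.direction != direction:
            continue
        if rule.port is not None and rule.port != port:
            continue
        if rule.action == "block_if_no_further_match":
            pending = "block"              # remember it, keep checking
            continue
        return rule.action                 # immediate verdict ends the search
    # Nothing immediate matched: use the deferred verdict if there is one,
    # otherwise the General Setup default (left as Pass in the post).
    return pending or default

# Constructed rule set: Filter Set 2 Rule 1, then one explicit allow (Rule 2).
RULES = [
    Rule(INBOUND, None, "block_if_no_further_match"),
    Rule(INBOUND, 443, "pass"),
]

if __name__ == "__main__":
    for direction, port in [(INBOUND, 443), (INBOUND, 23), (OUTBOUND, 80)]:
        print(direction, port, evaluate(RULES, direction, port))
```

Running it shows the allowed inbound service passing, any other inbound port being blocked, and outgoing traffic falling through to the default Pass.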