The firewall rules are processed from the top of the list to the bottom. When a match is made then that action is taken and the processing stops. This firewall is stateful, meaning for you that you only have to enter rules based on the originating connection: where it started and where it aims to get to. You don't have to have rules for the replies from the destination back to the originator (source).
The further down the firewall policy a rule is, the more processing load is required to get a match. So put the most used rules at the top and end with a deny all at the bottom (but remember that if you hit the deny all without having rules for you to access the NAS, you will be locked out). This approach works well but you may have to prioritise some blocking rules near the top (e.g. country blocks) if you want to use an allow all to service X later on.
Regarding country blocking, this can be evaded by people using VPN services to breakout in a permitted country. But it should at least block some traffic.
The objective of the firewall is to allow only the minimum necessary access that you are willing to accept. I would not use the auto-rule feature as you won't learn what you are doing. If you do use this feature then go and review the new rules and adapt them to limit access and place them in the list where is more appropriate. Likewise, don't use the UPnP router config feature (disable it in your router). These auto features blow holes in security policies to allow access to services: you may as well have had a wide open security policy since when not running the services there is nothing to be exposed or attacked, but when you do run a new service and auto rules are added it's just the same as not adding rules but have a open policy.