In the spirit of the thread: a tip for debugging rules allowing (for example) SSH access from wan:
```
nft add rule inet fw4 mangle_prerouting tcp dport 22 meta nftrace set 1
nft monitor
```
Any packet matching the rule in the first line (tcp dport 22 in the mangle_prerouting chain) will then be traced through the remaining nftables chains, which is handy for debugging rules and understanding packet flows.
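
Added example, not part of the original post: a small filter that condenses `nft monitor trace` output to one line per hook, showing the chain path a traced packet took and the rule or policy that accepted or dropped it. The function names, the sample trace and the chain names other than `mangle_prerouting` are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize nftables trace events read from stdin.
# Output per hook: <trace id> <chain path> => <verdict> (<what decided>)

trace_summary() {
    awk '
    # Ignore anything that is not a trace event (e.g. ruleset change notices).
    $1 != "trace" || $2 != "id" { next }
    { id = $3; chain = $6; kind = $7 }
    # A "packet:" line marks the start of a new hook traversal: reset the path.
    kind == "packet:" { path[id] = chain; last[id] = chain; next }
    # Record every chain the packet enters via jump/goto.
    chain != last[id] {
        path[id] = (path[id] == "" ? chain : path[id] ">" chain)
        last[id] = chain
    }
    kind == "rule" {
        v = ""
        if (match($0, /\(verdict [^)]*\)$/))
            v = substr($0, RSTART + 9, RLENGTH - 10)
        if (v == "accept" || v == "drop") {
            rule = $0
            sub(/^trace id [^ ]+ [^ ]+ [^ ]+ [^ ]+ rule /, "", rule)
            sub(/ \(verdict [^)]*\)$/, "", rule)
            printf "%s %s => %s (rule: %s)\n", id, path[id], v, rule
        }
    }
    # No rule gave a final verdict in the base chain, so its policy applied.
    kind == "policy" { printf "%s %s => %s (chain policy)\n", id, path[id], $8 }
    '
}

# Constructed sample of trace output for one SSH SYN arriving on a wan port.
sample_trace() {
    cat <<'EOF'
trace id 3c5a9f1e inet fw4 mangle_prerouting packet: iifname "eth1" ip saddr 203.0.113.7 tcp dport 22
trace id 3c5a9f1e inet fw4 mangle_prerouting rule tcp dport 22 meta nftrace set 1 (verdict continue)
trace id 3c5a9f1e inet fw4 mangle_prerouting verdict continue
trace id 3c5a9f1e inet fw4 mangle_prerouting policy accept
trace id 3c5a9f1e inet fw4 input packet: iifname "eth1" ip saddr 203.0.113.7 tcp dport 22
trace id 3c5a9f1e inet fw4 input rule iifname "eth1" jump input_wan (verdict jump input_wan)
trace id 3c5a9f1e inet fw4 input_wan rule jump reject_from_wan (verdict jump reject_from_wan)
trace id 3c5a9f1e inet fw4 reject_from_wan rule iifname "eth1" drop (verdict drop)
EOF
}

# Live use on the router: nft monitor trace | trace_summary
# Offline check:          sample_trace | trace_summary
```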