Slack's Nebula on OpenWrt -- discussion thread

Thanks @stangri for this cool package! I discovered how to make the nebula-proto work with the firewall. The issue is that if you configure a zone for the nebula proto interface, you add the interface via list network 'nebula1' (or whatever your nebula tun device is called). I assume the firewall treats this device as either unmanaged or down (it reports "up": false, "pending": true, "available": true via ubus call network.interface.nebula1 status) and no rules are applied. However, you can bypass this by using list device 'nebula1' - this config is used with unmanaged devices and works.

I tried various approaches by modifying /lib/netifd/proto/nebula.sh, like using proto_export INTERFACE="${interface}" or adding an additional param for 'up' to proto_init_update: proto_init_update "${interface}" 1 1, but it does not fix the problem. Writing protocol handlers is basically undocumented, so I'll ask around on the developer forum - perhaps someone will point the error out. I already inspected other packages that implement custom protocol handlers, including net/external-protocol/files/external.sh, which seems to be a template on which nebula-proto was based. I tried tinkering around a bit, but there does not seem to be any notable difference in those implementations :smiley:

EDIT: Link to the question on dev subforum.

1 Like
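
The two zone forms described in the post above, side by side, as an added example that is not part of the original post or of the nebula package. The zone name and the policy values are assumptions; only the list network / list device lines and the interface name nebula1 come from the post.

```uci
# /etc/config/firewall (excerpt) -- constructed example.
# Zone name 'nebula' and the input/output/forward policies are assumptions.

# Form reported in the post as NOT working: the zone references the netifd
# interface. While nebula1 reports "up": false, "pending": true, the post
# observed that no rules were applied for this zone.
#config zone
#	option name 'nebula'
#	list network 'nebula1'
#	option input 'REJECT'
#	option output 'ACCEPT'
#	option forward 'REJECT'

# Form reported in the post as working: the zone matches the tun device by
# its name, the same way unmanaged devices are added to a zone.
config zone
	option name 'nebula'
	list device 'nebula1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# After reloading the firewall, confirm that the generated ruleset actually
# references nebula1; a zone that silently produces no rules leaves overlay
# traffic subject only to the firewall's default policies.
```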