What you do with the CPE "firewall" settings depends on what sort of ISP you are. Do you cater to geeks or aunts/grandmothers? Whatever you do, I would suggest that you document in a place that is easy for customers to find exactly what apps/protocols are open/closed with the settings you've decided on (especially if it deviates from any documentation available on the net for that device). You could consider configuring it by default to protect the aunts and grandmothers, but make sure geeks get the info on how to easily open ports for their apps. Also depends on what you block at the network level. If you block all incoming calls to port 25, then blocking it at the CPE router won't add much resilience against attacks as it is already blocked.