I am a little concerned/confused by results from a simple port scan on my internet facing ROS box.

I have firewall rules "dropping" pretty much everything but I can still see the following when doing a portscan (nmap -sS xx.xx.xx.xx) and there is nothing showing up on my IMPLICIT_DENY firewall rule to show that this is being "seen" by the firewall.

I want to make this box invisible to the outside world with exception of a few whitelisted IP address which will be in the IP>FIREWALL section.

Any ideas?

Starting Nmap 6.40 ( http://nmap.org ) at 2017-11-22 11:07 GMT
Nmap scan report for xxxxxx.com (xx.xx.xx.xx)
Host is up (0.013s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
179/tcp open bgp
2000/tcp open cisco-sccp

Nmap done: 1 IP address (1 host up) scanned in 4.09 seconds

can you post those deny rules too?

on what chain did you configured the IMPLICIT_DENY firewall rule ?

The IMPLICIT_DENY is on the FORWARD chain.

I am thinking (after reading the documentation a few times), that I need add these DENY rules to the INPUT chain as this is targeting and IP *on* the router itself. Is this correct?

Yes.
A deny on the FORWARD rule inbound on a NAT router serves little purpose.
Of course you can put it there but it will remain at 0 hits.

Permit. Just moved all of my intended rules to the INPUT chain and everything works fine... (a) doesn't show in a port scan and (b) didn't kill BGP and lock myself out of the router!!

Many thanks, Neil