Just one outstanding question then I probably should close this as Solved ...

As I understand it, our ISP https://bulloch.solutions/home/ doesn't support ip6v - should those references be commented-out or deleted or is there no harm in leaving them there?

See https://wiki.debian.org/nftables and run

for i in {ip{,6},arp,eb}tables ; do sudo update-alternatives --config $i ; done

All of the alternatives should be pointing to *tables-nft, change them if they don't.

Check for any extant iptables configuration with

# iptables-save

I'm pretty sure that should be blank.

"It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. So keep it simple and flush out all iptables rules, and make sure it is not loaded."

    iptables -F
Do the same for IPv6:
    ip6tables -F

"Ensure that during system reboots the iptables configuration or modules are no longer loaded." (I'm not sure how to do this.)

It is my understanding that ICMP echo requests should be allowed but I'm no expert.

Reference: http://shouldiblockicmp.com/

OK, I'll leave it be.

I believe that the ASUS router I'm using has some firewall controls - I could look at preventing a ping flood there first.

Reference: http://shouldiblockicmp.com/

Also, as I understand it, our ISP https://bulloch.solutions/home/ doesn't support ip6v - should those references be commented-out or deleted or is there no harm in leaving them there?

root@devuan1:/etc# nft list ruleset
table inet firewall {
	chain inbound_ipv4 {
	}

	chain inbound_ipv6 {
		icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
	}

	chain inbound {
		type filter hook input priority filter; policy drop;
		ct state vmap { invalid : drop, established : accept, related : accept }
		iifname "lo" accept
		meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
		tcp dport { 22, 80, 443 } accept
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
	}
}
root@devuan1:/etc# 

EDIT: use this to check after the service starts:

# nft list ruleset

Aptitude isn't installed - is it worth adding?

I returned to Synaptic and selected Status then Uninstalled then gufw and ufw to completely remove.

It left those two folders in place and deleted all but applications.p from ufw and left gufw.cfg, Home.profile, Office.profile, and Public.profile behind in gufw (it only deleted app.profile).

I'll remove the rest manually.

I've uninstalled grav.

I used Synaptic to uninstall ufw and gufw - but whereis finds ufw still in /etc/ufw (multiple .rules, .init, .conf and one .init file in there)

/etc/gufw still contains app.profiles, gufw.cfg, Home.profile, Office.profile, and Public.profile.

I can just delete these directories/folders and files but do you know why Synaptic uninstall left these behind?

It's as simple as

# apt install nftables orphan-sysvinit-scripts {g,}ufw-
# cp /usr/share/orphan-sysvinit-scripts/nftables /etc/init.d
# update-rc.d nftables defaults
# editor /etc/nftables.conf # copy in example file from my link
# /etc/init.d/nftables start

Then check with

# nft list ruleset

It would be even simpler had Debian bothered to supply an init script for nftables but unfortunately the developer doesn't give a crap about alternative init systems. For shame!