Since no one is perfect and anyone can make mistakes no matter how experienced,
I don't think other ISPs give you "a copy of own house keys" if you allow the ANALogy
Take us less seriously, you're between friends and as–les...
Seriously now:
The concept must be, starting from the default one, BLOCK EVERYTHING and allow only what is necessary...
NEVER block ICMP for no reason (except big, large fragmented ICMP that for sure is not Path MTU Discovery...)
Prevent generating IP spoofing from your side, and do not accept spoofed packets.
Take a look here
But it is all useless if you do not provide public IPs on your LAN.
And there
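
The rules from the post above (default deny, keep ICMP except fragmented ICMP, source-address validation in both directions) as a small packet-decision model. This is an added example, not part of the original post; the LAN prefix, the allow list, the interface names and the treatment of any fragmented ICMP as droppable are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumptions for illustration (not from the post): a documentation prefix
# stands in for the public range routed to the LAN, plus a tiny allow list.
LAN_NET = ipaddress.ip_network("203.0.113.0/24")
ALLOWED = {("tcp", 443), ("udp", 53)}


@dataclass
class Packet:
    in_iface: str           # "lan" or "wan" (hypothetical interface names)
    src: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0
    fragment: bool = False  # True if MF is set or the fragment offset is > 0


def spoofed(p: Packet) -> bool:
    """Source-address validation in both directions."""
    src = ipaddress.ip_address(p.src)
    if p.in_iface == "lan":
        # Do not let the LAN emit traffic with sources outside its own prefix.
        return src not in LAN_NET
    # From the WAN: our own prefix or a non-global source cannot be genuine.
    return src in LAN_NET or not src.is_global


def decide(p: Packet) -> str:
    if spoofed(p):
        return "drop:spoofed"
    if p.proto == "icmp":
        # Path MTU Discovery errors arrive as unfragmented ICMP, so only
        # fragmented ICMP is dropped; everything else ICMP is kept.
        return "drop:icmp-fragment" if p.fragment else "accept:icmp"
    if (p.proto, p.dport) in ALLOWED:
        return "accept:allowed"
    return "drop:default"   # block everything that was not explicitly allowed


if __name__ == "__main__":
    # Constructed sample packets.
    for pkt in (Packet("wan", "8.8.8.8", "icmp"),
                Packet("wan", "10.0.0.1", "tcp", 443),
                Packet("lan", "198.51.100.7", "udp", 53),
                Packet("wan", "8.8.8.8", "tcp", 23)):
        print(pkt, "->", decide(pkt))
```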