The preferred way of locking down an OctoPrint server is to set up a VPN, and allow access to the VPN from the outside, which would grant access to your inside network.
If you were to set up a local firewall, it should be to restrict outside access to specific IP addresses (work, school, or any other static IP address). Having a dynamic IP address (someone else's home, mobile, etc.) would be a problem as you would need to get in and reload your rules for the new site. You might be able to get away with a dynamic DNS service, but that would still be annoying to set up and may still need firewall rule reloads.
If you do not plan on doing this sort of restriction, there is no difference in letting your router handle the port redirection (which adds a basic hardware firewall) or enabling a software firewall. I would also strongly suggest NOT putting the Pi in the DMZ of the router, otherwise you WILL need a software firewall up.
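
The source-IP restriction described above, as an added example that is not part of the original answer: a shell function that turns an allowlist into an `iptables-restore` ruleset. The port (5000), the chain name `OCTOPRINT-ALLOW` and all addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed example: build an iptables-restore ruleset that lets only
# allowlisted IPv4 sources reach the OctoPrint port; all others are dropped.
# Port 5000 and the chain name OCTOPRINT-ALLOW are assumptions.

# Succeeds only for a.b.c.d or a.b.c.d/0-32 with every octet <= 255.
is_ipv4_cidr() {
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
  addr=${1%/*}
  old_ifs=$IFS; IFS=.
  set -- $addr            # split the address into its four octets
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# build_ruleset PORT SOURCE...  -> ruleset on stdout, rejected entries on stderr
build_ruleset() {
  port=$1; shift
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
    ':OUTPUT ACCEPT [0:0]' ':OCTOPRINT-ALLOW - [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'   # keep local proxies working
  printf '%s\n' "-A INPUT -p tcp --dport $port -j OCTOPRINT-ALLOW"
  for src in "$@"; do
    if is_ipv4_cidr "$src"; then
      printf '%s\n' "-A OCTOPRINT-ALLOW -s $src -j ACCEPT"
    else
      # Hostnames are refused: iptables resolves a name once, at load time,
      # so a dynamic DNS entry goes stale until the rules are reloaded.
      printf '%s\n' "skipping non-IPv4 source: $src" >&2
    fi
  done
  printf '%s\n' '-A OCTOPRINT-ALLOW -j DROP' 'COMMIT'
}

# Sample run with constructed addresses (a LAN range plus documentation ranges).
build_ruleset 5000 192.168.1.0/24 203.0.113.10 198.51.100.0/24
# To load it: build_ruleset ... | sudo iptables-restore
# This replaces the whole filter table, so merge any existing rules first.
```

Include the LAN range in the allowlist, as in the sample run, or local browsers lose access to the printer as well.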