Comment on Help getting started with self hosting Jellyfin via NAS?
kumi@feddit.online 1 week ago
One way to go about the network security aspect:
Make a separate LAN (optionally: VLAN) for the internals of your hosted services. Separate from the one you use to access the internet and use with your main computer. At the start this LAN will probably only have two machines:
- The server running Jellyfin. Not connected to your main network or the internet.
- A “bastion host” which has at least two network interfaces: one connected outwards and one inwards. This is not a router and should be separate from your main router. This is the bridge. Here you can run an (optional) VPN gateway and an SSH server, and also an HTTP reverse proxy to expose Jellyfin to the outside world. If you have things on the inside that need to reach out (like package updates) you can have an HTTP forward proxy for that.
When it’s just two machines you can connect them directly with a LAN cable; when you have more, you add a cheap network switch.
If you don’t have enough hardware to split machines up like this you can do similar things with VMs on one box, but that’s a lot of extra complexity for beginners and you probably have enough new things to familiarize yourself with as it is. Separating physically instead of virtually is a lot simpler to understand and also more secure.
I recommend firewalld for the system firewall.
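The two-machine layout from the comment above, sketched as firewalld commands. This is an added example, not part of the comment: the interface names, the 10.20.0.0/24 addressing, the zone names, HTTPS and SSH as the outward-facing services, and the forward proxy on 3128/tcp are all assumptions; 8096 is Jellyfin's default HTTP port.

```shell
#!/bin/sh
# Added example: firewalld layout for a bastion host plus an isolated Jellyfin server.
# Assumptions (not from the thread): interface names, addresses, zone names,
# forward proxy on 3128/tcp. Intended for first-time setup (zones must not exist yet).
EXT_IF="${EXT_IF:-eth0}"                 # bastion NIC facing the main network
INT_IF="${INT_IF:-eth1}"                 # NIC on the isolated hosting LAN
BASTION_IP="${BASTION_IP:-10.20.0.1}"    # bastion address on the hosting LAN

# Print the firewall-cmd lines for one role: "bastion" or "jellyfin".
fw_plan() {
    fc="firewall-cmd --permanent"
    case "$1" in
    bastion)
        # Custom zones start empty, so nothing is open unless listed here.
        echo "$fc --new-zone=bastion-out"
        echo "$fc --new-zone=bastion-in"
        echo "$fc --zone=bastion-out --change-interface=$EXT_IF"
        echo "$fc --zone=bastion-in --change-interface=$INT_IF"
        # Outward: reverse proxy (served over HTTPS here) and SSH only.
        echo "$fc --zone=bastion-out --add-service=https"
        echo "$fc --zone=bastion-out --add-service=ssh"
        # Inward: only the forward proxy used for package updates.
        echo "$fc --zone=bastion-in --add-port=3128/tcp"
        # No NAT and no forwarding policy: the bastion proxies, it does not route.
        ;;
    jellyfin)
        echo "$fc --new-zone=hosting"
        echo "$fc --zone=hosting --change-interface=$INT_IF"
        # Accept Jellyfin traffic only from the bastion's reverse proxy.
        echo "$fc --zone=hosting --add-rich-rule='rule family=\"ipv4\" source address=\"$BASTION_IP\" port port=\"8096\" protocol=\"tcp\" accept'"
        ;;
    *)
        echo "usage: fw_plan bastion|jellyfin" >&2
        return 2
        ;;
    esac
    echo "firewall-cmd --reload"
}

# Dry run by default; set APPLY=1 (as root) to execute the plan.
ROLE="${1:-bastion}"
if [ "${APPLY:-0}" = 1 ]; then
    fw_plan "$ROLE" | sh -e
else
    fw_plan "$ROLE"
fi
```

Run it once with no arguments on the bastion and once with `jellyfin` on the media server to review the commands before applying them with `APPLY=1`.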
ampersandrew@lemmy.world 1 week ago
I’m not a total networking noob, but I definitely have some homework to do based on this write-up. Thanks.