[Help needed] Firewall

How do I configure the firewall to allow only SFTP, HTTPS, SSH and NTP? I need to block anything other than that, even in the LAN.

SSH and SFTP must be LAN only (ban external access).

It is crucial for me, please provide appropriate information.

Time to get into the OpenWrt firewall documentation :wink:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration#web_interface_instructions

But you won’t be able to ban it within the LAN, I would say. Only LAN → WAN or WAN → LAN, not LAN → LAN.

If I understand correctly, /etc/config/firewall should contain this, right?

config defaults
    option input 'DROP'
    option output 'ACCEPT'
    option forward 'DROP'
    option drop_invalid '1'
    option synflood_protect '1'
    option synflood_rate '25/s'
    option synflood_burst '50'
    option tcp_syncookies '1'
    option tcp_ecn '1'
    option tcp_window_scaling '1'
    option custom_chains '1'
    option disable_ipv6 '1'
    option flow_offloading '1'
    option tcp_reject_code '1'
    option any_reject_code '1'
    option auto_helper '1'
    option auto_includes '1'
    option accept_redirects '0'
    option accept_source_route '0'

config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'DROP'
    option masq '1'

config zone
    option name 'wan'
    option network 'wan'
    option input 'DROP'
    option output 'ACCEPT'
    option forward 'DROP'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option src 'lan'
    option dest_port '443'
    option proto 'tcp'
    option target 'ACCEPT'

config rule
    option src 'lan'
    option dest_port '22'
    option proto 'tcp'
    option target 'ACCEPT'

config rule
    option src 'lan'
    option dest_port '123'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option src 'lan'
    option dest_port '22'
    option proto 'tcp'
    option dest 'wan'
    option target 'DROP'

config rule
    option src 'lan'
    option dest_port '22'
    option proto 'tcp'
    option dest 'wan'
    option target 'DROP'
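
A way to check what the posted rules actually do, as an added example that is not part of the thread: it parses a trimmed, constructed excerpt of the config above and evaluates a packet under a simplified model (rules in file order, then forwardings, then the zone input policy or the default forward policy). The model and the names `parse` and `verdict` are assumptions, not fw3/fw4 code.

```python
import shlex
# Constructed excerpt of the posted config; the evaluation model is a simplification.
SAMPLE = """\
config defaults
    option forward 'DROP'
config zone
    option name 'lan'
    option input 'ACCEPT'
config zone
    option name 'wan'
    option input 'DROP'
config forwarding
    option src 'lan'
    option dest 'wan'
config rule
    option src 'lan'
    option dest_port '443'
    option proto 'tcp'
    option target 'ACCEPT'
config rule
    option src 'lan'
    option dest 'wan'
    option dest_port '22'
    option proto 'tcp'
    option target 'DROP'
"""

def parse(text):
    cfg, last = {}, {}
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if words[:1] == ["config"]:          # new section, e.g. "config rule"
            last = {}
            cfg.setdefault(words[1], []).append(last)
        elif words[:1] == ["option"]:        # option belongs to the last section
            last[words[1]] = words[2]
    return cfg

def verdict(cfg, src, dest, proto, port):  # dest=None: traffic to the router itself
    for r in cfg.get("rule", []):          # first matching rule wins
        if (r.get("src") == src and r.get("dest") == dest
                and r.get("proto", proto) == proto
                and r.get("dest_port", str(port)) == str(port)):
            return r["target"], "rule"
    if dest is None:                       # input: fall back to the zone policy
        zone = next(z for z in cfg["zone"] if z["name"] == src)
        return zone["input"], "zone input policy"
    if any(f["src"] == src and f["dest"] == dest for f in cfg.get("forwarding", [])):
        return "ACCEPT", "forwarding"
    return cfg["defaults"][0]["forward"], "default forward policy"
```

On this excerpt, `verdict(parse(SAMPLE), "lan", None, "tcp", 80)` is accepted by the lan zone input policy and LAN to WAN port 80 is accepted by the forwarding, so the ACCEPT rules do not restrict anything until those two defaults are tightened.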