The application firewall does not provide any protection unless you actually prevent (most) applications from receiving incoming connections. You should instead configure the packet filter with the pfctl command (or GUI applications like Murus). On your home network, you should rather focus on your router to secure the network against such threats, whereas you should consider a VPN when you are not on a trusted network. OS X does not have many system programs that are capable of receiving incoming connections in the first place, and many of them are disabled by default anyway (in System Preferences → Sharing). When you are using programs that are capable of receiving incoming connections, check whether they are sandboxed (Mac App Store applications are all sandboxed) or whether you can sandbox them.
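
A minimal default-deny inbound ruleset for the packet filter mentioned above, as an added example that is not part of the original text. The file name /etc/pf.block-inbound.conf is an assumed name, and the DHCP and IPv6 neighbour discovery exceptions are assumptions about what a typical client machine still needs.

```pf
# /etc/pf.block-inbound.conf  (assumed file name; constructed example)
#
# Parse and print the rules without loading them:
#   sudo pfctl -vnf /etc/pf.block-inbound.conf
# Load the rules, then enable the packet filter:
#   sudo pfctl -f /etc/pf.block-inbound.conf
#   sudo pfctl -e
# Show the rules that are currently active:
#   sudo pfctl -sr
#
# Loading a file with -f replaces the main ruleset that is currently
# loaded (normally the one from /etc/pf.conf).

# Drop blocked packets silently instead of answering with RST/ICMP.
set block-policy drop

# Never filter the loopback interface; local IPC depends on it.
set skip on lo0

# Default: refuse every unsolicited inbound packet on every interface.
# This is what stops applications from receiving incoming connections.
block in all

# Allow everything outbound. "keep state" lets the replies to
# connections this machine opened back in, and nothing else.
pass out all keep state

# Assumed exception: DHCP replies from the server (port 67) to the
# client (port 68), so the machine can still obtain a lease.
pass in inet proto udp from any port 67 to any port 68

# Assumed exception: IPv6 neighbour discovery and router
# advertisements, without which IPv6 stops working on the local link.
pass in inet6 proto ipv6-icmp all icmp6-type { neighbrsol, neighbradv, routeradv }
```

pf uses the last matching rule, so the pass rules placed after block in all act as the only exceptions to it.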