Solving one problem leads to another. Doesn't it always...
It turns out that my Verizon FiOS router has rudimentary firewall functionality that can block all traffic but cannot selectively block incoming traffic.
Short of replacing the router (an idea that was seriously considered before but had to be ditched due to a host of other issues), what will be the quickest way to set up a firewall that can selectively block incoming traffic towards a specific IP?
I'm willing to pay for extra hardware.
You don't really need to. Unless you open a port or otherwise pass traffic through to some inside host, unsolicited incoming traffic will be blocked by default. Not sure what capability theirs has to block outgoing access from specific devices. Haven't looked at that for a long time and don't recall now.
I also have FIOS. I put another router in front of theirs which sits on another subnet. The FIOS router only has outgoing access which works for most everything other than what needs incoming access like remote DVR programming, using the app, etc. Basically, it just serves as a MoCA bridge to the set-top boxes and to pull the TV schedule, etc. If you don't have TV services you don't even need to do that. You can just replace the router entirely. If you have their new IP-based service and STBs then that's a little different. Haven't tried that yet.
How are you doing VPN? I didn't think that any of theirs had that. Maybe some newer one does.