PC Flank scan - WAN/LAN setup - questions with FTP & HTTPS ports

I'm not sure what to title this thread, or if I am in the correct forum - but here goes.

NEEWBIE ALERT


I run Tomato on a WRT54GL and I am trying to do a number of things - maybe to many things.
1) on my LAN I have a FTP Linux box (opensuse) with the suse firewall turned off - listening on port XX
2) I have NX & VNC available on this Linux box as well - I wish to be able to connect from the WAN side
3) I have Tomato SSH running (router) - with external port 3000 and internal port XX

For NX/VNC - I think (correctly or incorrectly) that I am best to use Putty from the WAN side >connect to the router port (say port 3000, used in the putty setup) then in the setup my destination in the IP address of the Linux box (LB_IP) & the VNC port 5901 using a source port of some number (say 6000)
Then on the WAN side start a VNC connection to LB_IP:6000


In Tomato I have (temporarily) opened 8080 and I can remotely connect to the router as a test (I will close this port later) and I have the tunnel port (3000) that directs to internal SSH port XX.
But I did a scan with PCFlank and obviously it tells me that 8080 & 3000 are open - and when I open port 21 for FTP - this will be open from the outside as well.

S after all that ...

1) How exposed am I from a security point of view?
2) What changes should I make in the way I configure - Ideally I would like to be stealth from the outside.
3) Since I have SSH from port 3000 to internal XX should I use SSH for FTP as well? Or what is the norm for FTP security based upon different levels of paranoia.

Thanks for the time to read..