When a computer is connected directly to the Internet, and it has a white ip, then external connections can be connected to such a computer. More precisely, they can "knock". In order to actually connect, some kind of door (port) must be open. I would even say that such a door should exist, even if it is closed, but if there is no door, then nothing will work.
Each such "door" is a running program or service. The port number is the door number. Thus, the burglar can feel which doors are, which of them are open, he can go into open ones, and he can try to break into closed ones or pick up a master key.
Either way, whatever service or program it is, it usually uses a password or some other authentication mechanism to access it from the network. In principle, if an attacker does not know the password and cannot pick it up, he should not get through. But in any software there are holes. Some holes are already known, and some are not yet, but tomorrow or the day after tomorrow they may be discovered.
It is against such "holes" that the protection of the router type is directed. There are usually a lot of background services running in Windows, and many of them willingly listen to external requests. Some can be disabled, but unfortunately, some are needed stupidly for the normal operation of Windows. And in order not to delve into too much and cut off all this economy at once, a router is installed that takes on external requests, and also creates a local (home) network where all devices more or less trust each other.
In turn, the router also contains software, and may also have holes. And to be doubly safe, you can put another router on the side of the provider. Your ip will become "gray", as if inside the provider's local network, and anyhow no one will be able to knock on it.
As you can see, each such layer of protection does not remove any specific threat, but protects against potential unknown threats, that is, it is put just in case for reinsurance. Each next layer reduces the chance of being successfully attacked. However, the main defense is the head on the shoulders. If the user himself (foolishly) downloads the virus and activates it on his computer, then no gray ip, routers and firewalls will save him from hacking. So it goes.

The same as in the normal setting of the router. Which by default has all incoming closed ...
In fact, you don’t have to worry too much about it. because the provider will do it for you
. It makes sense only if you do not understand and want the Internet to "just work"