Firewall source location rule ignored

Hi,

For the record: it is indeed.

[root@maverick ~]# location lookup 213.249.8.0
213.249.8.0:
  Network                 : 213.249.0.0/19
  Country                 : Greece
  Autonomous System       : AS12361 - VODAFONE-PANAFON HELLENIC TELECOMMUNICATIONS COMPANY SA

To the best of my knowledge, no such general issue is known.

Once in a blue moon, there were people on the forum complaining about their IPFire’s SSH port being erroneously exposed to the internet, but we unfortunately never managed to find the root cause for these incidents, and I was unable to reproduce it by any means. :frowning:

Trying to reproduce your problem, I noted that creating such a rule as (3) causes an unintended (?) side-effect: Despite being NAT’ed, port 222 becomes reachable from the country in question. This is explicitly configured by rule (4) in your example, but seems to be a quirk in the firewall engine for rule (3) as well.

I will raise a bug for this, which only appears to affect port forwardings to IPFire itself, so it is not a complete disaster. :upside_down_face: EDIT: Bug #12873 has been filed for this.

However, as @lowres already noted, a VPN would be the better approach.

Thanks, and best regards,
Peter Müller

5 Likes