Network Cost for Ephemeral IPs assigned to nodes in GKE cluster

6/25/2019

When I create a GKE cluster, I see the nodes are assigned ephemeral public IPs. I understand that there is no cost if the IPs are assigned and used.

Is there a cost, however, if these IPs are hit from the outside, some kind of network costs? When GKE creates these clusters, I'm guessing these IPs are disallowed public access by firewall rules by default?

Thanks

-- RAbraham
google-kubernetes-engine

1 Answer

6/25/2019

> When I create a GKE cluster, I see the nodes are assigned ephemeral public IPs. I understand that there is no cost if the IPs are assigned and used.

There is no additional cost for the IP address. When an address is in use by a VM (in this case a node in your GKE cluster) you are paying the cost of the VM.

> Is there a cost, however, if these IPs are hit from the outside, some kind of network costs?

As per GCP's network pricing documentation, ingress (internet -> your GKE node) is free and you only pay for egress. So if traffic comes to your IP address and you don't respond, then there is no cost. If you respond to the traffic, then you are charged the standard egress (your GKE node -> internet) rates.

> When GKE creates these clusters, I'm guessing these IPs are disallowed public access by firewall rules by default?

The default firewall rules allow some traffic from the internet to reach your nodes (RDP, SSH, and ICMP from what I can tell looking at a new project). If any traffic hits these ports on your nodes, you will be charged for the corresponding egress traffic. You can remove those rules to block that traffic to ensure that you don't get charged egress, and if you have other types of traffic that you do want to allow to egress, then you will need to open up firewall rules to allow it out (or expose a service in your cluster so that the Kubernetes control plane pokes a hole on your behalf).

-- Robert Bailey
Source: StackOverflow
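
To check which firewall rules in a project let internet traffic reach the nodes, as the answer describes, the following added example (not part of the original question or answer) scans JSON in the shape printed by `gcloud compute firewall-rules list --format=json`. The embedded rules are constructed sample data and the function name is hypothetical.

```python
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
# Rule names mirror the default-network rules the answer mentions; values are illustrative.
SAMPLE_RULES = json.loads("""
[
 {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "default-allow-rdp", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
 {"name": "default-allow-icmp", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "icmp"}]},
 {"name": "default-allow-internal", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
 {"name": "example-disabled-rule", "direction": "INGRESS", "disabled": true,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
 {"name": "example-deny-telnet", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "tcp", "ports": ["23"]}]}
]
""")

ANY_IPV4 = "0.0.0.0/0"


def internet_open_ingress(rules):
    """Return {rule name: ["proto:ports", ...]} for enabled allow rules open to any IPv4 source."""
    findings = {}
    for rule in rules:
        # Skip egress rules and rules that are switched off.
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled", False):
            continue
        # Only rules whose source range covers the whole internet are of interest.
        if ANY_IPV4 not in rule.get("sourceRanges", []):
            continue
        exposed = []
        for entry in rule.get("allowed", []):  # deny rules carry "denied" instead
            ports = ",".join(entry.get("ports", [])) or "all"
            exposed.append(f'{entry["IPProtocol"]}:{ports}')
        if exposed:
            findings[rule["name"]] = exposed
    return findings


if __name__ == "__main__":
    for name, exposed in internet_open_ingress(SAMPLE_RULES).items():
        print(f"{name}: {' '.join(exposed)}")
```

Rules reported here are the ones whose matching traffic can draw a response from a node, and so egress charges; the internal-only, disabled and deny rules in the sample are skipped.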