I think that the firewall needs an upgrade to get most or all rules supported,
like NAT rules, PREROUTING rules, and a possibility to DROP/REJECT all FORWARD or OUTPUT connections instead of ACCEPT, but if you want you can still choose ACCEPT.
I think this because more things need PREROUTING or NAT, like the VPN and the web filter proxy,
and you would have a nicer overview of the firewall rules.
And maybe a possibility to create your own chains.
Do more people have thoughts about this?
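As an added illustration of what the post is asking for (this is example code, not from the original poster or from the firewall product being discussed), the script below generates an iptables-restore ruleset that uses each requested feature: a nat PREROUTING rule that redirects LAN web traffic to a local filtering proxy, a default DROP policy on FORWARD and OUTPUT with explicit ACCEPTs (and a final REJECT on OUTPUT), and a user-defined chain that holds the shared connection-state checks. The interface names, the LAN subnet and the proxy port are assumptions. It prints the ruleset instead of applying it, so it can be reviewed, or checked with `iptables-restore --test`, before it touches the kernel.

```shell
#!/bin/sh
# Added example, not code from the original post or the firewall product.
# Assumed values: adjust to the real interfaces, subnet and proxy port.
LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.1.0/24
PROXY_PORT=3128

# Emit a complete ruleset in iptables-restore format. Lines starting with '#'
# are ignored by iptables-restore, so the comments can stay in the output.
build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# PREROUTING rule: transparently send LAN HTTP to the local web filter proxy
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
# NAT rule: masquerade LAN traffic leaving on the WAN interface
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
# Default policy DROP on INPUT, FORWARD and OUTPUT; everything below is an
# explicit exception, which is the opposite of an ACCEPT default policy.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# User-defined chain: stateful checks shared by the built-in chains
:STATE_CHECK - [0:0]
-A STATE_CHECK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A STATE_CHECK -m conntrack --ctstate INVALID -j DROP
# INPUT: loopback, replies, and the proxy port from the LAN only
-A INPUT -i lo -j ACCEPT
-A INPUT -j STATE_CHECK
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
# FORWARD: only LAN-originated, LAN-sourced traffic may leave via the WAN
-A FORWARD -j STATE_CHECK
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# OUTPUT: the box itself may do DNS and web (the proxy's upstream fetches);
# anything else is actively rejected instead of silently dropped
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j STATE_CHECK
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Count the rules that contain a given fragment, e.g. a target or chain name.
count_matching() {
    build_ruleset | grep -c -- "$1"
}

# Print the ruleset; pipe into `iptables-restore --test` to validate syntax,
# or into `iptables-restore` (as root) to load it atomically.
build_ruleset
```

Loading with iptables-restore replaces the whole table at once, which matters with a DROP default policy: applying rules one by one with `iptables -P OUTPUT DROP` before the ACCEPTs are in place can cut off your own session.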