If you want to control the traffic out from a school gateway, I guess it will not be an effective method to block one port at a time, as it will be "normal procedure" for some unwanted applications to just switch over to some other open port. It is easy to end up closing port after port, while there will never be enough closed ports.
The other approach is to set the default policy for outgoing traffic to all closed and then to open one port at a time as required. This will be a somewhat more effective approach.
I have made such a firewall implementation on my SME 7.2 and I am using it and testing it now. (Zero problems until now, but I would like to test it longer and more over time.)
By the way, applying major changes to the firewall system is generally a dangerous thing to do, just to have mentioned that.
If it was "a quite usual thing" to make major changes to the SME server firewalling system, there would certainly be a number of SME servers that were hacked due to misconfiguration, and there would also be a number of "incorrectly asked or misleading questions" on the support forum that would be asked as if it was a server issue, but that in real life are related to a misconfigured firewall. (That's how it usually is with firewalls.)
The disadvantage of applying a "full packet filtration" of outgoing traffic is that there will be some users that will ask: Why does service x not work on my PC? The standard answer will be: "You will have to send a request to the administrator to get your client program on the list of approved traffic."
Even though you do a filtration of outgoing traffic, it might still be possible to make irregular use of the approved ports. As an example: port 443 is the port of the SSL encrypted web traffic (https://..). It is quite easy to set up any encrypted tunnel through port 443, and for most firewalls it will be rather difficult to tell the difference between a data stream containing encrypted SSL data and other encrypted data. Some programs that might be unwanted have automated procedures for finding and using an open port 80 and an open port 443 in the outgoing traffic direction.
On the other hand, a policy of allowing only certain ports and protocols might reduce unwanted traffic.
I think it would require a rather big project to make major changes to the SME server firewalling system, but on the other hand, to have an option "Apply rules for restricted outgoing traffic" and then to leave open just a few standard ports for outgoing traffic might not require a big modification.
One other advantage of doing outgoing firewalling is that you can reduce the damage potential, in some way, if internal (Windows) clients get hacked or infected by a virus or other malware.
By the way, I was banned and refused log-on to contribs.org for a few days. Hopefully I will not be locked out again, even though I am mentioning a few words about security and firewalling.
By the way, I will try to send a suggestion to bugzilla about a "restricted traffic out" option in the near future, if I'm not locked out again, as I believe such a modification (as an option) technically could be relatively easily implemented in the existing firewalling and template system, while on the other hand having a major influence on the overall network security.
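
The default-closed approach from the post above, as an added example that is not part of the original post and is not SME Server's own firewall template: a shell function that prints the iptables commands for a deny-by-default FORWARD policy with an allow-list. The interface names (eth0 internal, eth1 external), the function name `egress_rules` and the sample port list are assumptions.

```sh
#!/bin/sh
# Added example: prints (does not apply) iptables commands for a default-deny
# egress policy on a forwarding gateway. Interface names are assumptions.
LAN_IF="${LAN_IF:-eth0}"   # assumed internal (client-facing) interface
WAN_IF="${WAN_IF:-eth1}"   # assumed external (Internet-facing) interface

# egress_rules proto/port ...   e.g. egress_rules tcp/80 tcp/443 udp/53
# Prints the rule set on stdout; prints nothing and returns 1 on a bad entry.
egress_rules() {
    # Validate the whole allow-list first, so a typo never yields a partial rule set.
    for spec in "$@"; do
        proto=${spec%%/*}
        port=${spec#*/}
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol in '$spec'" >&2; return 1 ;;
        esac
        case "$port" in
            # empty, non-numeric, or more than five digits
            ''|*[!0-9]*|??????*) echo "bad port in '$spec'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$spec'" >&2; return 1
        fi
    done

    # Anything forwarded that is not matched below is dropped by policy.
    echo "iptables -P FORWARD DROP"
    # Replies to connections that were allowed out may come back in.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # One rule per approved service, new connections from LAN to WAN only.
    for spec in "$@"; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p ${spec%%/*}" \
             "--dport ${spec#*/} -m state --state NEW -j ACCEPT"
    done
    # Log what the policy is about to drop, so "why does service x not work?"
    # can be answered from the log. A port filter cannot see what is carried
    # inside an allowed port such as 443.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j LOG --log-prefix 'egress-denied: '"
}

# Constructed sample allow-list: web browsing plus DNS.
egress_rules tcp/80 tcp/443 udp/53
```

The output is meant to be reviewed before it is run as root; the LOG rule comes last so that only traffic no ACCEPT rule matched is recorded.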