You can add IP chains or a firewall script just make sure you call the script from a file that is not overwritten by one of the templates. A script for the IPChains seem to work better since you can make generic rules and then have it automatically adjust to whichever nic is on the public side. (ie you can swap eth0 and eth1 from the configuration screen). If you use static rules you may run into issues with the ethernet cards or dynamic ip addresses.
Justin