There's also cross-over devices like the Symantec (formerly Nexland) Security Gateway series and similar devices, which are NAT devices with*some* security functions. While they won't allow you a fine grained control over all packets, they do allow for defaulting to "deny all", as well as protecting against specific threats, and in some cases also VPN functionality.
You might want to reconsider remote ports 1433-1434 -- any port number higher than 1023 can (and thus sooner or later will) be used as valid ports for return traffic, and blocking them will cause timeouts and hopefully a retransmit, but sometimes a failure.
In the case of a NAT box that doesn't let anyone in, this is most likely to appear as an intermittent but hard-to-reproduce problem with FTP, where the client on the inside when sending PASV is told to use port XXXX for data traffic, and then can't connect to that port. An alternative solution then if you *really* want the high ports blocked is to set up port triggering for active FTP, allowing incoming traffic from port 20 if a connection has been made to port 21 on the same host. That's not 100% safe (IP spoofing and man-in-the-middle attacks are possible), but probably good enough for everyday use.