The port and protocol commands inside the content rule act as filters.
So only traffic of protocol type ... and to port ... will match the content rule.
The port command inside the service acts as a NAT command. It tells the CSS to rewrite the destination to the one configured under the service.
The easiest solution is to not configure any port under the content rule and services.
Like this, the CSS will accept connections to ANY port and just LB without changing the destination port.
So port 80 traffic will be sent to port 80 and port 443 to port 443.
You can then limit traffic coming in with an ACL if you do not want to LB all ports (i.e.: 23).
But personally, I prefer to have a content rule for each port.
It gives you the possibility to easily adjust the config for a specific port if needed.
Gilles.
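
The two approaches described in the reply above, sketched as CSS configuration. This is an added example, not part of the original post; the owner, service and content rule names, the IP addresses and the 8080 back-end port are constructed placeholders.

```text
! Option 1: no port under the service or the content rule.
! Every destination port on the VIP is load balanced and the
! destination port is left unchanged (80 -> 80, 443 -> 443, 23 -> 23),
! so unwanted ports have to be filtered separately with an ACL.
service web1
  ip address 10.1.1.10
  active

owner example
  content any-port
    vip address 192.0.2.10
    add service web1
    active

! Option 2: one content rule per port.
! protocol/port under the content rule filter what matches;
! port under the service rewrites the destination port.
service web1-http
  ip address 10.1.1.10
  port 8080
  active

service web1-https
  ip address 10.1.1.10
  active

owner example
  content http
    vip address 192.0.2.10
    protocol tcp
    port 80
    add service web1-http
    active
  content https
    vip address 192.0.2.10
    protocol tcp
    port 443
    add service web1-https
    active
```

In option 2, traffic to 192.0.2.10:80 reaches the server on port 8080 and traffic to port 443 stays on 443, because web1-https has no port configured; connections to port 23 match neither content rule and are not load balanced.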