Yes, I find it highly odd that the clients would need to *connect* to a possible 16k ports!
The narrower you can make the hole, the more secure you are. So, if you can reduce the number of ports open and reduce the client IPs which can access the server, both improve the security of the policy.
You can look at your syslogs to see who is connecting to the server, and on what IPs/ports.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...