I think this is likely to cause you grief.
Some customers will be wanting to run services that support inbound connections. This will be hard to config around, while still providing any protection of any value.
Your customers will also have many different security profiles. Trying to meet the needs of all of these with one device won't work.