I have some 3 questions, as to how Smallwall works:
 WHY is it that Smallwall has no explicit 'the internet' (='Any Public WAN IP') as Destination 'type' ? Is there a way to restrict traffic from LAN/OPT1 to 'the internet' only?
I will explain: Smallwall firewall Rules has several Destination 'types' to choose from: (Any, Single host, Network, LAN Subnet, OPT1 Subnet, WAN Address..) If we want to allow LAN/OPT1 devices to access 'the internet'(='Any Public WAN IP') we are forced to choose either 'Any' or !LAN(='Any Except LAN' inverted selection) We can NOT use 'WAN' as this is the *single* public IP we get from our ISP. (Our WAN interface is set to PPPoE, and retrieves a *single* public IP from ISP)
I ask this because choosing 'Any' or !LAN allows OPT1 for example access not only 'the internet', but also OPT2 interface as well.
Is it possible to express 'the internet' (='Any Public WAN IP') in Destination 'type' using a certain 'Network' expression? (eg, all except 10/8, 172.16/12, 192.168/16)
 How come devices on OPT1 respond to incoming traffic (=PortForwarded to them from WAN) despite EXPLICIT BLOCK rule on OPT1 to block any outgoing traffic from OPT1! Is it true that allowed PortForwarded traffic takes precedence over any BLOCK rules?
 Is it possible / How can I BLOCK devices on LAN interface from accessing Smallwall admin login webpage?
Well this is a loaded question... I think most of the answer is that I simply do not like abstracted labels. "The Internet" has little meaning, but "WAN IP" has exact and distinct meaning. Also, opt1 can be multinetted, or can change. But 192.168.44.1/24 is exact. The functionality to alias things is there so you can abstract if you want to, but personally, I like the real information.
That said... Some answers...
On opt1, Deny access to opt2, and then allow Any. Or even deny access to 10/8, 172.16/12, 192.168/16 after allowing access to opt2 ip address. Internal traffic will not see the firewall.
 Yes. Any firewall is first rule, so the incoming port forward establishes the connection. Once up, it never checks for another rule. This is why you need to be very careful with your WAN inbound rules!
 There is a checkbox for this. By default, there is an anti-lockout rule. It is there specifically to prevent you from making a mistake with rules and locking yourself out of the firewall! But if you are sure, you can disable it about half way down the Advance Setup under "webGUI anti-lockout."
Please correct me if I'm wrong, but for each device/interface which requires access to the 'internet'(='Any Public WAN IP') *ONLY*(with no access to LAN/OPT1/OPT2/WAN interfaces) we must define a set of 5 rules, such as this: rule #1 Block Access to LAN rule #2 Block access to OPT1 rule #3 Block Access to OPT2 rule #4 Block Access to WAN rule #5 Allow Access to ANY
1. Is this correct or do you see a shorter way to represent the 'internet'(='Any Public WAN IP') ? 2. Wouldn't it be much easier/simpler if Smallwall had a single built-in definition for 'internet' (='Any Public WAN IP') as 'destination':type ? (which already includes the above 5 rules already built-in)
Thanks again for your hard work & prompt reply. Appreciate it!