I had to remove bastille also from my setup because I needed some NAT - IP masquerading setup plus a fair number of ports to be forwarded. I know there are much easier firewall scripts out there such as ufw but I am actually doing a fair amount of port forwarding and using iscsi and other bits of blackmagic and having had no choice a long time ago I had gone through the pain and suffering to get arno-iptables-firewall setup and configured.
Kind of sucks cause I am always tempted to click on firewall from the backend and I seem to recall at one point I actually did and this broke a nice long list of things as it tried to setup both firewalls to run.
while I do wish arno-iptables-firewall could be configured through there I accept the fact that might be asking for a bit much.
Since you mention ufw being supported now, I am wondering if there is a way perhaps to turn off ispconfig3 from handing it at all? Im gonna hate myself if I end up with yet another way I can shoot myself in the head.