How about each service dropping a config snippet (as a separate file) into something like /etc/sysconfig/service-firewall-rules and having a setting on the firewall config GUI which allowed these to be included in [or not]?
You could also provide an appropriately rich environment setup to allow all the standard requirements of basic firewall rules (i.e. interface name/addr, etc.).
It would obviously take work to get this infrastructure in place.
Nigel.
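
One way a firewall script could consume such per-service snippets while honouring the include-or-not setting, as an added example that is not part of the original message. The snippet format, the function name `emit_service_rules` and the `FW_IFACE`/`FW_ADDR` variables are assumptions; the directory is passed in as an argument.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed snippet format: one
# "PROTO PORT" pair per line, '#' starts a comment. Snippets are parsed as
# data and never sourced, so a package cannot inject arbitrary rules.
: "${FW_IFACE:=eth0}" "${FW_ADDR:=192.0.2.10}"   # constructed sample values

# emit_service_rules DIR "svc1 svc2 ..." -> iptables rule specs on stdout
emit_service_rules() {
    local dir=$1 enabled=$2 svc file proto port extra
    for svc in $enabled; do
        # The service name becomes a file name: allow a conservative charset.
        case $svc in
            ''|*[!A-Za-z0-9_-]*) echo "skip: bad service name" >&2; continue ;;
        esac
        file=$dir/$svc
        # Must be a regular file, not a symlink pointing somewhere else.
        if [ -L "$file" ] || [ ! -f "$file" ]; then
            echo "skip $svc: missing or not a regular file" >&2; continue
        fi
        # Refuse snippets that group or other could rewrite.
        if [ -n "$(find "$file" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            echo "skip $svc: group/world-writable" >&2; continue
        fi
        while read -r proto port extra; do
            case $proto in ''|'#'*) continue ;; esac
            case $proto in
                tcp|udp) ;;
                *) echo "skip line in $svc: bad protocol" >&2; continue ;;
            esac
            # Digits only, at most five of them, nothing trailing.
            case $port in
                ''|*[!0-9]*|??????*) echo "skip line in $svc: bad port" >&2; continue ;;
            esac
            if [ -n "$extra" ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                echo "skip line in $svc: bad port" >&2; continue
            fi
            printf '%s\n' \
                "-A INPUT -i $FW_IFACE -d $FW_ADDR -p $proto --dport $port -j ACCEPT"
        done < "$file"
    done
    return 0
}
```

The second argument plays the role of the GUI setting: only services named there are read, and anything a snippet contains beyond a protocol and a port is dropped rather than passed to the firewall.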