Why would I need a firewall if my server is well configured?

I note that you’ve done a great job tying down several different daemons, and from what you’ve said I think it unlikely that you’ll expose yourself to trouble through those services you have already secured. This still leaves you in an “everything is permitted except that which I have forbidden” state, and you can’t get out of that state by hunting down daemon after daemon and securing them one by one.

A firewall configured to DENY ANY ANY by default moves you to an “everything is forbidden except that which is permitted” mode of operation, and I have found over many years that they’re better.

Right now, given a legitimate user with a legitimate shell on your system, she could decide to run some local unprivileged daemon for proxying web requests for the internet, or start file sharing on port 4662, or accidentally open up a listener by using -g with ssh port tunneling, not understanding what it does; or a sendmail install could leave you running an MUA on port 587 which was improperly configured despite all the work you’d done on securing the MTA sendmail on port 25; or a hundred and one things could happen that bypass your careful and thoughtful security simply because they weren’t around when you were thinking carefully about what to forbid.

Do you see my point? At the moment, you’ve put a lot of effort into securing all the things you know about, and it sounds like they won’t bite you. What may bite you is the things you don’t know about, or that aren’t even there, right now.

A firewall which defaults to DENY ANY ANY is the sysadmin way of saying that if something new comes along and opens up a network listener on this server, no one will be able to talk to it until I have given explicit permission.
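As an added example (not part of the original answer), a small Python script that renders the default-deny nftables input chain the answer describes from an allowlist of permitted ports, and audits a sample of `ss -Hltn` output for listeners the policy would not permit, such as the port 4662 and port 587 cases mentioned above; the allowlist and the sample output are constructed assumptions.

```python
# Added example: render the default-deny input chain, then audit listeners.
# PERMITTED_TCP and SAMPLE_SS_OUTPUT are constructed values, not from the page.
import re

# Ports this server is meant to expose (constructed allowlist).
PERMITTED_TCP = {22, 25, 80, 443}

# Constructed sample of `ss -Hltn` output (no header), one listener per line.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:587 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4662 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
"""

def nft_default_deny(permitted_tcp):
    """Render an nftables input chain: policy drop, explicit accepts only."""
    ports = ", ".join(str(p) for p in sorted(permitted_tcp))
    return "\n".join([
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        f"    tcp dport {{ {ports} }} accept",
        "  }",
        "}",
    ])

def parse_listeners(ss_output):
    """Return (address, port) pairs from the local-address column."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        m = re.match(r"(.*):(\d+)$", fields[3])
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found

def unexpected_listeners(ss_output, permitted_tcp):
    """Non-loopback listeners the default-deny policy would not permit."""
    loopback = {"127.0.0.1", "[::1]"}
    return sorted((addr, port) for addr, port in parse_listeners(ss_output)
                  if port not in permitted_tcp and addr not in loopback)
```

Running `unexpected_listeners(SAMPLE_SS_OUTPUT, PERMITTED_TCP)` on the sample reports the 587 and 4662 listeners, which the rendered chain silently drops; the loopback-only 8080 listener is left alone because the input policy never sees it.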
