Allow disabling of "filter rule association" by default
This setting is inherently insecure, as it opens a hole in your firewall for the world to get into. Fine for public-facing servers or home users, but not so great when you need remote access from a limited number of IP addresses. Of course it can be disabled when the rule is created, but it's easy to overlook.
I would like to see the ability to set a system-wide default, similar to the "NAT reflection" setting above it, so that this can be globally disabled for those who want to maintain some semblance of security over their WAN port.