I've considered this further, and it's not going to work the way you think. My suggestion doesn't _quite_ satisfy your goal - what it will do is open *both* 443 _and_ 8443 to the Internet. This is one of those can't-have-your-cake-and-eat-it-too problems... you're not SNATting (because that would be bad), so you have to use the WAN_LOCAL chain, but by doing so, you're opening both at once, effectively (the DNAT rule opens 8443, the WAN_LOCAL rule opens 443). There's no way to have one without the other that I can immediately think of without doing some incredibly hairy SNAT dancing.
I'll keep thinking about it, though I'll never say it's a good idea.
Another thought: If you can't necessarily "block" 443, you could (again, theoretically) "get ahead" of it - DNAT happens earlier in the process than WAN_LOCAL. If you DNAT 443 to a blackhole dest port on the LAN, that would more or less "block" it, allowing only 8443 to the real web server. Nasty solution to the 443-on-the-Interwebz problem, but would likely work.
Rodney
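To make the chain-ordering argument in the reply above concrete, here is an added model (not the poster's configuration, not EdgeOS code) of how a packet passes nat PREROUTING (DNAT) before the input filter chain (WAN_LOCAL). It assumes a router address of 203.0.113.10, a real service on 443, the exposed port 8443, and an unused blackhole port 9; all of those are constructed values.

```python
from dataclasses import dataclass, replace

# Constructed example values (assumptions, not from the thread):
ROUTER_WAN = "203.0.113.10"   # router's public address
SERVICE_PORT = 443            # port the real web server listens on (post-DNAT)
EXPOSED_PORT = 8443           # port we want reachable from the Internet
BLACKHOLE_PORT = 9            # assumed unused LAN port: nothing listens there

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int

def prerouting_dnat(pkt, dnat_rules):
    """nat PREROUTING runs first: the first rule matching the packet's
    destination port rewrites it; later DNAT rules are not consulted."""
    for match_port, new_port in dnat_rules:
        if pkt.dst_ip == ROUTER_WAN and pkt.dst_port == match_port:
            return replace(pkt, dst_port=new_port)
    return pkt

def wan_local(pkt, accept_ports):
    """Input filter chain (WAN_LOCAL) only ever sees the *post-DNAT* port."""
    return "accept" if pkt.dst_port in accept_ports else "drop"

def outcome(external_port, dnat_rules, accept_ports):
    """Where a connection to ROUTER_WAN:external_port ends up."""
    pkt = prerouting_dnat(Packet(ROUTER_WAN, external_port), dnat_rules)
    if pkt.dst_port == BLACKHOLE_PORT:
        return "blackholed"            # rewritten to a port nobody answers on
    if wan_local(pkt, accept_ports) == "drop":
        return "dropped"
    return f"service:{pkt.dst_port}"

# Ruleset 1, as in the reply: DNAT 8443->443 plus a WAN_LOCAL accept on 443.
NAIVE_DNAT = [(EXPOSED_PORT, SERVICE_PORT)]
ACCEPT = {SERVICE_PORT}
# Ruleset 2, the "get ahead" idea: also DNAT plain 443 to the blackhole port.
BLACKHOLE_DNAT = [(SERVICE_PORT, BLACKHOLE_PORT), (EXPOSED_PORT, SERVICE_PORT)]

def exposure(dnat_rules, accept_ports=ACCEPT):
    """Result for three probe ports: the two in question plus an unrelated one."""
    return {p: outcome(p, dnat_rules, accept_ports) for p in (443, 8443, 22)}

if __name__ == "__main__":
    print("naive     :", exposure(NAIVE_DNAT))       # 443 and 8443 both reach the service
    print("no accept :", exposure(NAIVE_DNAT, set()))  # closing 443 also kills 8443
    print("blackhole :", exposure(BLACKHOLE_DNAT))   # only 8443 reaches the service
```

The second case shows the coupling the reply describes: because WAN_LOCAL sees the post-DNAT port, removing the 443 accept rule also drops the DNATed 8443 traffic, which is why the blackhole DNAT is needed to separate them.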