Someone I asked suggested I try m0n0wall, and then set that as my gateway. Then I set my ESXi hosts and VMs to use that firewall as the gateway. Then to get Internet access, I'd only need to allow 80 and 443 in via the firewall.
Does that sound right?
If there's a better way, let me know.
Thanks!