Read up on the principle of "default deny" in firewalls. If the box is configured that way, you're in good shape.
The opportunities for hackers are slim. Good hackers won't waste time attacking Astaro, and will instead attack some other network component that it is not Astaro's job to defend -yet. They add new protection mechanisms for software all the time; if you look on the boards, SIP, used for conferencing, is something Astaro doesn't handle yet. So if you were doing SIP or IIS server or whatever, I'd look for that on your network and attack there (if I were a hacker, which I am not); I'm not going to waste time attacking network stack code that has been tested by the Linux community a zillion times. It is conceivable more exploits in the Linux network stack could be uncovered; but look at Astaro's track record on getting out patches for versions that were stable...
The security of Astaro is as good as the care taken with the password session used to administrate it. If you go to a coffee shop or an internal workstation which has poor defenses of its own and is used to run lots of questionable software, a hacker can get the webadmin password through a keystroke logger. So the best way to administrate Astaro is with a machine that is "off the wire" of your LAN when it is not being used to configure Astaro (maybe a stripped laptop allocated for such purposes...).
The other thing I would advise is to try keeping things simple (though other people using the firewall you manage may have other ideas about that...). The fancier you get, the more likely you'll slip up...
