In some work I've done, limitations would follow as such...
a) Advertising non-desire for traffic (exit policy) is the same as packet filtering with the same rules locally.

b) You can filter whatever you want at any inspection level you want, for whatever reason, or random/no reason, ***so long as you are doing it in a user agnostic global policy fashion.*** i.e.:

- you may block torproject IP address or any other place for everyone because you think spacemen live there. You may not block it for just user X unless provided for under other policy.
- you may scrape email content and block all viruses and even all talk of puppy dogs, so long as it is as a global policy and not just for user X.
- you may sink all bittorrent for bandwidth.
- you may sink content/protocol you think is too hot/unproven legally, or just whatever you want as global policy.
- you may place bandwidth caps, block protocols, throttle, reset, cache, analyze, report, aggregate, rank, etc. as a matter of global policy and operations.
It was not what you block or permit or where or why or how, but when you delve into the affairs of a particular user with singular intent. That is the hot area. Most particularly concerning the written content of their traffic, consumer profile, etc. Best example of this is locking an account because you took a ticket that it was 'abusing' something somewhere somehow in a protocol/traffic fashion, leeching, spam, etc... but you have no global policy for it, and you still sunk them. That would get you in trouble customer contract wise. That's why TOUs are so broad. But touching any ticket involving humanity ... hatemail, threats, bickering, chatroom, trolling, assholeness, crime, etc. would be *strictly and always* returned with 'contact your authorities' and zero inspection or blocking in such regard.
It's an anecdote, and certainly common best practice in many areas. Consult your area experts as needed.