How can I configure Exim on a firewall machine so that if mail arrives addressed to a domain whose MX points to the firewall, it is forwarded to the internal mail server, without having to have a list of all the domains involved?

As your first router, have the standard dnslookup router from the default configuration, with the added option

self = pass

This will handle all domains whose lowest numbered MX records do not point to your host. Because of the no_more setting, if it encounters an unknown domain, routing will fail. However, if it hits a domain whose lowest numbered MX points to your host, the self option comes into play, and overrides no_more. The pass setting causes it to pass the address on to the next router. (The default causes it to generate an error.) The only non-local domains that reach the second router are those with MX records pointing to the local host. Set it up to send them to the internal mail server like this:

internal:
  driver = manualroute
  domains = ! +local_domains
  transport = remote_smtp
  route_list = * internal.server