As with everything else related to firewall rules, best practices are going to be handled differently for the home/SOHO user than they would for admins on a corporate network. The home/SOHO user can get started by compiling a list of services that require outbound access (for example, DNS, SNMP, and HTTP/HTTPS). The network admin likely will want to consult the company's security policy. They may also want to consult with whoever is in charge of network security, and possibly other stakeholders.
You should also use egress filtering to prevent IP spoofing; this potentially stops a lot of malware. Basically, you want to do the following:
- All packets that have private IP addresses as their destination should be dropped.
- All packets that do not have valid private addresses as their source should be dropped. For example, if you only have one internal interface with a subnet of 192.168.1.0/24 and there is a packet with a source address of 192.168.2.1, this packet should be dropped.