Best practices for egress filtering

If you are configuring a home network or SOHO network, determining your egress filtering requirements begins with compiling a list of services to which you need access (this might include such services as DNS, SMTP, POP and/or IMAP, NTP, and HTTP/HTTPS). If you are configuring a corporate network, you probably want to begin by consulting your organization's security policy. You may also want to consult with those in charge of network security and perhaps other stakeholders within the organization.

You should make a list of remote servers that services running on your network have to access, and allow them through the filter. For example, if you are running a DNS server, it will undoubtedly have to communicate with other DNS servers. You may find it helpful to organize your interfaces into interface groups, with access being granted based on the interface group settings.

As mentioned previously, egress filtering should begin with a deny all outbound policy. From here, add access for the services identified when you first compiled a list of services. Then add rules that allow the admins access to network/security systems they need to get to in order to do their jobs. Finally, you should add rules to allow any servers you operate on your local network to communicate with externally hosted services.

You should also use your egress filtering policy to prevent IP spoofing. This means allowing only packets whose source address is one you have assigned to nodes on your local networks to pass through the firewall. This includes addresses assigned via DHCP or statically, and subnets routed to the internet through the firewall, including VPN clients (if VPN is enabled). If you are only using a portion of a subnet to assign addresses (for example, you have 172.16.0.0 as one of your networks, but you are only using 172.16.1.0), then allow only the addresses you are actually using and not the rest of the subnet.

You should block all connections from internal servers or workgroups that have no business establishing connections with external servers. Also, you should consult lists such as those maintained by The Spamhaus Project to determine which domains and IPs are used by spammers and botnets and therefore should be blocked. Spamhaus's Don't Route or Peer (DROP) List is particularly helpful, as it identifies IP blocks that have been hijacked or are otherwise totally controlled by spammers, and therefore should be blocked.
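The steps above describe one policy: deny all outbound by default, allow the listed services, add per-host exceptions for servers and admins, refuse source addresses you did not assign, keep hosts with no egress need off the internet entirely, and drop destinations on a block list such as Spamhaus DROP. The following Python model is an added example, not code from the original page or from any firewall product; it evaluates outbound packets against such a policy so the rule ordering can be checked before it is transcribed into a real firewall. All addresses, hosts, and the DROP-style entries are constructed for the example (they use documentation and private ranges, not real Spamhaus data).

```python
"""Model of a deny-all-outbound egress policy with targeted exceptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# --- Constructed sample policy (assumptions for this example, not from the page) ---

# Anti-spoofing: only addresses actually in use may leave. The site owns
# 172.16.0.0/16 but only hands out 172.16.1.0/24, so just that /24 is listed,
# together with the VPN client pool.
LOCAL_SOURCES = [ipaddress.ip_network(n) for n in ("172.16.1.0/24", "10.8.0.0/24")]

# Internal hosts that have no business reaching external servers at all.
NO_EGRESS_HOSTS = {ipaddress.ip_address("172.16.1.40")}   # e.g. an internal file server

# Services every local node may reach: (proto, dport).
GENERAL_SERVICES = {("udp", 53), ("tcp", 53), ("udp", 123),
                    ("tcp", 80), ("tcp", 443), ("tcp", 993), ("tcp", 587)}

# Per-host exceptions: (source net, destination net or None for any, proto, dport).
HOST_RULES = [
    ("172.16.1.25/32", None, "tcp", 25),              # local mail server -> any external MTA
    ("172.16.1.10/32", "192.0.2.50/32", "tcp", 22),   # admin workstation -> hosted monitoring box
]

# Block list in the DROP list layout ("CIDR ; SBL-id", ';' starts a comment).
DROP_LIST_TEXT = """\
; constructed sample in DROP list layout, not real Spamhaus data
198.51.100.0/24 ; SBL000001
203.0.113.0/24 ; SBL000002
"""


def parse_drop_list(text):
    """Parse DROP-layout text into a list of ip_network objects."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()   # drop the SBL id / comment part
        if entry:
            nets.append(ipaddress.ip_network(entry))
    return nets


BLOCKED_NETS = parse_drop_list(DROP_LIST_TEXT)


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def evaluate(pkt):
    """Return (allowed, reason) for an outbound packet.

    Checks run in the order the policy is built: spoof check, hosts with no
    egress, block list, host-specific exceptions, general services, default deny.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    key = (pkt.proto, pkt.dport)

    if not _in_any(src, LOCAL_SOURCES):
        return False, "spoofed or unused source address"
    if src in NO_EGRESS_HOSTS:
        return False, "host has no egress entitlement"
    if _in_any(dst, BLOCKED_NETS):
        return False, "destination on DROP list"
    for src_net, dst_net, proto, dport in HOST_RULES:
        if (src in ipaddress.ip_network(src_net)
                and (dst_net is None or dst in ipaddress.ip_network(dst_net))
                and (proto, dport) == key):
            return True, "host rule"
    if key in GENERAL_SERVICES:
        return True, "general service"
    return False, "default deny outbound"


def audit(packets):
    """Evaluate a batch and return a list of (packet, allowed, reason)."""
    return [(p, *evaluate(p)) for p in packets]


if __name__ == "__main__":
    sample = [
        Packet("172.16.1.20", "192.0.2.10", "tcp", 443),   # workstation HTTPS: allowed
        Packet("172.16.5.7", "192.0.2.10", "tcp", 443),    # unused part of /16: spoof check
        Packet("172.16.1.20", "198.51.100.5", "tcp", 443),  # DROP-listed destination
        Packet("172.16.1.25", "192.0.2.10", "tcp", 25),    # mail server SMTP: host rule
        Packet("172.16.1.20", "192.0.2.10", "tcp", 25),    # workstation SMTP: default deny
    ]
    for p, ok, why in audit(sample):
        print(f"{'ALLOW' if ok else 'DENY ':5} {p.src} -> {p.dst} {p.proto}/{p.dport}: {why}")
```

The block list is checked before any allow rule so that a host-specific exception (the mail server's SMTP rule, for instance) can never override a DROP entry; when transcribing to a real firewall, keep the same ordering, since most rule engines evaluate top-down and first match wins.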
