One more thing to consider...
What is far more important than a "paranoid" rule set is understanding what applications you want to allow and how they use the net.
The most careful admins will only permit network use by applications desired, and map rules to expected behavior. Any pass rule should be carefully written. If you are truly concerned about the welfare of your own networks, even if you don't care about your impact on other networks, this should be your goal.
For example, an outbound "pass all" does not protect against anything using the workstation as a vector... from virii that might spew spam, to a bad actor with command and control.
Obviously, those are more likely on windows platforms... but the risk is not zero. Admin mistakes can permit attacks, and have.
|