
IPTABLES Scenario 1

Scenario 1: Standard Machine

A good practice in firewall design is to allow only the needed ports/connections and then drop everything else. Done in that order, you can monitor exactly which ports/connections are OPEN.

/etc/sysconfig/firewall

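*filter
# Ruleset in iptables-save format, loaded with iptables-restore.
# Default policies: every packet that no rule below explicitly ACCEPTs is
# dropped, so a forgotten rule fails closed rather than open.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Loopback connections, both directions. The OUTPUT policy is DROP as well,
# so without the second rule anything talking to 127.0.0.1 (a local resolver,
# a local mail spool, ...) would be logged and dropped.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Drop ALL INVALID Connections (packets conntrack cannot associate with a flow)
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP

# Allow all established and related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT CHAIN HERE
# Only NEW connections need rules from here on; replies are covered above.

# allow connections to my ISP's DNS servers
# Primary DNS 10.9.8.7, Secondary DNS 10.9.8.6
# DNS port is 53
-A OUTPUT -d 10.9.8.7 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
-A OUTPUT -d 10.9.8.6 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT

# allow outgoing connections to web servers
# Destination is ANY
# http is port 80, https is port 443 (names resolved via /etc/services)
-A OUTPUT -d 0/0 -m state --state NEW -p tcp --dport http -o eth0 -j ACCEPT
# NOTE: the original https line used a typographic dash ("–d") and ran "0/0-m"
# together; iptables-restore rejects that line, so https was never allowed.
-A OUTPUT -d 0/0 -m state --state NEW -p tcp --dport https -o eth0 -j ACCEPT

# allow outgoing mail connections to my ISP's SMTP and POP3 server only
# Mail Server is 10.10.10.40
-A OUTPUT -d 10.10.10.40 -m state --state NEW -p tcp --dport smtp -o eth0 -j ACCEPT
-A OUTPUT -d 10.10.10.40 -m state --state NEW -p tcp --dport pop3 -o eth0 -j ACCEPT

# log all other attempted out going connections
# Rate-limited so a chatty or misbehaving process cannot flood the log, and
# prefixed so the entries are easy to find when reviewing what got blocked.
-A OUTPUT -o eth0 -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "OUTPUT-DROP: "

# default is to DROP out-going connections (the OUTPUT chain policy above)
COMMIT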