If you configure your firewall to block all outbound ports except those actually needed, you may run into a problem with apt-get update or upgrade. The update then fails with "Failed to fetch" and "Temporary failure resolving 'ftp.us.debian.org'": apt can neither resolve the mirror's name nor reach it over HTTP.
To allow these operations to work you can either allow ports 53 and 80 outbound, or specify the destination hosts for more granular control:
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
Alternatively, restrict the rules to specific destination hosts instead:
-A OUTPUT -p tcp -d ftp.us.debian.org -j ACCEPT
-A OUTPUT -p tcp -d volatile.debian.org -j ACCEPT
-A OUTPUT -p tcp -d security.debian.org -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
Note that iptables resolves a hostname given with -d only once, when the rule is loaded, and installs one rule per address returned, so the rules must be reloaded if a mirror's address changes. While this does not protect you from DNS poisoning, it does greatly limit the outbound traffic that an attacker can use if your box was compromised.