My question is as follows: are there any special considerations to be taken care of so that you do not end up sabotaging your system (i.e. you have to allow DNS requests) ("gotchas" perhaps)?
You must allow the loopback interface.
For everything else, make a list of services you want to access out of the box, where, and under what circumstances... allow those. You'll soon know if you missed one.
Also: is it possible to only allow certain binaries to send packets? I.e. you want your users to be able to IRC, but in order to do this they *have* to use /usr/bin/irc_client; running ~/irc_client would not have to work.
The best way to force users to use only a specific application is to deny them access to any others on the box. The best way to do that is to remove them all.
It's usually only a concern if you know an application has a specific exploit that you would like to avoid.
I understand you can use the --cmd-owner option to allow connections based on the launching process.
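Putting the advice in this thread together (loopback first, an explicit whitelist of what may leave the box, and an owner match for the IRC client) as an added example that is not from any of the posters: a POSIX sh script that builds a default-deny OUTPUT chain. The resolver addresses (taken from the 192.0.2.0/24 documentation range), the group name irc and the IRC port are assumptions for illustration. On current kernels the owner match no longer offers --cmd-owner, only uid/gid/socket matches, so the rule below keys on --gid-owner; the way to tie it to one binary is to install that binary setgid to the irc group and keep ordinary users out of that group.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny OUTPUT chain for iptables.
# Assumed values, for illustration only: resolvers in the 192.0.2.0/24 documentation
# range, an "irc" group that only the system IRC client runs with, IRC on tcp/6667.
RESOLVERS="${RESOLVERS:-192.0.2.53 192.0.2.54}"
IRC_GROUP="${IRC_GROUP:-irc}"
IRC_PORT="${IRC_PORT:-6667}"

outbound_policy() {
    # Start from an empty chain with an ACCEPT policy so a half-applied script
    # (for instance one run over SSH) never leaves the box silent; DROP is set last.
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -F OUTPUT

    # 1. Loopback first. Local daemons, X, and anything talking to 127.0.0.1 break without it.
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # 2. Packets belonging to connections that were already permitted, in either direction.
    "$IPT" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. DNS, but only to the resolvers you configured, over UDP and TCP.
    for r in $RESOLVERS; do
        "$IPT" -A OUTPUT -p udp -d "$r" --dport 53 -j ACCEPT
        "$IPT" -A OUTPUT -p tcp -d "$r" --dport 53 -j ACCEPT
    done

    # 4. IRC only from processes running with the irc group. The owner match keys on
    #    the uid/gid of the socket's owner; --cmd-owner is gone from current kernels,
    #    so the way to tie this to one binary is to install that binary setgid irc.
    "$IPT" -A OUTPUT -p tcp --dport "$IRC_PORT" -m owner --gid-owner "$IRC_GROUP" -j ACCEPT

    # 5. Log (rate limited) and then reject, so a service you forgot fails fast with
    #    EPERM and shows up in the log instead of hanging until a timeout.
    "$IPT" -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
    "$IPT" -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited

    # 6. Only now flip the policy.
    "$IPT" -P OUTPUT DROP
}

# Preview: sh outbound.sh            (prints the commands, changes nothing)
# Apply:   sudo sh outbound.sh --apply
if [ "${1:-}" = "--apply" ]; then IPT=iptables; else IPT=echo; fi
outbound_policy
```

Two caveats a practitioner will want: run the same rules through ip6tables as well, or anything with a working IPv6 route simply leaves over v6; and for the IRC rule to mean "only /usr/bin/irc_client", that file has to be the only thing that runs with the irc group, e.g. `chgrp irc /usr/bin/irc_client && chmod 2755 /usr/bin/irc_client`, with no user account a member of irc. A copy in ~ then runs with the user's own gid and hits the REJECT rule.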
There is a highly entertaining and interesting discussion on outbound policies here: