All I did was use the sample rules from the CHX web site to start with. Just 2 rules covered everything. I believe the sample rules covered both TCP and UDP in one rule. Also turned on SPI for TCP/UDP/ICMP with logging. This allowed all outbound traffic and inbound only what SPI would accept. Then I created a couple of force allow rules to accommodate my DHCP servers. I have a situation where I have 2 DHCP servers. The outgoing request goes out to one server, but the response comes back from another server. So I need a force allow rule for that response.
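
Why the reply from the second DHCP server needs its own rule, shown as an added example that is not part of the original post and does not use CHX-I rule syntax: a toy Python model of a stateful filter with one narrowly scoped force-allow rule. The addresses, class and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StatefulFilter:
    """Toy model: outbound is allowed and tracked; inbound needs state or a force-allow rule."""

    def __init__(self, force_allow=()):
        self.state = set()                    # replies expected for outbound flows
        self.force_allow = list(force_allow)  # (proto, src_ip, src_port, dst_port)

    def outbound(self, p):
        # Record the reply we expect: the same 5-tuple with the endpoints swapped.
        self.state.add((p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port))
        return "allow"

    def inbound(self, p):
        if (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port) in self.state:
            return "allow (SPI)"
        for rule in self.force_allow:
            if (p.proto, p.src_ip, p.src_port, p.dst_port) == rule:
                return "allow (force rule)"
        return "drop"

# Constructed addresses from documentation ranges, not taken from the post.
CLIENT, DHCP_A, DHCP_B = "192.0.2.10", "192.0.2.1", "192.0.2.2"

def demo(force_allow=()):
    fw = StatefulFilter(force_allow)
    fw.outbound(Packet("udp", CLIENT, 68, DHCP_A, 67))  # request goes to server A
    return {
        "reply_from_A": fw.inbound(Packet("udp", DHCP_A, 67, CLIENT, 68)),
        "reply_from_B": fw.inbound(Packet("udp", DHCP_B, 67, CLIENT, 68)),
        "reply_from_unlisted": fw.inbound(Packet("udp", "198.51.100.7", 67, CLIENT, 68)),
    }

if __name__ == "__main__":
    print(demo())                         # SPI only: the reply from server B is dropped
    print(demo([("udp", DHCP_B, 67, 68)]))  # force rule pinned to server B, ports 67 -> 68
```

Pinning the force-allow rule to the second server's address and the DHCP port pair keeps the exception from admitting UDP from any other source.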