Any connections from ports below 1024 are highly suspect as reflection attacks, so above I block them all.
Another good trick is to block all outgoing connections to port 80 - this makes it quite inconvenient for a virus to download its payload. In fact, block all outgoing connections, and allow only what YOU want to do.
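
An added example, not the rules referred to above (those are not shown here): a minimal nftables ruleset that drops unsolicited packets from source ports below 1024 and denies outgoing connections by default. It assumes a Linux host and IPv4 only; the resolver address 192.0.2.53, the inbound SSH rule and the allowed outbound ports are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example. Assumes Linux with nftables, IPv4 only.
# Addresses and allowed ports are placeholders; adjust to your own needs.

flush ruleset

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # Replies to connections this host opened match here first, so
        # answers from DNS (sport 53) or HTTPS (sport 443) still get in.
        ct state established,related accept
        ct state invalid drop

        # Anything left is unsolicited. A source port below 1024 on such a
        # packet is typical of reflected traffic, so drop it before any
        # service rule below can accept it. The counters show the volume.
        udp sport < 1024 counter drop
        tcp sport < 1024 counter drop

        # Placeholder inbound service.
        tcp dport 22 accept
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # Allow only what you intend to use (placeholders).
        ip daddr 192.0.2.53 udp dport 53 accept
        ip daddr 192.0.2.53 tcp dport 53 accept
        tcp dport 443 accept
        udp dport 123 accept

        # Port 80 is deliberately not allowed; log attempts separately so
        # an unexpected download attempt stands out in the logs.
        tcp dport 80 log prefix "egress-80-drop: " counter drop

        # Everything else falls through to the drop policy; log it first.
        log prefix "egress-drop: " counter
    }
}
```

Rule order matters: if the low-source-port drop came before the `ct state established,related` rule, replies from the DNS and NTP servers this host queries would be dropped as well.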