Unlike ingress ACLs, for egress ACLs you must specify either a source or destination address, instead of writing a rule with no match conditions.
For example, an ingress ACL deny all rule could be:
entry DenyAllIngress{
if {
} then {
deny;
}
}
The previous rule would not work as an egress ACL.
The following is an example of an egress ACL deny all rule:
entry DenyAllEgress{
if {
source-address 0.0.0.0/0;
} then {
deny;
}
}