Unlike ingress ACLs, for egress ACLs you must specify either a source or destination address, instead of writing a rule with no match conditions.
For example, an ingress ACL deny all rule could be:
entry DenyAllIngress{ if { } then { deny; } }
The previous rule would not work as an egress ACL.
The following is an example of an egress ACL deny all rule:
entry DenyAllEgress{ if { source-address 0.0.0.0/0; } then { deny; } }