Deny all is the default rule. It is implied at the end of the list of packet filter rules. Limewire uses ports in the 6300 range. It also however does use some in the 8080 range for gnutella host queries. I do agree with the idea of selectively allowing only certain services. Log all your ports is use during a given day and open the ones you can identify. Otherwise wait for your users complaints. Try 21, 25, 80, 110, 119, 443 to start with. There are a ton of thoughts on this. Everyone has their own take. Pick and choose those which best fit your needs.
Means of bypassing a firewall which only allows http traffic out are growing increasingly sophisticated: two apps allow essentially anyone to encapsulate traffic (which would have otherwise been blocked by the firewall) into http packets to an http-to-socks server out on the Internet. Users bypass any firewall that allows tcp connections to port 80 on the outside (which one is configured not to?).
The applications are Socks2http and HTTPTunnel.
You need to play hide-and-seek and watch where your http connections are going, blocking those to suspicious URLs (better done on the Web Proxy).
