That's going to depend on your web application. Some applications need to do DNS lookups, or send mail. You would need to allow that traffic. Starting off with blocking everything is usually a good thing but you may need to open up things in order to make it work again.Is there particular reason not to pass out all initiated traffic?
su -l trusted -c mytrustedapp
FreeBSD doesn't have an application level firewall but you can kinda get round it by blocking all traffic apart from that by a specific user (i.e trusted) and then run i.esu -l trusted -c mytrustedapp
I had never heard of "trusted". Do you have a link for it in the documentation? I am having a hard time finding it.
su -l <username> -c <command>