I see around 25 "Dropped outbound packet" due to it being denied each
boot, so allowing this will at the very least make the journal less
spammy (which is nice when analyzing WhisperBack reports). Maybe it
will also give the root user something useful.

In !1444 I investigated what these where about and "it's just a
bunch of lookups of IPv6 localhost (::1) and all interfaces' assigned
IPv4 addresses (including all the veth-* interfaces)". So it seems
safe to do this.