As far as I know, ntoskrnl.exe doesn't need to connect anywhere, at least if you're not sharing any files in a network.
However, it could be useful to allow ntoskrnl to IP address 0.0.0.0 only, in order to avoid duplicate IP addresses from DHCP server.
I've set my firewall to block all traffic in & out from lsass.exe, svchost.exe and ntoskrnl.exe, except ntoskrnl to 0.0.0.0 and svchost.exe to my router.