
What's wrong with firewalls?

Or, how the alternative world looks where network security is more pleasant?



Firewalls are a fundamentally bad approach and are avoidable with good design.

Nothing should have access to the network by default. You can either get that right by limiting resource access (which is the job of the operating system) or you can get it wrong and have to expose new APIs and hooks to invite an ecosystem of many, slightly different, complicated tools to configure network access.

To give access to the network, you spawn the process with a handle to the port it can listen on, or a handle to a dynamically allocated port that it can only dial out of. This is no more complicated than configuration, and it doesn't have to be difficult for users. It can bubble up to a GUI very similar to what the iPhone has for giving access to location, contacts list, etc.

The fact that most "security" people have a knee-jerk reaction to "firewall bad" is exactly the cultural problem that I'm talking about. It's not a technical problem anymore; the solutions are known, but they aren't widely known, and they aren't known by decision makers. We've become so used to the wrong way for so long that highly trained people reliably have bad taste.
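A minimal sketch of the "spawn the process with a handle to the port it can listen on" design from the comment above, as an added example that is not part of the thread: the parent binds the port and passes the child only the listening socket's file descriptor, so the child never calls bind() and never learns a port number it could choose itself. Python on POSIX; the child code and the function names are assumptions, and preventing the child from opening new sockets on its own is left to OS sandboxing (seccomp, Capsicum, etc.), which is not shown.

```python
import socket
import subprocess
import sys

# Code run by the child process. It is handed an fd on the command line and
# adopts it as its listening socket; it never calls bind() or chooses a port.
CHILD = r"""
import socket, sys
listener = socket.socket(fileno=int(sys.argv[1]))  # adopt the inherited listener
conn, _ = listener.accept()
data = conn.recv(1024)
conn.sendall(b"echo:" + data)
conn.close()
listener.close()
"""

def spawn_with_listener(host="127.0.0.1"):
    """Bind a port in the parent, then spawn a child that receives only that socket.

    Returns (child process, port). The parent decides which port exists; the
    child only gets a handle to it. pass_fds is the whole grant: no other
    descriptor of the parent is inherited.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))        # port 0: kernel picks a free port (constructed demo)
    listener.listen(1)
    fd = listener.fileno()
    child = subprocess.Popen(
        [sys.executable, "-c", CHILD, str(fd)],
        pass_fds=(fd,),             # the capability: this fd, and only this fd
    )
    port = listener.getsockname()[1]
    listener.close()                # parent drops its copy; the child's fd keeps the socket alive
    return child, port

def run_demo():
    """Spawn a child holding the listener, connect to it as a client, return its reply."""
    child, port = spawn_with_listener()
    with socket.create_connection(("127.0.0.1", port), timeout=10) as client:
        client.sendall(b"hi")
        reply = client.recv(1024)
    child.wait(timeout=10)
    return reply  # b'echo:hi'

if __name__ == "__main__":
    print(run_demo())
```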



