Yes, firewalls are kinda cool. Especially outbound access control can stop lots of attacks. The one thing that I would like to see in a firewall is a way to stop apps from phoning home without blocking them from network access completely. Yes, this can already be done, but I'm talking about doing it out of the box. But how would firewalls know if the outbound request is done by you (a person) or by the app itself?
This is an old discussion in the privacy community, to say the least; especially from when spyware was first discovered and defined. The issue then, as it is now, is not the ability to block what you want blocked within the rule sets, but the user getting appropriate notice of the COSTS for using any given application (usually free or shareware). With a transparent understanding of the costs of using the program comes an easier decision as to whether or not to even install and use the product in question. The point here being that if you think the costs of a specific application are too high without spending time and resources to configure and then test a specific set of rules for outbound communications, you should perhaps look for a different solution that may require paid licensing; the developer has to get paid one way or another, and the best results with the highest all-around customer satisfaction come with a paid relationship in general (yes, there are exceptions).
@Coldmoon Well, you're looking at it from a different point of view. Most apps will not phone home if you disable the "auto-update" setting. But there are some apps (like browsers, video downloaders and instant messengers) that always need to be connected, so they can take advantage of this to make outbound connections that you did not request or approve. The question is also: what exactly are they uploading from your machine? Maybe browser or chat history, and a list of downloaded files?
Well, when one considers that most AM/AV/AS scanners are always behind the curve due to the sheer volume of malware and PUP content that gets released to the wild on a daily basis, having automatic updates makes sense even with the occasional risk of a bad signature getting into the mix. Where browsers are concerned, you should be able to shut off the automatic updates in the configuration. Where this might come back to bite you in the rear is when a vulnerability is discovered and then eventually fixed: the unaware user is at greater risk, as it is usually once in a blue moon when they actually get around to checking for updates. If my experience here is any guide, this usually comes after I clean up a relative's system when they get infected by something...

The video downloads are a trickier issue, as it may involve DRM requirements with the specific media you are downloading and then eventually playing back. This is one of the costs I mentioned previously, though it is more about control of the content than it is about getting paid for that content. Games are even worse when you have to be online to even use the software, so the buyer needs to beware here...

Instant messengers would need to establish outbound connections unless you didn't intend to actually talk to someone using the applicable program. This is also a tricky case, where the server you are connecting through may also be used for other communications, which makes the software useless in some cases if you block that specific connection in the rules.

Your final question, however, is where the firewall and a sniffer come in handy. I would encourage everyone to get familiar with their FW logs and learn how to read them after they have had a sufficient intake of coffee. In this scenario you would be investigating the comm and then perhaps writing a temporary blocking rule to help identify the offending application, and then removing it if this type of cost is too high for your preferences.

Remember, every rule you deploy is eventually going to cost you some performance, especially if that rule is not properly formatted and specifically targeted. What I have seen, and been guilty of in the early years, is writing something too broad that then starts mucking up things it should not, with the added joy of troubleshooting - testing - rewriting - troubleshooting - etc.
What innovations? Firewalls are doing the same as 25 years ago; the only difference is that they added some partial protections against known attacks like DDoS and such. Implementing HIPS into a firewall (Comodo/Private Firewall) is not an innovation, that is symbiosis with a different product, which can be done using separate products.
Quite an extensive reply, but I now think I get what you're trying to say: it all comes down to trust. If you do not trust some app, don't use it. And yes, the only way to solve this problem is by making specific rules, like blocking apps from connecting to certain IP ranges. Perhaps it was a bit of a silly question, because I do not think that firewalls will ever be intelligent enough to distinguish between legitimate traffic and "phoning home" traffic. On the other hand, some advanced firewalls/HIPS are trying to spot suspicious traffic in order to stop traffic to so-called command-and-control (C&C) servers, which are used by malware/botnets.
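The two practical steps mentioned in this thread, reading the firewall logs to find what an app is actually talking to (Coldmoon's post above) and then writing a narrow rule that blocks only specific destinations rather than the whole app (this reply), as an added example that is not code from any poster here. It assumes a Linux host using netfilter's LOG target with --log-uid, which appends UID=/GID= fields to each logged packet, and that the app under investigation runs under its own user account (UID 1001 below) so that the owner match can single it out. The log lines, the allowed server range and all addresses are constructed (documentation ranges), not captured traffic.

```python
"""Triage outbound firewall log lines by process owner and turn the
unexpected destinations into narrow per-app REJECT rules.

Added example; assumes netfilter LOG with --log-uid (UID=/GID= fields in
each line) and that the app runs as its own UID.  Log lines and addresses
are constructed, not captured."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: six outbound flows logged with --log-uid, plus one
# kernel-originated ICMP line (no DPT/UID) that the parser must skip.
SAMPLE_LOG = """\
Mar  3 10:12:44 host kernel: OUTBOUND IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN UID=1001 GID=1001
Mar  3 10:12:45 host kernel: OUTBOUND IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51235 DPT=443 SYN UID=1001 GID=1001
Mar  3 10:12:50 host kernel: OUTBOUND IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.77 LEN=60 PROTO=TCP SPT=51240 DPT=443 SYN UID=1001 GID=1001
Mar  3 10:13:02 host kernel: OUTBOUND IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.20 LEN=48 PROTO=UDP SPT=41000 DPT=5353 UID=1001 GID=1001
Mar  3 10:13:10 host kernel: OUTBOUND IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.1 LEN=60 PROTO=UDP SPT=40000 DPT=53 UID=1001 GID=1001
Mar  3 10:13:11 host kernel: OUTBOUND IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=52000 DPT=443 SYN UID=1000 GID=1000
Mar  3 10:13:12 host kernel: OUTBOUND IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

# Fields appear in this order in netfilter LOG output: DST ... PROTO ... DPT ... UID.
FLOW_RE = re.compile(
    r"DST=(?P<dst>[0-9.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+).*?UID=(?P<uid>\d+)"
)

# Per-UID expectations: (destination network, port or None for any port).
CHAT_UID = 1001  # assumption: the chat client runs under its own account
POLICY = {
    CHAT_UID: [
        (ipaddress.ip_network("203.0.113.0/24"), 443),  # vendor's chat servers (constructed)
        (ipaddress.ip_network("192.168.1.1/32"), 53),   # local resolver
    ],
}


def parse_log(text):
    """Return (uid, proto, dst, dport) tuples for every line that carries UID info."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m is None:
            continue  # no DPT/UID, e.g. kernel-originated ICMP
        flows.append((int(m["uid"]), m["proto"], ipaddress.ip_address(m["dst"]), int(m["dpt"])))
    return flows


def destinations_by_uid(flows):
    """Step one of reading the logs: who talked to what, and how often."""
    summary = defaultdict(lambda: defaultdict(int))
    for uid, _proto, dst, dpt in flows:
        summary[uid][(str(dst), dpt)] += 1
    return {uid: dict(dsts) for uid, dsts in summary.items()}


def is_expected(policy, uid, dst, dpt):
    return any(dst in net and (port is None or port == dpt)
               for net, port in policy.get(uid, ()))


def unexpected_flows(flows, policy):
    """Flows outside the per-UID policy: the phone-home candidates.
    A UID with no policy entry is reported in full, since nothing vouches for it."""
    counts = defaultdict(int)
    for uid, proto, dst, dpt in flows:
        if not is_expected(policy, uid, dst, dpt):
            counts[(uid, proto, str(dst), dpt)] += 1
    return dict(counts)


def reject_rules(uid, destinations, chain="OUTPUT"):
    """iptables commands that block only this UID and only these destinations;
    the app keeps every connection its policy allows."""
    return [
        f"iptables -I {chain} -m owner --uid-owner {uid} -p {proto.lower()} "
        f"-d {dst} --dport {dport} -j REJECT"
        for proto, dst, dport in destinations
    ]


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for uid, dsts in destinations_by_uid(flows).items():
        print(f"UID {uid}: {dsts}")
    suspects = unexpected_flows(flows, POLICY)
    for (uid, proto, dst, dpt), n in suspects.items():
        print(f"unexpected: uid={uid} {proto} {dst}:{dpt} x{n}")
    chat_suspects = [(p, d, dp) for (u, p, d, dp) in suspects if u == CHAT_UID]
    for rule in reject_rules(CHAT_UID, chat_suspects):
        print(rule)
```

The emitted rules are deliberately as narrow as the evidence: one UID, one protocol, one address, one port. That keeps the chat client's real server connections working while the unexplained ones are cut off, and it is easy to remove again if the app turns out to need them, which is the "temporary blocking rule" approach described above. For a destination that moves between addresses, widen the rule to the observed network range rather than to the whole app.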
You are right, firewalls are becoming "bloatware": a lot of nonsense adding AV and HIPS, with system corruption and slowdowns. I just want a basic firewall without the extra crap. Can any of you big companies do that? I think not; worship the mighty $.