LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-18-2005, 11:29 AM   #76
Proud
Senior Member
 
Registered: Dec 2002
Location: England
Distribution: Used to use Mandrake/Mandriva
Posts: 2,794

Rep: Reputation: 116

I fail to see your point. Either you do not wish for some programs to start outbound connections, in which case configure them not to, or you do wish them to start connections in which case you'd set your firewall to allow them anyway.
 
Old 04-18-2005, 01:13 PM   #77
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by Proud
I fail to see your point. Either you do not wish for some programs to start outbound connections, in which case configure them not to
without a firewall, how would you configure network access for a (possibly evil) program that isn't currently installed on your system??

Quote:
or you do wish them to start connections in which case you'd set your firewall to allow them anyway
yes, but ONLY them... by not using the firewall you are essentially allowing everything to go through, whether or not it's traffic that you consider necessary for your box's purpose...

without a firewall you have no centralized way of limiting network access for programs, and no way at all to limit ones that aren't installed on your system at the current time... this includes SPYWARE and TROJANS...

here's some simple/stupid examples of what i mean:

INCOMING: let's say you have apache and vsftpd running on your box... so using your method, you'd make sure that those two are the only daemons running... you scan your box and you make sure every port except 21/tcp and 80/tcp is closed... okay... so here comes regular user joe and he logs-into the box to work, but he's bored (or whatever) and so with a couple mouse clicks he installs a proxy server on your box (either on purpose or by accident - that's beside the point) and has it listening on 3128/tcp... see how easy that was?? he didn't have to do anything else (not even become root) and HE had a daemon listening on YOUR box (>1024/tcp)... so now you have your firewall-less box not only doing web and ftp, but also doing who knows what kinda proxying for who knows who... the bandwidth-stealing possibilities for the script kiddies will be endless... in no time your box could be serving-up kiddie pr0n to the web and hosting a mirror for some script kiddie's customized knoppix cd... if you would have had a simple firewall (allowing only 80/tcp and 21/tcp), something as simple as:
Code:
# default policy: anything not explicitly accepted below is dropped
iptables -P INPUT DROP
# packets belonging to (or related to) connections already accepted
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections on eth0 only to ftp (21/tcp) and http (80/tcp)
iptables -A INPUT -p TCP -i eth0 --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --dport 80 -m state --state NEW -j ACCEPT
then even though your web and ftp servers would be able to listen on the network, user joe wouldn't have been able to make his proxy or trojan or whatever listen on the network (unless he would find a way to gain superuser powers and alter the firewall's rules)...

OUTGOING: let's say it's the box you installed for grandma... she just uses it (for example) to surf webmd.com and to check hotmail.com... the thing is one day she gets an evil executable in her mailbox... of course grandma doesn't even know what an executable is... well she clicks the bastard and guess what, an ftp session is initiated with some script kiddie's ftp server and all of grandma's documents are uploaded to it... so now grandma's privacy has been completely obliterated - all because you didn't wanna install a firewall for her... of course this is obviously just a ridiculous example (just enough to make a point), but since she only used webmd.com and hotmail.com you could have easily used a firewall to restrict outgoing traffic to 80/tcp and 443/tcp, which would have prevented the evil executable from starting an ftp session and sending grandma's docs over the internet:
Code:
# default policy for packets leaving this box (the chain is OUTPUT, not OUPUT)
iptables -P OUTPUT DROP
# replies for connections already accepted
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new outbound connections only to http (80/tcp) and https (443/tcp)
iptables -A OUTPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p TCP --dport 443 -m state --state NEW -j ACCEPT
or if it was a NAT firewall on a LAN it might look something like:
Code:
# default policy for packets routed through this box (eth1 = LAN, eth0 = internet)
iptables -P FORWARD DROP
# replies for connections already accepted
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections from the LAN to the internet only to http and https
iptables -A FORWARD -p TCP -i eth1 -o eth0 --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p TCP -i eth1 -o eth0 --dport 443 -m state --state NEW -j ACCEPT
# rewrite the source address of everything leaving eth0 to the box's own
iptables -t nat -A POSTROUTING -p ALL -o eth0 -j MASQUERADE
with those simple rules above i could also give a port-scan example... like, without a firewall any user could start port-scanning someone's server from your IP... they could sit there and portscan nsa.gov all day without your consent, for example... and the firewall logs at nsa.gov will show YOUR IP as the source of the scans... so when you come back home from work you find the men in black taking your computer away and your son/daughter is like "ummm... sorry dad..."... if you would have used the simple/stupid firewall rules above your son/daughter's port-scan would have never worked - even though they would still have been able to surf the web in peace...


Last edited by win32sux; 04-18-2005 at 08:25 PM.
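The script below is an added example and is not code from the post above or from anyone in this thread. It turns the three rule sets win32sux sketched (host INPUT/OUTPUT allow-list, NAT gateway FORWARD allow-list) into a generator that writes an iptables-restore file, plus a check you can run on the generated policy before loading it, e.g. to confirm that joe's proxy on 3128/tcp or the trojan's outbound ftp session really has no matching ACCEPT rule. Interface names follow the post (eth0 toward the internet, eth1 toward the LAN). Several things in it are my assumptions rather than the post's: loopback is always accepted, outbound DNS (53/udp and 53/tcp) is allowed next to the listed ports because an "80 and 443 only" policy otherwise cannot resolve webmd.com or hotmail.com, packets in state INVALID are dropped first, and in gateway mode OUTPUT stays ACCEPT because the post's NAT rules only cover forwarded traffic. The function names `gen_ruleset` and `allows_new` are mine.

```shell
#!/bin/sh
# Added example (not code from the thread): emit an iptables-restore ruleset
# implementing the stateful allow-lists described in the post.
#
#   host    : INPUT default DROP, NEW connections accepted only on IN_PORTS
#             arriving via WAN_IF; OUTPUT default DROP, NEW connections
#             accepted only to OUT_PORTS (plus DNS) leaving via WAN_IF.
#   gateway : FORWARD default DROP, NEW connections from LAN_IF to WAN_IF
#             accepted only to OUT_PORTS (plus DNS), MASQUERADE on WAN_IF;
#             the gateway's own INPUT accepts NEW only from LAN_IF on IN_PORTS.
#
# Assumptions that are mine, not the post's: loopback accepted, outbound DNS
# allowed, INVALID dropped first, gateway OUTPUT left at ACCEPT.

emit() { printf '%s\n' "$*"; }

# usage: gen_ruleset MODE WAN_IF LAN_IF "IN_PORTS" "OUT_PORTS"
gen_ruleset() {
    fw_mode=$1 fw_wan=$2 fw_lan=$3 fw_in=$4 fw_out=$5
    case $fw_mode in
    host)    fw_out_pol=DROP ;;
    gateway) fw_out_pol=ACCEPT ;;
    *)       echo "gen_ruleset: unknown mode '$fw_mode'" >&2; return 1 ;;
    esac

    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ":OUTPUT $fw_out_pol [0:0]"
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A OUTPUT -o lo -j ACCEPT'
    for c in INPUT FORWARD OUTPUT; do
        emit "-A $c -m state --state INVALID -j DROP"
        emit "-A $c -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done

    if [ "$fw_mode" = host ]; then
        for p in $fw_in; do
            emit "-A INPUT -i $fw_wan -p tcp --dport $p -m state --state NEW -j ACCEPT"
        done
        for proto in udp tcp; do
            emit "-A OUTPUT -o $fw_wan -p $proto --dport 53 -m state --state NEW -j ACCEPT"
        done
        for p in $fw_out; do
            emit "-A OUTPUT -o $fw_wan -p tcp --dport $p -m state --state NEW -j ACCEPT"
        done
        emit 'COMMIT'
    else
        for p in $fw_in; do
            emit "-A INPUT -i $fw_lan -p tcp --dport $p -m state --state NEW -j ACCEPT"
        done
        for proto in udp tcp; do
            emit "-A FORWARD -i $fw_lan -o $fw_wan -p $proto --dport 53 -m state --state NEW -j ACCEPT"
        done
        for p in $fw_out; do
            emit "-A FORWARD -i $fw_lan -o $fw_wan -p tcp --dport $p -m state --state NEW -j ACCEPT"
        done
        emit 'COMMIT'
        emit '*nat'
        emit ':POSTROUTING ACCEPT [0:0]'
        emit "-A POSTROUTING -o $fw_wan -j MASQUERADE"
        emit 'COMMIT'
    fi
}

# usage: allows_new "$ruleset" CHAIN PROTO PORT
# Succeeds only if CHAIN contains a rule accepting NEW connections to
# PROTO/PORT; with a DROP policy, no such rule means the port is closed.
allows_new() {
    printf '%s\n' "$1" | grep -q -- "^-A $2 .*-p $3 --dport $4 -m state --state NEW -j ACCEPT\$"
}

# "sh firewall-gen.sh demo" prints the web+ftp host policy from the post;
# as root, load it with:  sh firewall-gen.sh demo | iptables-restore
if [ "${1:-}" = demo ]; then
    gen_ruleset host eth0 '' '21 80' '80 443'
fi
```

Because the policy is generated as a single iptables-restore file rather than applied one `iptables -A` at a time, it is loaded atomically, so there is no window during reload where the chains have a DROP policy but no ESTABLISHED rule yet (which would cut off your own ssh session), and the same text can be reviewed and checked with `allows_new` before it ever touches the kernel.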
 
Old 04-18-2005, 01:55 PM   #78
Proud
Senior Member
 
Registered: Dec 2002
Location: England
Distribution: Used to use Mandrake/Mandriva
Posts: 2,794

Rep: Reputation: 116
My point was regarding a desktop linux box, and so you see the problem comes down to users doing stupid things like running malicious email attachments that target linux (who gets these?), or deliberately running e.g. a proxy server. However as you state then a normal firewall should prevent such activities. But normally on a desktop linux box if you trust your currently installed software and keep it patched you have a severely reduced need for the firewall.
 
Old 04-18-2005, 02:13 PM   #79
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by Proud
My point was regards a desktop linux box, and so you see the problem comes down to users doing stupid things like running malicious email attachments that target linux(who gets these?), or deliberately running e.g. a proxy server.
in this case i don't see it that way... i see the problem comes down to system administrators doing very stupid things (like not using a firewall) and hence not having that extra layer of security when the users do their stupid things...

by not using a firewall the sysadmin is basically saying: "hey go ahead and make any daemon you want listen on a non-root port, no problem"... or even worse: "go ahead and send any type of packets you want out to the external network, i don't care"...
Quote:
But normally on a desktop linux box if you trust your currently installed software and keep it patched you have a severly reduced need for the firewall.
where on earth did you get THAT idea???... using trusted software and keeping your software updated has absolutely nothing to do with configuring network access... maybe you could explain how the situation in my hypothetical examples would have been avoided by having "trusted" and "patched" software installed without a firewall in place, cuz AFAIK: IT WOULDN'T HAVE...


Last edited by win32sux; 04-18-2005 at 02:25 PM.
 
  

