User-space TCP/IP
Posted Mar 26, 2009 22:51 UTC (Thu) by zlynx (guest, #2285)
In reply to: Nftables: Not addressing VJ channels or userspace tcp by hisdad
Parent article: Nftables: a new packet filtering engine
You don't have a problem with a firewall. Just as the socket connect, read and write calls for TCP/IP would be handled by a user-space library, the firewall would be as well.
If you do not trust your user-space for some reason, then the thing to do would be to force applications to communicate through a user-space daemon process. You would lose performance, just like forcing graphics apps to use the X server instead of direct rendering.
A separate piece of hardware for doing the firewalling is usually a better idea, and if you care about performance enough, you would have one anyway.
