Fedora 21 and its Workstation firewall

The (an!) other possibility would be that apps declare their desired ports, and either on installation, or execution (up to the user, either way could be chosen, IDK which) the firewall just allows access to known, "officially" installed apps.

(Open)SuSE kinda has this with /etc/sysconfig/SuSEfirewall2.d/services/[thingy] files; it could be metadata in RPM itself. Java has its java.[policy|security] stuff as well. Yeah, Java. But not conceptually bad. iStuff and Android implements the same general concept (beyond firewall): the developer declares the needed security elevation, and the user says yes or no.

Fedora so much as *asking* the question of "system firewall: yes/no", be it to themselves or to end uses is frightening.