no firewall, even those in the fwtk legacy or network guards, can prevent trusted applications from sending undesired or unauthorized data. even if the formatting of every single packet is defined in a manner so draconian as to be no longer useful in general-purpose environments, covert channels still exist.

firewalls are not the appropriate choice to protect these vectors. a strong change control policy must be in place on internal systems. the firewall must be limited in scope to moderating network access and filtering outbound content for signs of remotely compromised services/daemons. more tasks will overload the firewall and play away from its strengths.

i disagree with the idea that no preventative measures are available. prevention of unauthorized disclosure, alteration, and even some instances of destruction is the primary use of access controls. access controls are limited by their technical nature and are useless if not supported by strong organizational policy or, for the home user, a little self-education and simple caution.