Posts: 66 | Thanked: 17 times | Joined on Apr 2008
#18
Originally Posted by TA-t3:
Yep, if malicious software gets installed, no firewall or anything else would help.
No, that's just wrong. A decent firewall will stop applications sending data (your passwords, credit card numbers, confidential email) outside your machine without your permission.

Wait: TA's post makes MUCH more sense when I look at one of his earlier ones too:

I know Windows firewalls (at least the good ones) can specify not only port, but also application, and say "the browser can go out to port 80, any other app can't". And so on. This isn't easy to do on Linux or Unix. It wouldn't be that useful either, even if iptables could do it, because on Windows it's much more common that every application does its input/output directly, while on *nix you can often just communicate through the daemon or service that usually handles that kind of traffic (e.g. for sending email you almost never try to send data directly on port 25, instead you use the sendmail (or equivalent) program).

Out of the box there's almost nothing listening to any TCP/IP or UDP port on the NIT, so someone breaking their way into your NIT isn't much of an issue. However, if you install something that happens to be a trojan there's very little you can do to avoid it doing whatever harm it wants. This is such a serious situation that the only thing that helps is "don't do that". On any platform.
Very useful. Thanks.

Last edited by meanwhile; 2008-04-14 at 19:05.