Philip,
Thanks for pointing out that there are links above. I missed that.
The MS!=LNX blog was hilarious and very good in explaining that MS concepts need to be dropped and some ways of thinking need to be yanked.
I also read through the chapter 9 - linux firewall. Apart from the mechanics of the configuration, the packet processing rules were quite familiar to me.

brebs
This is exactly what happens, every time I updated chrome I was required to reconfigure the FW rules because it was recognized as a new application.

guys,
I still have a question un-answered.
If I allow IP traffic, -d 0/0 80 (any ip destination on port 80) can I configure the firewall in such a way that only say Firefox and Chrome are allowed to use this rule and all other applications are denied?

For me, that would be a big annoyance

What you can do is run apps forcing a particular group or user, and then the iptables rule can use that group/user as a filter, with --uid-owner and --gid-owner.

brebs,
Our needs and uses are different.

Thanks for the idea of using the user/group filter. Didn't know it existed.
I was thinking of defining an internet user for each user and then write a script that will run the browsers as the internet user.
This way even if the user goes to a malicious site, the damage is limited to the browser space, as it won;'t have access to the user space.
Still need to find a script that changes uid transparently. I'll solve this when I get to it.

Gaby - Turning the problem "upside-down", I obtained a possible solution by combining iptables rules, a proxy software like Squid and individual configuration of the browser I wanted to allow to the Internet. I did this by using a dedicated box for the firewall and proxy, while connecting from a separate machine on the internal net. I used iptables on the filtering box to drop everything coming to the internal interface, except hosts I wanted to allow on the port where the proxy was listening. Of course NAT rules allowing direct Internet access from the LAN were disabled. Then I configured the browser I wanted to use, by telling it to go through the proxy. This way all other applications were blocked by default. One might also restrict write permissions on configuration files, so that users will not manipulate them, and set user/group ownerships as brebs suggested. This configuration was very straightforward, but Squid has lots of options and allows for complex authentication rules which I didn't investigate, but seem interesting. I didn't check if this can be set up on a stand-alone machine as well.

Why not just sand box your browsers and use iptables for the rest of your needs?