by smashed 1004 days ago
> Do things e.g. pfSense support that already? "Hold" an outgoing connection from the moment the SYN is observed, notify whatever client, and only allow if the user clicks?

Not that I am aware of.

This is a desktop centric workflow where the user can react live to an application that is sending traffic.

Your typical network firewall will apply a set of static rules and the decision to log/reject/drop is done ASAP. Waiting for user input is impossible.

Some systems can show logs of recent blocked traffic, and allow an admin to quickly generate an exception/allow rule for blocked traffic, but that's pretty much it.


With some work you could integrate the two; create an external box paired with an app on your source machine. When the source machine can see more info about the connection it can cooperate to pass it along to the middlebox, and if the middlebox sees something the source system has no idea about, well, that's useful info to annotate the network connection with.
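The host-agent/middlebox pairing described in the comment above, as an added Python example (not code from either poster): the middlebox's flow records, the host agent's socket-to-process map and the rendered rule syntax are all constructed for illustration, and the annotation format is hypothetical.

```python
"""Join middlebox flow observations with host-agent process annotations.

The middlebox only sees 4-tuples; the host agent knows which process owns
each local socket. Joining the two annotates flows with a process name and
surfaces flows the host has no record of (worth an analyst's attention).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed sample: outbound SYNs the middlebox observed from one host.
MIDDLEBOX_FLOWS: List[Flow] = [
    Flow("192.0.2.10", 51000, "198.51.100.5", 443),
    Flow("192.0.2.10", 51001, "203.0.113.7", 8443),
    Flow("192.0.2.10", 51002, "198.51.100.9", 22),
]

# Constructed sample in a hypothetical agent format:
# (src_ip, src_port) -> process name that owns the local socket.
HOST_ANNOTATIONS: Dict[Tuple[str, int], str] = {
    ("192.0.2.10", 51000): "firefox",
    ("192.0.2.10", 51001): "updater.exe",
}


def annotate(flows: List[Flow], annotations: Dict[Tuple[str, int], str]) -> List[Tuple[Flow, Optional[str]]]:
    """Pair each flow with the owning process, or None if the host reported nothing."""
    return [(f, annotations.get((f.src_ip, f.src_port))) for f in flows]


def unexplained(flows: List[Flow], annotations: Dict[Tuple[str, int], str]) -> List[Flow]:
    """Flows the middlebox saw but the source host has no socket record for."""
    return [f for f, proc in annotate(flows, annotations) if proc is None]


def allow_rule(flow: Flow, process: str) -> str:
    """Render a candidate allow rule; the syntax is illustrative, not pfSense's."""
    return f"pass out proto tcp from {flow.src_ip} to {flow.dst_ip} port {flow.dst_port}  # {process}"


if __name__ == "__main__":
    for flow, proc in annotate(MIDDLEBOX_FLOWS, HOST_ANNOTATIONS):
        print(allow_rule(flow, proc) if proc else f"UNEXPLAINED: {flow}")
```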