Good question:
For me, MacPorts is the one.
Why? I'll bypass a lot of stuff and cut right to the chase:
The party is over with regard to malware, trojans and the like. Paging through the last security update, there were some vulns that were from the summer although the cure only came last week. Redownload the developer tools, recompile your MacPorts install, and you have a functioning toolchain that is not dependent on Cupertino, since the Dev Tools from your install disk will serve. Who uses an old version of OpenSSH? Now it does take some care and feeding, like running port selfupdate every day, and the big tip is to check
port variants
so if you have a python dependency, you can run
port install python +no_tkinter
and avoid the agonizingly long Tk install, which would be most unwelcome on a Quartz architecture anyway.
With this, you can freely run software update and not have your stuff break, since it does not depend on anything but the compiler from Apple. I've used it for a long time, and although I tried some others, namely Homebrew, I think that depending on Apple's versions means inheriting their security flaws. Remember that PDF hole on the iPhone? I deploy on Linux anyway, so for me, the MacPorts tree is the 'office' and my budding MacOS dev career is 'home'.
Just an opinion, but the separate tree for all the code is a big plus for me.
Please see the 2020 and 2021 edits below.
The original answer, unchanged:
What you are referring to as "the built-in" firewall is actually the built-in Application Firewall.
There are two other built-in firewalls in OS X Lion, pf and ipfw (the latter is being replaced by pf, but still exists in Mountain Lion). These can handle both incoming and outgoing connections and are typically controlled through command line scripts and settings. However, there are third party GUIs for these firewalls, e.g. IceFloor (for pf); WaterRoof and NoobProof (for ipfw). All these GUIs are free.
There is also third party software that can work as a firewall, but doesn't use the built-in OS X firewalls. Examples are Little Snitch and Hands Off (both paid). These can handle both incoming and outgoing connections.
You should be aware that there is some learning curve for these pieces of software, as their settings are not as simplified as the built-in Application Firewall. Little Snitch or Hands Off could be easier to use compared to pf or ipfw or their GUIs.
2020, first edit: ipfw is not being used in the current versions of MacOS. A new (since the original answer from 2013) frontend of pf is Murus firewall (has a free version with basic functionality, but the more advanced versions are paid). A new application firewall is Vallum (paid). Some kind of light hybrid combination of Murus and Vallum is Scudo. Hands Off! is available at a new site. A free application firewall for outgoing connections is LuLu. And of course, Little Snitch is still available.
2020, second edit: As of macOS Big Sur, Apple apps can bypass the third party firewalls. There are some workarounds available, but these include disabling SIP (not recommended) or enabling kernel extensions that may be disabled during macOS updates.
2021: It seems that the firewall bypass in Big Sur will be removed in version 11.2 and third-party firewalls will be able to monitor and filter all of Apple's software.
Best Answer
The common answer is to set up a local proxy like squidman or cntlm, so your login/pass credentials are only stored in one place - and all of your CLI tools point at a local proxy:port.
You can also go to your network people (who think all your broken developer tools are a personal problem, not theirs) and point out that you're forced to hardcode your login and password (GASP!) not only all over your machine, your virtual machines, and even AWS instances...
And then it VERY MUCH becomes their problem. Auth proxies are so nineties!
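One way to check whether the CLI tools on a machine actually point at the local proxy, or still carry a login and password in their proxy URLs, is to audit their config files. This is an added example, not part of the original answer; the file names, sample contents, hostnames, the loopback port 3128 and the function names are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Proxy settings as they appear in shell rc files, .curlrc, .gitconfig, .npmrc
PROXY_SETTING = re.compile(
    r"(?i)\b(?:https?[_-]?proxy|all_proxy|proxy)\b\s*[=:\s]\s*[\"']?"
    r"(?P<url>[a-z][a-z0-9+.-]*://[^\s\"']+)"
)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_proxy_settings(name, text):
    """Return (file, line_no, issue, redacted_url) findings for one file.

    'embedded-credentials': the proxy URL carries user:password.
    'not-local-proxy': the tool talks to a remote proxy, not the loopback one.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out setting
        m = PROXY_SETTING.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        host = parts.hostname or ""
        port = f":{parts.port}" if parts.port else ""
        redacted = f"{parts.scheme}://{host}{port}"  # never echo the secret
        if parts.password is not None:
            findings.append((name, line_no, "embedded-credentials", redacted))
        if host not in LOOPBACK:
            findings.append((name, line_no, "not-local-proxy", redacted))
    return findings

def audit_all(files):
    """Audit a mapping of file name -> file contents."""
    return [f for name, text in files.items()
            for f in audit_proxy_settings(name, text)]

# Constructed sample contents (hypothetical user, password and hosts).
SAMPLE_FILES = {
    ".bash_profile": 'export http_proxy="http://jdoe:Summer2013@proxy.corp.example:8080"\n'
                     "export https_proxy=http://127.0.0.1:3128\n",
    ".gitconfig": "[http]\n\tproxy = http://127.0.0.1:3128\n",
    ".npmrc": "# proxy=http://old:old@proxy.corp.example:8080\n"
              "https-proxy=http://proxy.corp.example:8080\n",
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_FILES):
        print(*finding, sep="\t")
```
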