File Permissions
Permissions and ownership of files served by Apache (or any other application) dictate what that application can and cannot read, write and execute. This is enforced on access to resources.
Firewalls
Firewalls control ingress and egress data between interfaces (commonly network interfaces) with defined access control lists to limit communication to trusted parties. This is enforced on transport inbound and outbound.
Apache Access Control
Apache access control is a finer-grained control over the resources being served. It also allows finer-grained delegation of permissions to Apache itself, rather than relying on other system enforcement.
Examples
Example 1: I want to allow all users access to a WordPress site but I only want trusted IPs to access wp-admin.
In this case I would configure the below for the /wp-admin directory in the configuration (or in an .htaccess file in the directory).
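# Order/Deny/Allow is Apache 2.2 syntax (mod_access_compat on 2.4).
# <Directory> takes a filesystem path and is not valid in .htaccess;
# there, use the three access lines on their own.
<Directory /wp-admin>
    Order deny,allow
    Deny from all
    Allow from x.x.x.x
</Directory>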
Example 2: I want to allow only members of a group to POST data to my website
I would configure Apache with the following:
<Limit POST>
    AuthType Basic
    AuthName "Posty Mc Post Face"
    # Optional line:
    AuthBasicProvider file
    AuthUserFile "/usr/local/apache/passwd/passwords"
    AuthGroupFile "/usr/local/apache/passwd/groups"
    Require group canPostApacheGroup
</Limit>
Following Examples
Each of these examples has a firewall allowing traffic through to Apache and operating system permissions allowing Apache to access resources on the operating system, but now there is application-specific configuration to limit the actions a user can perform on the application.
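The two examples above in Apache 2.4's Require syntax, as an added example (not the author's configuration). The document root /var/www/html and the address 203.0.113.10 are assumptions standing in for the site's path and for x.x.x.x; the first block goes beyond the original by requiring the group for every method other than GET and HEAD, so methods not named are covered as well as POST.

```apache
# Example 2: anonymous reads, group membership for everything else.
# Needs mod_auth_basic, mod_authn_file and mod_authz_groupfile loaded.
# "/var/www/html" is an assumed document root.
<Directory "/var/www/html">
    AuthType Basic
    AuthName "Posty Mc Post Face"
    AuthBasicProvider file
    AuthUserFile "/usr/local/apache/passwd/passwords"
    AuthGroupFile "/usr/local/apache/passwd/groups"
    <RequireAny>
        # GET and HEAD are treated as equivalent; they pass without credentials.
        Require method GET
        # Any other method, POST included, needs a member of the group.
        Require group canPostApacheGroup
    </RequireAny>
</Directory>

# Example 1: only the trusted address reaches wp-admin.
# 203.0.113.10 is a documentation address standing in for x.x.x.x.
# With the default "AuthMerging Off", the Require in this section replaces
# the rules inherited from the parent <Directory> instead of adding to them.
<Directory "/var/www/html/wp-admin">
    Require ip 203.0.113.10
</Directory>
```

Run `apachectl configtest` after editing to check the syntax before reloading.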