Firewall setting for a specific program, not based on IP/Port

[peng_u]

Hello everyone,

May I ask how can I setup the firewall in OpenSUSE 15.x to limit/ban the internet connection (outgoing bandwidth) for a specific program?

Like Windows Firewall or ESET Nod32 Firewall, they can set firewall rules based on program not based on IP/port, which is pretty convenient for desktop user.

I know we can use firewall-cmd to limit the internet connection for a specif zone which is assigned to a specific internet surface (z.B wlan0 in my laptop). Or use iptables to open or limit some specific ports or IPs. But these are convenient for server environment.

Thank you guys!

[peng_u]

After having tried a lot of solutions from the internet.

I do it in this way: Block all internet outgoing bandwidth, but only allow it for process with specific gid, for example 'haveinternet' in below example.

Code:

sudo groupadd haveinternet
usermod -a -G haveinternet username

Code:

sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m owner --gid-owner haveinternet -j ACCEPT
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp --dport 53 -j ACCEPT
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 2 -j DROP
sudo firewall-cmd --reload

And then have a test:

Code:

sg haveinternet -c 'id'
sg haveinternet -c 'firefox'
sg haveinternet -c 'ping google.com'

Welcome everyone's comments.