Thread: Firewall setting for a specific program, not based on IP/Port

  1. #1

    Firewall setting for a specific program, not based on IP/Port

    Hello everyone,

    May I ask how I can set up the firewall in openSUSE 15.x to limit/ban the internet connection (outgoing bandwidth) for a specific program?

    Windows Firewall or ESET NOD32 Firewall can set firewall rules based on the program rather than on IP/port, which is pretty convenient for a desktop user.

    I know we can use firewall-cmd to limit the internet connection for a specific zone which is assigned to a specific network interface (e.g. wlan0 in my laptop), or use iptables to open or limit some specific ports or IPs. But these are convenient for a server environment.

    Thank you guys!

  2. #2

    Re: Firewall setting for a specific program, not based on IP/Port

    After having tried a lot of solutions from the internet, I do it this way: block all outgoing internet traffic, but allow it only for processes with a specific gid, for example 'haveinternet' in the example below.

    Code:
    sudo groupadd haveinternet
    sudo usermod -a -G haveinternet username
    Code:
    sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m owner --gid-owner haveinternet -j ACCEPT
    sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp --dport 53 -j ACCEPT
    sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT
    sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 2 -j DROP
    sudo firewall-cmd --reload
    And then test it:
    Code:
    sg haveinternet -c 'id'
    sg haveinternet -c 'firefox'
    sg haveinternet -c 'ping google.com'
    Everyone's comments are welcome.
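An added example (my code, not from the thread or from firewalld) that builds the same group-based egress allow-list as a script and audits a rule dump for the two things that silently weaken it. The thread's commands use `ipv4` only, so the ip6tables OUTPUT chain stays open and any IPv6-capable destination bypasses the block; the example emits both families. It also adds an ACCEPT for `-o lo` (my addition, not in the post) because the catch-all DROP in OUTPUT otherwise also drops loopback sockets of non-group processes. The audit assumes the `firewall-cmd --direct --get-all-rules` output format `<family> <table> <chain> <priority> <args...>`; the rule dumps embedded below are constructed for offline testing, not captured from a host. The group name `haveinternet` comes from the post.

```bash
#!/bin/bash
# Added example, not code from the thread. Builds the per-group egress
# allow-list as firewalld direct rules for ipv4 AND ipv6, and audits a rule
# dump for a DROP that does not sort after the ACCEPTs and for a missing
# ipv6 copy. The loopback ACCEPT is an addition of this example.
GROUP="${GROUP:-haveinternet}"   # group name taken from the thread

# Print the firewall-cmd calls for one address family ("ipv4" or "ipv6").
# Direct rules in a chain are ordered by priority, so the catch-all DROP
# must carry the highest number.
egress_rules_for() {
    fam="$1"
    printf 'firewall-cmd --permanent --direct --add-rule %s filter OUTPUT 0 -m owner --gid-owner %s -j ACCEPT\n' "$fam" "$GROUP"
    printf 'firewall-cmd --permanent --direct --add-rule %s filter OUTPUT 1 -o lo -j ACCEPT\n' "$fam"
    printf 'firewall-cmd --permanent --direct --add-rule %s filter OUTPUT 1 -p tcp --dport 53 -j ACCEPT\n' "$fam"
    printf 'firewall-cmd --permanent --direct --add-rule %s filter OUTPUT 1 -p udp --dport 53 -j ACCEPT\n' "$fam"
    printf 'firewall-cmd --permanent --direct --add-rule %s filter OUTPUT 2 -j DROP\n' "$fam"
}

# Audit 'firewall-cmd --direct --get-all-rules' output read on stdin (assumed
# format: <family> <table> <chain> <priority> <args...>). Returns 0 when every
# family with OUTPUT rules has a DROP sorted strictly after all its ACCEPTs
# and ipv6 is covered; otherwise prints each problem and returns 1.
audit_egress_rules() {
    awk '
    $3 == "OUTPUT" {
        fam = $1; prio = $4 + 0; target = $NF
        if (target == "ACCEPT" && (!(fam in maxacc) || prio > maxacc[fam])) maxacc[fam] = prio
        if (target == "DROP"   && (!(fam in drop)   || prio < drop[fam]))   drop[fam]   = prio
    }
    END {
        bad = 0
        for (f in maxacc) {
            if (!(f in drop))              { print "no catch-all DROP in OUTPUT for " f; bad = 1 }
            else if (drop[f] <= maxacc[f]) { print "DROP does not sort after every ACCEPT for " f; bad = 1 }
        }
        if (!("ipv6" in drop)) { print "ipv6 OUTPUT has no DROP: IPv6 traffic bypasses the block"; bad = 1 }
        exit bad
    }'
}

# Constructed rule dumps for offline testing (not captured from a real host).
# THREAD_RULES mirrors the ipv4-only set from the post; FULL_RULES is what
# egress_rules_for produces for both families, in --get-all-rules form.
THREAD_RULES='ipv4 filter OUTPUT 0 -m owner --gid-owner haveinternet -j ACCEPT
ipv4 filter OUTPUT 1 -p tcp --dport 53 -j ACCEPT
ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT
ipv4 filter OUTPUT 2 -j DROP'
FULL_RULES="$( { egress_rules_for ipv4; egress_rules_for ipv6; } \
    | sed 's/^firewall-cmd --permanent --direct --add-rule //')"

# Stand-alone run: show the commands, then audit both samples.
egress_rules_for ipv4
egress_rules_for ipv6
if printf '%s\n' "$THREAD_RULES" | audit_egress_rules; then echo "THREAD_RULES: ok"; else echo "THREAD_RULES: NOT ok"; fi
if printf '%s\n' "$FULL_RULES" | audit_egress_rules; then echo "FULL_RULES: ok"; else echo "FULL_RULES: NOT ok"; fi
```

On a real host the commands can be applied with `egress_rules_for ipv4 | sudo sh` (and the same for `ipv6`) followed by `sudo firewall-cmd --reload`, and the live state checked with `sudo firewall-cmd --direct --get-all-rules | audit_egress_rules`. Keep in mind that the port-53 exceptions let every process, group member or not, talk to any DNS server; if that matters, restrict them to `-d <your resolver>` or run a local resolver and rely on the loopback rule instead.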
