Firewall setting for a specific program, not based on IP/Port

Hello everyone,

May I ask how I can set up the firewall in openSUSE 15.x to limit/ban the internet connection (outgoing bandwidth) for a specific program?

Windows Firewall or ESET NOD32 Firewall, for example, can set firewall rules based on the program rather than on IP/port, which is pretty convenient for a desktop user.

I know we can use firewall-cmd to limit the internet connection for a specific zone which is assigned to a specific network interface (e.g. wlan0 on my laptop), or use iptables to open or limit some specific ports or IPs. But these are convenient for a server environment.

Thank you guys!

After having tried a lot of solutions from the internet, I do it this way: block all outgoing internet traffic, but allow it only for processes with a specific gid, for example ‘haveinternet’ in the example below.

# create the group and add the user who may start internet-enabled programs
sudo groupadd haveinternet
sudo usermod -a -G haveinternet username
# priority 0: accept outgoing packets from processes running with that gid
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m owner --gid-owner haveinternet -j ACCEPT
# priority 1: keep DNS working for every process
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp --dport 53 -j ACCEPT
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT
# priority 2: drop everything else that leaves this host
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 2 -j DROP
sudo firewall-cmd --reload

And then have a test:

# sg runs the command with haveinternet as its effective group
sg haveinternet -c 'id'
sg haveinternet -c 'firefox'
sg haveinternet -c 'ping google.com'

Everyone's comments are welcome. :slight_smile:
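As an added example (my own helper script, not part of the post above): a small POSIX sh script that generates the rule set from the post for any group name, applies it through firewalld's direct interface, and audits the output of `firewall-cmd --permanent --direct --get-all-rules` so you can confirm the DROP rule is actually in place after a reload. It assumes firewalld with `--direct` and the iptables `owner` match, exactly as the post does, and assumes `--get-all-rules` prints one rule per line in the same `<ipv> <table> <chain> <priority> <args>` form the rules were added in; the function names are mine. Note that the port-53 rules deliberately let every process reach DNS, so name resolution keeps working but DNS remains the one path open to processes outside the group.

```shell
#!/bin/sh
# Added example, not from the forum post. Helpers for the "only processes in
# one group may go out" scheme: generate the rule set for a given group, apply
# it through firewalld's direct interface, and audit the configured rule list.
# Assumes firewalld with --direct and the iptables 'owner' match, as in the
# post; function names are assumptions of this example.

# Rules in the order they must be applied. Priority 0 accepts packets from
# processes whose effective gid is $grp, priority 1 lets every process reach
# DNS (name resolution keeps working, but port 53 stays open to everything),
# priority 2 drops the rest of the locally generated IPv4 traffic.
rules_for_group() {
    grp="$1"
    printf '%s\n' \
        "ipv4 filter OUTPUT 0 -m owner --gid-owner $grp -j ACCEPT" \
        "ipv4 filter OUTPUT 1 -p tcp --dport 53 -j ACCEPT" \
        "ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT" \
        "ipv4 filter OUTPUT 2 -j DROP"
}

# Apply the rule set permanently and reload. Needs root and firewalld.
apply_rules() {
    rules_for_group "$1" | while IFS= read -r rule; do
        # word splitting of $rule into separate arguments is intended here
        firewall-cmd --permanent --direct --add-rule $rule
    done
    firewall-cmd --reload
}

# Audit: $2 is the text printed by
#   firewall-cmd --permanent --direct --get-all-rules
# (assumed: one rule per line, "<ipv> <table> <chain> <priority> <args>").
# Prints each expected rule that is absent and returns non-zero if any is.
check_rules() {
    grp="$1"
    current="$2"
    missing=0
    while IFS= read -r rule; do
        if ! printf '%s\n' "$current" | grep -Fqx -- "$rule"; then
            echo "missing: $rule" >&2
            missing=$((missing + 1))
        fi
    done <<EOF
$(rules_for_group "$grp")
EOF
    [ "$missing" -eq 0 ]
}

# Run a command with the group as its effective gid, as the post does with sg.
run_with_internet() {
    grp="$1"; shift
    sg "$grp" -c "$*"
}

# Stand-alone use: print the rules, or apply/audit against the live firewall.
#   sh allowgroup.sh show  [group]
#   sh allowgroup.sh apply [group]     (as root)
#   sh allowgroup.sh audit [group]     (as root)
case "${1:-}" in
    show)  rules_for_group "${2:-haveinternet}" ;;
    apply) apply_rules "${2:-haveinternet}" ;;
    audit) check_rules "${2:-haveinternet}" \
               "$(firewall-cmd --permanent --direct --get-all-rules)" ;;
esac
```

The audit step is the part worth keeping around: a direct rule that failed to add, or a `--reload` that was never run, leaves the ACCEPT rules in place without the final DROP, which silently turns the whole scheme into "allow everything". Running `audit` after each change catches exactly that.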