On Wed, Feb 3, 2021 at 9:43 AM J Leslie Turriff <jlturriff@mail.com> wrote:
On 2021-02-02 23:02:06 Andrei Borzenkov wrote:
|03.02.2021 05:20, J Leslie Turriff wrote:
|> I want to block network access for some programs. I found this suggestion
|>
|> https://serverfault.com/questions/550276/how-to-block-internet-access-to-cer...
|>
|> which seems to do what I want, but I can't see how to add the following rules using YaST Firewall:
|>
|> iptables -A OUTPUT -m owner --gid-owner no-internet -d 192.168.1.0/24 -j ACCEPT
|> iptables -A OUTPUT -m owner --gid-owner no-internet -d 127.0.0.0/8 -j ACCEPT
|> iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
|>
|> I haven't looked at firewall settings for a long time, and now I find that YaST Firewall doesn't seem to allow any but generic controls (and a very confusing list of zones).
|> What's the right way to do this?
|>
|> Leslie
|>
|
|You expect us to magically guess what distribution and version you are
|using?
|
Sorry; forgot to tell you all that I'm running OpenSuSE Leap 15.2.

If it was a new install of this version, it defaults to using firewalld. The YaST frontend only offers the most basic configuration; you will need to use native firewalld tools (firewall-cmd, firewall-config) or edit configuration files directly. As was already mentioned, you need direct rules, which allow adding arbitrary iptables command lines. Something like (untested)

    firewall-cmd --direct --add-rule ipv4 filter OUTPUT 10 -m owner --gid-owner no-internet -d 192.168.1.0/24 -j ACCEPT

Read the manual, and watch out for the --permanent flag and for rule priority.
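
Added example, not part of the original message: a small shell helper that turns the three iptables rules quoted in the thread into firewalld direct-rule commands, giving each rule an increasing priority so the two ACCEPT rules stay ahead of the DROP. It only prints the commands; the function names, starting the priorities at 0, and using --permanent followed by a reload are assumptions made for this example.

```shell
#!/bin/sh
# Added example: convert "iptables -A <CHAIN> <args>" lines into firewalld
# direct-rule commands. It only prints the commands; nothing is applied.

# to_direct_rules reads iptables append rules on stdin and prints one
# firewall-cmd line per rule. Direct rules with a lower priority number sit
# higher in the chain, and rules sharing a priority have no fixed order, so
# each rule gets its own increasing priority to keep ACCEPT before DROP.
to_direct_rules() {
    prio=0   # assumption: start at the top of the chain
    while read -r cmd flag chain args; do
        # Skip blank lines and comments.
        case "$cmd" in ''|'#'*) continue ;; esac
        # Only plain filter-table appends are handled here.
        if [ "$cmd" != "iptables" ] || [ "$flag" != "-A" ]; then
            echo "unsupported rule: $cmd $flag $chain $args" >&2
            return 1
        fi
        echo "firewall-cmd --permanent --direct --add-rule ipv4 filter $chain $prio $args"
        prio=$((prio + 1))
    done
    # Rules added with --permanent only become active after a reload.
    echo "firewall-cmd --reload"
}

# The three rules quoted in the thread (group name and LAN range as posted).
thread_rules() {
    cat <<'EOF'
iptables -A OUTPUT -m owner --gid-owner no-internet -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner no-internet -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
EOF
}

thread_rules | to_direct_rules
```

After applying the printed commands as root, `firewall-cmd --direct --get-all-rules` lists the active direct rules so the order can be checked.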