
You are currently reading a thread in /g/ - Technology

Thread replies: 12
Thread images: 1
File: 4263742625.jpg (32 KB, 480x276)
Wuz gud /g/s, any networkfags lurking?

TL;DR:
>block all incoming and outgoing traffic
>except for a handful of programs plus the package installer / updater
>???
>profit

Is this possible with iptables without white/shitlisting specific IPs/ports, like can you just say allow programs XYZ to do whatever and drop everything from any IP destined for any port that isn't coming or going to or from programs XYZ?

If not what's the closest thing / way to make this happen?

>pic unrelated
>>
>>54605598
start with a "block all" rule and go from there

if you really want your progs to accept any port you should set up a DMZ to redirect incoming connections to transient ports 49512-65536 on the LAN

it's really retarded to configure a firewall with "app X can do anything" and may not be possible in iptables
>>
>>54605676
Shieeet, bit too advanced for me my nigga, or maybe not, like what would i have to specifically whitelist in order for a browser, torrent client, and the package manager to just werk while errything else gets fukken dropped.

And i might have misspoke in the OP, by >do anything i meant just work normally, not have access to any port or stuff like that.
>>
>>54605739
whitelist all outgoing traffic and ur apps will work

the config will look like:

block in all
allow out all

a DMZ is simply a machine connected to the internet running a firewall. it's useful if you want 1 computer to be your point man on the net, and have him pass messages to little guys in yr apartment (if you want to ssh into yr laptop for example).

the DMZ says "here i am, this is for you." the shell server says "tanks, here's my response" and the DMZ passes it along as his own

someone else wants to exploit yr FTP server but the DMZ does not accept port 21 even if you have an FTP server running in the house. he says "sorry guy, i don't take FTP" and the guy doesn't know you even have an FTP server running on port faggot
>>
>>54606058
DMZ is not a machine; DMZ is a zone (demilitarized zone), which is what it actually means.
DMZ is usually used for organizing & security.
Usually a DMZ can only see other things in the DMZ and not outside (this can be on different subnets or VLANs but is also possible on the same subnet).
>>
Sounds like you want a SOCKS proxy.

You can start programs with a wrapper to give them net access.
>>
>>54606202
the DMZ between the koreas is really a line on a map but they enforce it with killing machines

anyway it is a thing you connect to en route to the LAN. my description assumes that OP is some guy whose "subnet" is a consumer router

wikipedia clears up the confusion. i mean this sense for this context

>Some home routers refer to a DMZ host. A home router DMZ host is a single address (e.g., IP address) on the internal network that has all traffic sent to it which is not otherwise forwarded to other LAN hosts. By definition this is not a true DMZ (demilitarized zone), since it alone does not separate the host from the internal network. That is, the DMZ host is able to connect to hosts on the internal network, whereas hosts within a real DMZ are prevented from connecting with the internal network by a firewall that separates them, unless the firewall permits the connection.
>>
>>54605598
There isn't a way to filter off the process opening a socket with iptables that I know of. You can filter off the process's UID/GID, but that's about it, and that wouldn't really help since system package managers generally run as root.

This is something more in the domain of SELinux/AppArmor.

To accomplish purely the package management and no other access, you could put a package repo mirror/proxy/cache and restrict your node's access to anything but that mirror/proxy/cache.
>>
>>54605598
>

use the owner match module to match the programs you want to allow (create a group and then chgrp the programs, or create copies in a restricted or chroot area), except for the updater, which would require identifying the destination hosts (repo server IP addresses).
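Both the earlier "block in all / allow out all" suggestion and the owner-match approach in this post can be expressed as one iptables rule set. The script below is an added example, not something posted in the thread: it drops everything by default, lets replies to already-established flows through, allows new outbound connections only from processes whose effective group is a dedicated group, and lets root (the package updater) reach a fixed mirror address and a resolver. The group name "netallow", the mirror address 203.0.113.10 and the resolver 127.0.0.53 are assumed placeholders, and `build_rules` prints the commands rather than applying them so the policy can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny iptables policy with a
# per-group egress allow-list via the owner match, plus a narrow exception
# for the root-run package updater.
# Assumptions: group "netallow", mirror at 203.0.113.10 (placeholder from
# TEST-NET-3), and a local stub resolver at 127.0.0.53 for root's DNS lookups.

NET_GROUP="${NET_GROUP:-netallow}"       # group whose processes may open outbound sockets
REPO_HOSTS="${REPO_HOSTS:-203.0.113.10}" # placeholder mirror address(es), space separated
RESOLVER="${RESOLVER:-127.0.0.53}"       # resolver root may query (assumed local stub)

# Print the rule set as iptables commands instead of applying it, so the
# policy can be reviewed (or diffed against the live table) before use.
build_rules() {
  cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m owner --gid-owner $NET_GROUP -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner 0 -d $RESOLVER -p udp --dport 53 -j ACCEPT
EOF
  # Root (the updater) may only talk HTTP/HTTPS to the configured mirror(s).
  for host in $REPO_HOSTS; do
    echo "iptables -A OUTPUT -m owner --uid-owner 0 -d $host -p tcp -m multiport --dports 80,443 -j ACCEPT"
  done
  # Log (rate limited) what gets dropped so a broken app shows up in the kernel log.
  echo "iptables -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix 'egress-drop: '"
}

# Number of rules that grant outbound ACCEPT: a sanity check that the
# allow-list stays as small as intended.
count_allow_rules() {
  build_rules | grep -c -- '-A OUTPUT .* -j ACCEPT'
}

# Run a program with the allowed group as its effective group. The owner match
# reads the credentials of the process that opened the socket, so chgrp on the
# binary alone does nothing unless the file is also setgid; a wrapper is safer.
run_allowed() {
  sg "$NET_GROUP" -c "$*"
}

apply_rules() {
  if [ "$(id -u)" -eq 0 ]; then
    build_rules | sh -e
  else
    echo "not root: printing rules only" >&2
    build_rules
  fi
}

if [ "${1:-}" = "--apply" ]; then
  apply_rules
fi
```

Usage: `sh egress.sh` prints the policy, `sudo sh egress.sh --apply` installs it, and `run_allowed firefox` launches a program under the allowed group. Two caveats the thread touches on: the owner match is only available in the OUTPUT and POSTROUTING chains, so "block in all" is just the INPUT DROP policy plus the ESTABLISHED,RELATED rule for replies; and an updater that resolves its mirror by name still needs the DNS rule (or a mirror configured by IP), which is why the post says the updater must be handled by destination host rather than by process.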
>>
just now I discovered that I can't run tcpdump on my fresh FreeBSD install, so I'll have to figure out if it's a driver thing (most probably), if it's a fixable issue (probably, hope so) and how to change that behaviour.
A bit annoying but I'll only learn from this, huh?
>>
>>54610839

...are you running it as root?
>>
>>54606344
what confusion?

A DMZ is a zone that has an open connection to the internet and is separated from other computers so that they don't get compromised when the DMZ does.