A couple of suggestions from me (not complete solutions)...
1) It is possible to construct an iptables rule to drop all traffic apart from a given group (gid) such that palemoon could still access the internet. For example, create the group "internet-group" and iptables similar to the following...
Code:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner internet-group -j ACCEPT
You would need to execute palemoon with the sg command (or make a desktop shortcut)...
Code:
sg internet-group palemoon
2) Not application-specific, but just block all traffic except for web-traffic. For example...
Code:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
3) Have a look at using OpenSnitch (application-level firewall) in addition to your kernel-based firewall...
https://linuxsecurity.expert/tools/opensnitch/
https://itsfoss.com/opensnitch-firewall-linux/
https://www.linuxuprising.com/2018/0...plication.html
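The two rulesets from suggestions 1 and 2 above, written out as an added example (not part of the original post) in iptables-restore format so the whole policy is reviewed and loaded atomically instead of rule by rule. It is my own script with my own assumptions: the group name is passed as an argument, loopback is kept open so local sockets and stub resolvers keep working, DNS (UDP/TCP 53) is opened explicitly in the web-only variant, and the current conntrack match is used in place of the older state match. The function names and the "--test" dry run are mine; nothing here is from the original poster.

```shell
#!/bin/sh
# Added example: generate and apply the two iptables policies discussed above.
# Assumptions (mine, not the post's): group name supplied as $1, loopback must
# stay open, DNS is opened explicitly in the web-only policy.

# Policy 1: only processes carrying the supplementary group $1 may open
# outbound connections. Start the browser with "sg <group> palemoon" so it
# inherits that gid. Replies come back via the INPUT ESTABLISHED,RELATED rule.
gen_group_rules() {
    grp="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback stays open: local services (stub resolvers, X11 sockets) need it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the per-group rule: everything the group sends may leave the host
-A OUTPUT -m owner --gid-owner $grp -j ACCEPT
COMMIT
EOF
}
# Caveat (my observation, not from the post): if name resolution goes through a
# local resolver daemon running as its own user (for example systemd-resolved),
# that daemon's upstream queries do not carry $grp and are dropped by this
# policy; either let the browser query DNS directly or add a narrow UDP/TCP 53
# rule for the resolver's uid, accepting that it widens the policy.

# Policy 2: not application-specific, allow only new HTTP/HTTPS connections
# outbound. DNS is allowed explicitly; with a DROP default on OUTPUT, name
# resolution would otherwise fail silently.
gen_web_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Does the given ruleset text open new outbound connections to TCP/UDP port $2?
# Returns 0 (yes) or 1 (no); used to sanity-check a policy before loading it.
ruleset_allows_port() {
    printf '%s\n' "$1" | grep -q -- "--dport $2 .*-j ACCEPT"
}

# Parse-check the ruleset first (iptables-restore --test), then load it
# atomically. Must run as root; "group" or "web" selects the policy.
apply_policy() {
    case "$1" in
        group) rules=$(gen_group_rules "$2") ;;
        web)   rules=$(gen_web_rules) ;;
        *)     echo "usage: apply_policy group <gid-name> | apply_policy web" >&2; return 2 ;;
    esac
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}
```

Save the file, source it as root and run `apply_policy group internet-group` (after `groupadd internet-group`) or `apply_policy web`; `gen_group_rules internet-group` alone prints the policy for review without touching the kernel. Because the generators only emit text, the checks below run without root or iptables installed.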