If you are the system administrator, you can use iptables (as root) to block certain commands from accessing certain ports, or (at your discretion) all ports (which is equivalent to the command being totally unable to access the network).
A good reference is here, but the important point is:
If your kernel was compiled with CONFIG_IP_NF_MATCH_OWNER then you can configure your iptables firewall to allow or reject packets on a per-command basis.
The following example shows how to drop all outgoing packets from the acroread command:
iptables -A OUTPUT -m owner --cmd-owner acroread -j DROP
The owner module allows several different options to be used to match, allowing either matching against a process ID, a user ID, or a command name.
--uid-owner userid
Matches if the packet was created by a process with the given effective user id
--gid-owner userid
Matches if the packet was created by a process with the given effective group id
--pid-id processid
Matches if the packet was created by a process with the given process id
--cmd-owner name
Matches if the packet was created by a process with the given command name.
The "owner" module only allows matches on the OUTPUT chain, which lowers its usefulness a little - but if you're in a standard NAT situation it should be sufficient.
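An added example, not part of the answer or the quoted article: a rule generator for the --uid-owner and --gid-owner matches listed above, emitting the same DROP rule for both iptables and ip6tables so the restricted process cannot fall back to IPv6. It uses a user or group instead of --cmd-owner because kernels from 2.6.14 onward dropped the command, PID and session matches. The group name "no-net" and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: build per-owner egress DROP rules (dry run by default).
# Assumption: the restricted command is started under a dedicated group,
# here the constructed name "no-net", e.g. `sg no-net -c acroread`.

# owner_drop_rules KIND VALUE [PORTS]
#   KIND  : uid | gid  (selects --uid-owner or --gid-owner)
#   VALUE : user/group name or numeric id
#   PORTS : optional comma-separated TCP destination ports; empty = all traffic
# Prints one rule per line for iptables and ip6tables.
# Returns 1 and prints no rules on invalid input.
owner_drop_rules() {
    kind=$1 value=$2 ports=${3:-}
    case $kind in
        uid|gid) ;;
        *) echo "kind must be uid or gid" >&2; return 1 ;;
    esac
    # Accept only a plain name or number, so the value cannot carry
    # extra options into the generated command line.
    case $value in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "invalid owner: $value" >&2; return 1 ;;
    esac
    case $ports in
        *[!0-9,]*|,*|*,|*,,*) echo "invalid port list: $ports" >&2; return 1 ;;
    esac
    for tool in iptables ip6tables; do
        if [ -n "$ports" ]; then
            echo "$tool -A OUTPUT -p tcp -m multiport --dports $ports -m owner --${kind}-owner $value -j DROP"
        else
            echo "$tool -A OUTPUT -m owner --${kind}-owner $value -j DROP"
        fi
    done
}

# apply_rules: execute each generated rule (needs root). Never called
# implicitly; invoke it by hand once the dry-run output looks right.
apply_rules() {
    owner_drop_rules "$@" | while read -r rule; do
        $rule || echo "failed: $rule" >&2
    done
}

# Dry run: show the rules for the constructed group "no-net".
owner_drop_rules gid no-net
```

Review the printed rules first, then run `apply_rules gid no-net` as root to install them.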