Yes, I was mistaken.
The "requested mask" is what the program wants.
Yes, that is a different way than blocking an application. What I have seen was blocking by the username the program runs as; I do not know exactly:
I'm not sure what you mean by restricting an application with iptables though. ... but there's no way to use iptables to say "FreeSWAN may accept connections on port 9021 but not Transmission"
# iptables-save format; load with: iptables-restore < rules.v4
# ULOG needs the ulogd userspace daemon and was removed from the kernel in 3.17;
# on current systems use -j NFLOG --nflog-prefix instead.
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:loga - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# new inbound HTTP is logged, then accepted, via the loga chain
-A INPUT -p tcp --dport 80 -j loga
-A loga -j ULOG
-A loga -j ACCEPT
# replies on existing connections pass for every user, so the web server can
# still answer its clients; the owner rules below only see NEW connections
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# -m owner only works on locally generated traffic (OUTPUT/POSTROUTING):
# log, then drop, any connection www-data tries to initiate
-A OUTPUT -m owner --uid-owner www-data -j ULOG --ulog-prefix www
-A OUTPUT -m owner --uid-owner www-data -j DROP
-A OUTPUT -m owner --uid-owner root -j ACCEPT
-A OUTPUT -m owner --uid-owner daniel -j ACCEPT
# anything from other users is only logged; the OUTPUT policy still ACCEPTs it
-A OUTPUT -j ULOG --ulog-prefix egress
COMMIT
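The per-user egress policy in the ruleset above is easy to misread: because the RELATED,ESTABLISHED rule comes first, www-data can still answer its clients, only connections it initiates are dropped, and users not listed fall through to the OUTPUT policy (ACCEPT) after being logged. The following is an added example, not code from the thread or from any poster: a small evaluator that parses iptables-save text and walks a packet through a chain the way netfilter does (in-order, log targets non-terminating, jumps into user chains, policy as fallback). It only understands the matches the ruleset uses (-i, -p/--dport, -m state, -m owner --uid-owner) and the ULOG/NFLOG/LOG, ACCEPT, DROP and RETURN targets; the Packet class and the test cases in demo() are constructed for illustration, and uids are compared as literal strings where real iptables resolves names to numeric uids at load time.

```python
import shlex
from dataclasses import dataclass
from typing import Optional

# The ruleset from the post, wrapped into a loadable *filter table.
RULESET = """\
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:loga - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 80 -j loga
-A loga -j ULOG
-A loga -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner www-data -j ULOG --ulog-prefix www
-A OUTPUT -m owner --uid-owner www-data -j DROP
-A OUTPUT -m owner --uid-owner root -j ACCEPT
-A OUTPUT -m owner --uid-owner daniel -j ACCEPT
-A OUTPUT -j ULOG --ulog-prefix egress
COMMIT
"""

@dataclass
class Packet:                      # constructed, simplified: only what the matches look at
    chain: str                     # built-in chain the packet enters: INPUT or OUTPUT
    state: str = "NEW"             # conntrack state: NEW, ESTABLISHED or RELATED
    uid: Optional[str] = None      # owner of the sending socket (OUTPUT only)
    proto: str = "tcp"
    dport: Optional[int] = None
    iif: Optional[str] = None      # inbound interface (INPUT only)

OPTIONS = {"-i", "-p", "--dport", "--state", "--uid-owner"}   # match options we understand
PREFIXES = {"--ulog-prefix", "--nflog-prefix", "--log-prefix"}
LOG_TARGETS = {"ULOG", "NFLOG", "LOG"}                        # non-terminating targets
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_ruleset(text):
    """Return ({chain: policy or None}, {chain: [(matches, target, prefix), ...]})."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                       # ":NAME POLICY [pkts:bytes]"
            name, policy, _ = line[1:].split()
            policies[name], chains[name] = (None if policy == "-" else policy), []
            continue
        toks = shlex.split(line)
        matches, target, prefix = {}, None, ""
        for tok, val in zip(toks[2::2], toks[3::2]):   # "-A CHAIN" then option/value pairs
            if tok in OPTIONS:
                matches[tok] = val
            elif tok == "-j":
                target = val
            elif tok in PREFIXES:
                prefix = val
            elif tok != "-m":                          # "-m state"/"-m owner" only names the extension
                raise ValueError(f"unsupported option {tok!r} in: {line}")
        chains[toks[1]].append((matches, target, prefix))
    return policies, chains

def rule_matches(m, pkt):
    """Every option present in the rule must agree with the packet (uid compared as a string)."""
    return ((m.get("-i") is None or pkt.iif == m["-i"])
            and (m.get("-p") is None or pkt.proto == m["-p"])
            and (m.get("--dport") is None or pkt.dport == int(m["--dport"]))
            and (m.get("--state") is None or pkt.state in m["--state"].split(","))
            and (m.get("--uid-owner") is None or pkt.uid == m["--uid-owner"]))

def walk(chain, pkt, chains, log):
    """Traverse one chain in order; return a terminal verdict, or None if we fell off the end."""
    for m, target, prefix in chains[chain]:
        if not rule_matches(m, pkt):
            continue
        if target in LOG_TARGETS:                      # log and keep evaluating
            log.append(prefix or target)
        elif target in TERMINAL:
            return target
        elif target == "RETURN":
            return None
        else:                                          # jump into a user-defined chain
            v = walk(target, pkt, chains, log)
            if v is not None:
                return v
    return None

def verdict(pkt, text=RULESET):
    """Final verdict plus the log prefixes hit; the chain policy applies if no rule decided."""
    policies, chains = parse_ruleset(text)
    log = []
    v = walk(pkt.chain, pkt, chains, log)
    return (v if v is not None else policies[pkt.chain]), log

def demo():
    """Constructed packets probing the corners of the policy."""
    cases = {
        "www-data opens a new outbound connection": Packet("OUTPUT", "NEW", uid="www-data", dport=443),
        "www-data replies to an established client": Packet("OUTPUT", "ESTABLISHED", uid="www-data", dport=51234),
        "unlisted uid 'nobody' opens a new connection": Packet("OUTPUT", "NEW", uid="nobody", dport=25),
        "inbound new HTTP on eth0": Packet("INPUT", "NEW", dport=80, iif="eth0"),
        "inbound new SSH on eth0": Packet("INPUT", "NEW", dport=22, iif="eth0"),
    }
    return {name: verdict(p) for name, p in cases.items()}

if __name__ == "__main__":
    for name, (v, log) in demo().items():
        print(f"{v:6} logged={log!r:12} {name}")
```

Running it shows the www-data NEW connection logged with prefix "www" and dropped, the established reply accepted before the owner rules are reached, and the unlisted uid accepted by policy after an "egress" log entry; if that last outcome is not what you want, the fix is an explicit `-A OUTPUT -j DROP` at the end or `:OUTPUT DROP` as the policy.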