"SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table." (ib., 2019-07-16)
Cf. https://wiki.archlinux.org/index.php/Firejail
"firewall builder for Linux ... easy to use, audit, and understand. It allows you to create very readable configurations even for complex stateful firewalls. ... Sanewall is a fork of FireHOL."
"Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling."
Up-to-date list of ad server hostnames and IP addresses in various formats
Configuration changes unfortunately require re-compilation; otherwise neat.