I never knew about that, thanks. I always believed one had to either resort to address/packet filtering at machine level or limit access to networking to a certain uid/gid, then running the software under those credentials. But that would defeat the purpose of allowing access while being warned about that, so that for example one could check if an application is really phoning home for innocuous updates or connecting to some shady addresses for unknown purposes.