To compensate for network latency during playing chess games over internet, internet chess servers like Fics and Icc use proprietary protocols called timeseal and timestamp. They distribute statically linked stripped binaries which acts like a bridge between chess clients and the chess server.

To make sure these tools don’t do anything nasty, I use sydbox to sandbox them. Sydboxmaster extends network whitelisting support for network mode deny. So I use it like:

    alip@harikalardiyari> cat ~/bin/timeseal
    #!/bin/sh

    SYDBOX_NO_CONFIG=1 \
    SYDBOX_NET_WHITELIST=inet://69.36.243.188:23 \
    sydbox -N -M deny -- \
    "$HOME"/bin/ics/timeseal.Linux-i386 69.36.243.188 23
    alip@harikalardiyari>

SYDBOX_NO_CONFIG makes sydbox not read its configuration file and SYDBOX_NET_WHITELIST adds the address, in this case freechess.org, to the network whitelist.

edit: Highlight code.