Consumer firewall appliances frequently have a way to prevent connections to certain countries. However, desktop workstation OSes generally lack this. It’s easy to adapt NixOS to do this, so one can configure a machine to only connect to certain countries:

firewallByCountry = {
  enable = true;
  mode = "allowlist";
  countries = [
    "ar" # Argentina
    "uy" # Uruguay
    "br" # Brazil
    "cl" # Chile
    "es" # Spain
    "de" # Germany
    "ch" # Switzerland
  ];
};

I built this by using Claude and asking it to first create a NixOS VM test, and then make a module that makes the test pass. I published the module here: NixOS recipes. It can be used like this:

{
  inputs.recipes.url = "github:eordano/recipes";
  # ...
  outputs = _: {
    # ...
    # in nixosSystem:
    modules = [
      recipes.nixosModules.firewall-by-country
      {
        services.firewallByCountry = {
          enable = true;
          # ...
        };
      }
    ];
  };
}