Whitelisting apps access to internet?

my younger brother uses a tablet for his studies, i don't like him having access to full unrestricted internet.
atleast not without an adult around.

im quite new to openwrt and have very low understanding on working of firewall- traffic control and cli side of openwrt.

now as for my first experiment, i dropped all from lan<device.ip> to wan.
which blocked all internet access

now i would like to know how can i whitelist certain apps like whatsapp, skype and maybe youtube at som e point.
i also know that its all based on ip address of these services, but maybe these services change ip addresses from time to time.

since the tablet is already rooted, i can get ip address and port of apps somehow. or use wireshark externally

is there a better way to do all this?

"Unfortunately" in the age of ubiquitous HTTPS usage, few central cloud providers and the rise of encrypted DNS it becomes increasingly hard to filter application traffic on the IP layer using simple firewall rules.

The only proper solution is installing a transparent HTTP(S) proxy and preinstalling its SSL certificate authority on the client devices, then forcibly redirect all HTTP(S) traffic through that proxy.

This is a quite complex endeavour though and likely not something you're keen on doing as one of your OpenWrt projects.

A slightly less complex variant might be setting up a tinyproxy instance with a whitelist of known good domains, then only provide internet access through that proxy.

A simple solution not involving any complex OpenWrt configuration might be using OpenDNS filter capabilities, for that you only need to force any client DNS traffic through your router / directly to OpenDNS and hope that the clients do not do DNS over HTTPS or DNS over TLS.