We are not too content with Cloudflare as the default. We opted for them since they were the fastest at a time when Portmaster itself had speed issues. A re-evaluation is probably due since a lot has happened in the meantime. Thanks for this input, I took a note. Also, here is the context of that time if you are interested. [1]
---
And lastly, yes, Portmaster deeply integrates into the OS via a kernel extension, specifically via the Windows Filtering Platform APIs. [2] This means network packets can be intercepted, just as browsers that enforce DoH, or VPN software, manipulate network traffic.
I have difficulties seeing your concerns here. We document everything we do and that can be verified by inspecting the source code.
> We know the resulting UX with the phone prefix is uncommon
Sure it is. I've encountered this type of selection, but extremely rarely.
Maybe add an (i) explaining why you ask for the prefix? Could be a free bonus point for you for respecting the user's privacy. The current (i) link just throws you to Wikipedia without explaining anything. This is pretty confusing.
> local queries are not leaked
For the well-known zones (listed on that page), sure. I'm talking about any other named zone. E.g. I would have a split-brain DNS with only a handful of A records on the public side, while a lot more on the internal side (accessible through VPN, for example). If I understand from your blog [0], you would intercept and reroute this query to the DNS servers configured in Portmaster. Which would not only leak the internal names but also outright break resolution, because it would be performed from the public Internet.
Also, reading further, the only place where the /behaviour/ is somewhat explained is the end of the DNS configuration article. [1] It is not a good sign that I needed to deep-dive into multiple docs and blog articles to find out how exactly you interact with DNS.
And also knowing that you outright disabled 'dnscache' on Windows machines before... means you have a pretty perverse understanding of how things can and should be done. And for me it would be another hard 'no' for using your product - you think you know better than me or even the guys from Redmond.
> I have difficulties seeing your concerns here
> Just as browsers
Excuse me? My browser doesn't install WFP filters to 'manipulate traffic'. FF can query DoH, but it does so by running user-mode code in the browser process.
Okay, now I have a way to formulate my concerns:
Not only do you do things you shouldn't do (e.g. dnscache disablement); you omit how exactly your 'Secure DNS' works in your documentation (no, blogs are not documentation); you purposely skew your wording on things you shouldn't (WFP filters for browsers?!).
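An added illustration of the split-horizon concern raised in this sub-thread (it is not Portmaster's code, nor the commenter's; the zone list is a constructed stand-in for a local Unbound configuration): a forwarder that only honours a fixed well-known list sends queries for the operator's own internal zone upstream, which both reveals the name and gets a wrong or empty answer, while a zone-aware policy keeps them local. The second part separates two things QNAME minimisation is often assumed to cover: a recursive resolver doing RFC 7816-style minimisation reveals one label at a time to authoritative servers, but a stub that forwards to a DoT/DoH upstream still hands that upstream the full name.

```python
"""Resolver routing for split-horizon zones, and what each party sees.

Added example. LOCAL_ONLY_ZONES is a constructed stand-in for the zones a
local Unbound serves itself (local-zone / stub-zone entries); the
special-use list follows RFC 6762 (.local), RFC 8375 (home.arpa) and the
RFC 1918 reverse zones of RFC 6761 (only the 172.16/12 slice for .16 is
listed, to keep the example short).
"""

LOCAL_ONLY_ZONES = {"corp.example.", "10.in-addr.arpa."}   # constructed operator zones

SPECIAL_USE_ZONES = {
    "local.", "home.arpa.",
    "10.in-addr.arpa.", "168.192.in-addr.arpa.", "16.172.in-addr.arpa.",
}


def canonical(name: str) -> str:
    """Lower-case, fully qualified form with a single trailing dot."""
    return name.lower().rstrip(".") + "."


def in_zone(qname: str, zone: str) -> bool:
    qname, zone = canonical(qname), canonical(zone)
    return qname == zone or qname.endswith("." + zone)


def route_query(qname: str, local_zones, special_use=SPECIAL_USE_ZONES) -> str:
    """'local': hand to the system/local resolver; 'upstream': send to the DoT/DoH forwarder."""
    for zone in set(local_zones) | set(special_use):
        if in_zone(qname, zone):
            return "local"
    return "upstream"


def route_query_naive(qname: str, special_use=SPECIAL_USE_ZONES) -> str:
    """A forwarder that knows the well-known list but nothing of the operator's zones."""
    return route_query(qname, local_zones=(), special_use=special_use)


def forwarder_sees(qname: str):
    """A stub that forwards (e.g. over DoT) discloses the whole name to the forwarder."""
    return [canonical(qname)]


def authoritatives_see(qname: str, minimised: bool):
    """Names a recursive resolver reveals to authoritative servers while resolving qname.
    Without minimisation the full name is sent at every step; with RFC 7816-style
    minimisation the resolver walks down one label at a time."""
    full = canonical(qname)
    if not minimised:
        return [full]
    labels = full.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


if __name__ == "__main__":
    for name in ("db.corp.example", "printer.local", "5.0.0.10.in-addr.arpa", "www.example.com"):
        print(f"{name:28} zone-aware={route_query(name, LOCAL_ONLY_ZONES):9} "
              f"naive={route_query_naive(name)}")
    print("forwarder sees:", forwarder_sees("db.corp.example"))
    print("authoritatives see (minimised):", authoritatives_see("db.corp.example", True))
```

The naive policy is the failure mode described above: `db.corp.example` is sent upstream, so the internal name leaves the host and the public side of the split-brain zone answers (or does not). Minimisation does not help with that leak because it only changes what authoritative servers see, not what the forwarder receives.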
I was pleasantly surprised that this is a Windows first application! I was scrolling through the page thinking "yet another lovely UI for a good problem to solve but surely this will be OSX" and then bam, Windows and Linux now, Mac coming later.
Ever since moving away from Mac about 8 years ago I've missed Little Snitch. I'll give this a try I think.
Pity about the name; those of us who were around when the internet took off out of its original walled garden will likely remember a "portmaster" as one of the first affordable SLIP routers for those trying to create what were later called "ISPs".
Asking here as it is tangentially related, but is anyone aware of a way to route traffic on a specific port through a VPN while leaving other ports open? I have spent days looking for a solution to this and haven’t found any concrete answers. Hardware, software, anything.
Yes, that is possible but generally not natively in most applications and end-user operating systems.
Without native support, traffic control like that requires something like pf or iptables to manage the traffic you want to treat differently. This means something like an outbound firewall that does a different NAT or different route or different redirect (generally packet rewriting). If you want to scope it to more than just a port or IP (or a range of them) and be specific to an application, you'd need some type of socket filter which works at the socket level in the OS. Applications generally use sockets to interface with the network, and those sockets are provided by the OS, and thus it can control aspects of them.
Without those, you can also have a dedicated interface for the 'special' traffic.
Some applications allow you to specify an outgoing interface, for those you can have them use a specific interface and have a firewall rule that redirects that port. Others don't, and you'd have to encapsulate them in a namespace (i.e. a docker container) or VM which then 'creates' that dedicated interface your application would have to use. Then you can pipe that interface through your packet filter of choice and achieve the same thing.
Alternatively you can pipe all of the traffic of such a 'packaged' setup through your VPN. Since you'll only be running your application inside that configuration only it would be affected.
Today, when I find myself in a scenario where I need some of this, I either have created a situation that is problematic to begin with (i.e. trying something silly that shouldn't be done in the first place) or I'm trying to simulate something like a L2 protocol over an L3 VPN for remote debugging. I've found that everything in the first category generally is a waste of time to work with anyway.
I did something similar with Docker. I ran both an OpenVPN client and an SSH client inside a Docker container, so only the SSH client would be affected by the OpenVPN controlling the container network. And by telling the SSH client to port forward, and by exposing the same port forward from the container to the local computer, I could use it to travel through the VPN while all other ports on the local computer were unaffected.
According to your README you require NET_ADMIN permissions and you are mapping the host /dev/net/tun into the container. Doesn’t this mean you are affecting the host network as well? Sorry not super familiar with Docker’s security model
Seeing it, I remember a firewall management GUI that was one of the first easy and simple ones, "firestarter"; sadly it was discontinued some time ago, before Ubuntu released their "ufw", which was very similar.
This tool seems promising.
Thank you so much for both being open about your monetization strategy (which seems reasonable to me) and having a well written, easily found privacy policy!
It's too bad that Black Ice firewall doesn't work on modern windows OS. It was lightyears ahead of Portmaster's design and functionality even back in the late 90s (at least until IBM bought and ruined it). It seems like it's impossible for software to be self contained these days.
right, I used to have a firewall that could whitelist apps in the 90s on Windows (can't remember the name)... iptables can't even do that as far as I know... but there is https://github.com/evilsocket/opensnitch that I still need to try (I no longer use Windows).
We have not investigated too much into this topic - but from what we know it would probably be easier to implement a bandwidth cap than monitoring the bandwidth.
And from a priority perspective it is likely to take a while until we get to these topics; our focus lies elsewhere at the moment.
It is a common "failure mode" of Electron apps, I can't use VSCode on my secondary monitor (FullHD) because everything works fine except it. I think it ignores subpixel rendering from the system.
You can try to catch the screenshots at some extra large resolution and properly downscale them with maybe a little sharpening.
Looks great. One issue to note is that it's not supported in MacOS. I wonder if this is due to the MacOS API sandboxing changes that occurred recently?
Correct. We were already investigating how to do it when Apple announced that they will ditch their kernel extensions. We then put it on hold to wait for the changes. Been on hold since, because of resource focus to get it out already. ;)
Unfortunately that would not make sense, as the Portmaster needs to access many OS interfaces in order to integrate correctly. Docker's job is pretty much to remove access to these.
However, the systemd service actually uses restrictions as far as possible.
A firewall with a configuration interface running on Electron, just like the horrid free AV solutions for Windows back in the day :) Can't be too critical of that because the developers have already expressed their dislike of Electron on the website, and it makes sense that they won't drop everything for a huge UI rewrite.
This entire thing seems incredibly polished, I'm surprised I haven't heard of this before. For every question and potential limitation for my use cases there seems to be an explanation on their FAQ. I'm definitely going to take this for a spin! Too bad there's no AUR package ready to go yet because I don't really want the burden of updating manually, but all in good time I suppose.
CTO of Safing here.
Yes, we dislike Electron and tried another route before switching to it. We have our hopes up for the new Microsoft Edge WebView2, which I hope to evaluate soon: https://developer.microsoft.com/en-us/microsoft-edge/webview...
The Portmaster updates itself automatically, and you can use the PKGBUILD for installation until we start publishing it to the AUR near-term.
What kind of features of electron are you using in the UI?
If it's only http/websockets and the UI, you could try webkit2gtk or other alternatives. It's actually quite easy to build a gjs or Qt wrapper on Linux. WebKit(Legacy) from webkitgtk also builds on Windows.
I am currently in the process of making WebKit into a webview that only includes websockets as an API, so the long term goal is to have a minimalistic webview that doesn't have everything that a browser has. [1]
Maybe it makes sense to combine development efforts?
[1] https://github.com/tholian-network/retrokit
Please also publish a version that does not auto update. The AUR package for google-chrome-stable does not allow in-app updates, forcing the system to choose. This choice should not be taken away.
Here's my take on Electron and anything else resource-intensive: if your UI is either short-lived (like a configuration window) or the main thing you're using (like an IDE), I don't really care how much RAM or anything else it uses.
A firewall configuration window falls in the first category - you only open it very occasionally and for not very long, so it doesn't really matter how heavy it is. Where Electron (or similar) is really bad are things like Discord, Slack, Spotify, Teams, etc. where you'll likely be running many of them all the time, while you're doing other things that need those resources.
A surprisingly large amount of AV software is actually built on Sciter
No AUR package yet it seems, but a PKGBUILD is already provided so I would assume it is not too much of hassle to take it for spin: https://docs.safing.io/portmaster/install/linux#arch-linux
AUR is incoming!
For several years now, I've been an advocate for either "uninstalling" the default route on (most) hosts and/or switching to a default deny policy for outbound traffic, just like we all did for inbound traffic a long time ago.
I'll readily admit that the amount of work required in order to do this is HUGE and, of course, it isn't gonna happen overnight. Every time we have another one of these massive vulnerabilities that affects damn near everything and everybody, though, I think we get just a little bit closer.
Once some large company makes the decision to do it, then actually does it, then (at some point down the road) shares publicly how it totally saved their ass when $thing happened, maybe some CISOs will start to take notice and (eventually) follow suit.
As with IPv6, I remain hopeful that we'll get there at some point in my lifetime! Unfortunately, though, I'm sure it'll take a lot more "bad shit" happening first.
I'm assuming you're using a stateful packet filter when you're talking about this? Otherwise you'll break all kinds of stuff.
CISOs care about security, but you'll find that most developers/users do not at all, and it's like pulling teeth to get anything done. It'd likely be better to get all developers basic security training and automated code vulnerability scanning tools.
I've worked in an environment where all the developers did basic security training, and I've worked (well, interned) in an environment where prod had a default-deny firewall for outbound traffic.
The latter was definitely a hell of a lot more trouble. The latter was also definitely a hell of a lot more secure - and not because I had tons of faith in the code.
That's what I did at my last role, and it was made infinitely easier because I was the first engineer and it was greenfield development.
Our backend used a combination of network policies to only allow outbound TCP connections to a handful of forward proxies, each of which was one simple, easy to verify nginx server that forwarded to https://saas.service.example.com.
And on days when we learned of new supply chain vulnerabilities, we didn't have a security incident.
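An added illustration of the egress policy described in the comments above (default deny outbound, with the stateful-filter caveat raised earlier in the thread); this is not the commenter's code or any project's, and the networks, proxy addresses and port are assumed values. It models the allowlist as rules: a new outbound connection is accepted only from an app host to one of the forward proxies, packets belonging to a flow already admitted pass in both directions, and everything else is dropped. A stateless variant is run on the same packets to show why, without connection tracking, the proxy's own SYN/ACK would be dropped and "all kinds of stuff" breaks.

```python
"""Default-deny outbound through a stateful filter (added example, constructed policy).

APP_NET, EGRESS_PROXIES and PROXY_PORTS are assumptions for the example;
real deployments would carry the same logic in nftables/iptables or a
Kubernetes NetworkPolicy rather than in Python.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

APP_NET = ip_network("10.1.0.0/16")                                   # assumed backend hosts
EGRESS_PROXIES = {ip_address("10.0.9.10"), ip_address("10.0.9.11")}  # assumed forward proxies
PROXY_PORTS = {3128}                                                  # assumed proxy port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

    @property
    def is_new(self) -> bool:
        # TCP: a SYN without ACK is the first packet of a new connection attempt.
        return self.syn and not self.ack

    @property
    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

    @property
    def reverse_key(self):
        return (self.dst, self.dport, self.src, self.sport)


def policy_allows_new(p: Packet) -> bool:
    """Allowlist for NEW connections: only an app host talking to an egress proxy."""
    return (ip_address(p.src) in APP_NET
            and ip_address(p.dst) in EGRESS_PROXIES
            and p.dport in PROXY_PORTS)


def stateless_decide(p: Packet) -> str:
    """Per-packet rules with no memory: a reply to an admitted flow has nowhere to match."""
    if p.is_new:
        return "ACCEPT(new->proxy)" if policy_allows_new(p) else "DROP(new)"
    return "DROP(stateless)"


class StatefulFilter:
    """Same allowlist plus a connection table, which is what conntrack/pf state gives you."""

    def __init__(self):
        self.flows = set()

    def decide(self, p: Packet) -> str:
        if p.key in self.flows or p.reverse_key in self.flows:
            return "ACCEPT(established)"
        if p.is_new and policy_allows_new(p):
            self.flows.add(p.key)
            return "ACCEPT(new->proxy)"
        return "DROP(new)" if p.is_new else "DROP(no-state)"


def demo():
    """Handshake to the proxy, then a direct attempt to an outside host, through both filters."""
    syn = Packet("10.1.0.5", 40000, "10.0.9.10", 3128, syn=True)
    syn_ack = Packet("10.0.9.10", 3128, "10.1.0.5", 40000, syn=True, ack=True)
    direct = Packet("10.1.0.5", 40001, "198.51.100.20", 443, syn=True)  # bypasses the proxy
    f = StatefulFilter()
    return {
        "stateful": [f.decide(syn), f.decide(syn_ack), f.decide(direct)],
        "stateless": [stateless_decide(syn), stateless_decide(syn_ack), stateless_decide(direct)],
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The direct connection to 198.51.100.20:443 is dropped by both filters, which is the supply-chain payoff: a compromised dependency that tries to call home without going through the proxy gets nothing. The stateless run shows the proxy's SYN/ACK being dropped, so a host behind such a filter could not complete even the allowed connection.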
I implemented this on a company's network in the mid 2000s
all browser traffic went through an extremely locked down secured proxy
all applications on the OS (bar the browser) were routed to a different set of proxies with only whitelisted IP addresses over VPNs/leased lines/MPLS
any data that tried to get out from a PC not in the above whitelist was flagged and investigated
You can do an outbound allow list with apps like Little Snitch.
Ooooo nice, I've been using Little Snitch for MacOS lately--it's been shocking how many things phone home, especially development tools. I installed Redhat's YAML extension for VS Code, and it was immediately trying to send a message home.
Also there's OpenSnitch for Linux, available here:
https://github.com/evilsocket/opensnitch
I don't use it all the time but it is occasionally useful (or just satisfies my curiosity about what's phoning home)
Lulu - https://objective-see.com/products/lulu.html - is a great free alternative to Little Snitch.
Open source for good measure: https://github.com/objective-see/LuLu
I don't think LuLu is an alternative; it is rather a small subset of the features of what LS can do.
> I installed Redhat's YAML extension for VS Code, and it was immediately trying to send a message home.
this frustrates me so much! i have not touched vs code, which is otherwise a decent editor, for a while because of all these shenanigans with the extensions.
Can't recommend Little Snitch enough, been using it for 7-8 years now. Extremely useful to prevent any unencrypted connections on wifi you don't trust (which I also used to prevent unencrypted connections when I'm in countries with internet censorship) and for peace-of-mind that some random application won't try to exfil data.
Automatic switching between profiles based on connection type (wifi, different VPN servers, etc.) is cherry on the top.
Running LS is both amazing for what it does, and depressing for what you see.
As for the VSCode extension, do you have telemetry disabled in Code globally? The Red Hat extensions are supposed to respect that preference for any telemetry they send. If you're seeing otherwise, please file a bug if you can.
Yeah I did have it on before installing. I never inspected the actual message though, it could have been "just downloading schemas".
I already spent like 5 hours dissecting every message coming out of my computer in Wireshark a few months ago lmao. I set up TLS logging so I could look at encrypted traffic with SSLKEYLOGFILE.
iftop is a Linux command line tool to list network connections.
https://www.tecmint.com/iftop-linux-network-bandwidth-monito...
Of course it has no firewall.
On this topic, is there a way to disable network access per VS Code extension? The vast majority have no business accessing the internet.
AGPL, multi-platform, beautiful UI, non-trivial network monitor and firewall... haven't used it but congrats!
They're also very transparent [0] which is awesome. I know the developers, who are great as well.
[0] https://safing.io/ownership/
Could you please ask them to stop doing silly things like distributing an installer that then goes and downloads the actual installer?
Damn, looks like a nice free competitor to Glasswire which I'm currently using (which also has an extremely usable free option).
Like Glasswire though I'm guessing this doesn't alert on common traffic like DNS lookups via the host, which would still allow malicious software to get traffic in and out unseen.
CTO of Safing here.
The Portmaster actually handles DNS itself and will show you DNS queries in the UI. (Currently, only showing DNS queries that were _not_ served from cache.)
Also, Portmaster actually has its own kernel module in Windows and sees more than Glasswire.
Portmaster sends queries over DNS-over-TLS to protect them and has (very) basic protection against data tunnels.
Oh nice, that's more in-depth than what I'd expected. Great work.
Might want to rebrand since FreeBSD's "portmaster" has been in use for decades at this point.
https://cgit.freebsd.org/ports/tree/ports-mgmt/portmaster
CTO of Safing here.
Yes, this is rather unfortunate. There are also some more "portmaster" things around, which were partly mentioned in an older HN thread.
We thought about a rebrand, but it's just way too expensive right now, as we are still bootstrapping.
I also don't think that there is an immediate issue, as both application domains and presence on operating systems don't interfere. If you think otherwise, please share your thoughts!
AFAIK 'sed' is pretty easy to use :)
All kidding aside though, I do wonder how collisions like this happen/persist.
Also, if you port to support pf you'll probably need to rebrand for real.
This looks interesting, though it's not entirely clear how it works. The docs go relatively in depth into the code structure, but it doesn't do much else.
Looks like they implemented their own Windows kernel driver [1] [2] for intercepting packets. And since I see BOTH domain names and applications that won't trust a custom SSL CA on their website, I guess they get the domain name from the SSL handshake packets (SNI) [3], which is in plaintext.
[1] https://github.com/safing/portmaster/blob/22507e879be95c7b0f...
[2] https://github.com/safing/portmaster-windows-kext
[3] https://en.wikipedia.org/wiki/Server_Name_Indication
CTO of Safing here.
We have SNI inspection in progress (currently on hold), but not yet live. Currently, we just match the IP address to all resolved IPs of all domains and pick the most recent one. (The Portmaster handles DNS via DNS-over-TLS.)
With TLS1.3, the SNI will be encrypted, so this information will be "gone" for us anyway.
They could also just do a reverse DNS lookup on the IP (and then forward lookup to confirm it).
This would be less effective for sites run through CDNs (ex Cloudflare) though.
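An added example covering the two attribution methods discussed in this sub-thread, the SNI guess in the question and the "match the IP to the most recently resolved domain" approach in the answer; it is not Portmaster's code or the commenters', and the ClientHello builder, the IP addresses and the DNS answer log are constructed for the example. The parser walks a real TLS ClientHello layout (record header, handshake header, random, session id, cipher suites, compression, extensions) to pull out the server_name extension; the fallback keeps a timestamped log of DNS answers and returns the newest domain for a destination IP, which is exactly where CDN-shared addresses make the answer ambiguous.

```python
"""Attribute an outbound connection to a domain: SNI first, DNS-answer log as fallback.

Added example with constructed inputs; build_client_hello() exists only so the
parser can be exercised offline and is not a real TLS client.
"""
import struct

SNI_EXT = 0x0000


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2-framed ClientHello carrying supported_versions and server_name."""
    name = server_name.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    sv_body = b"\x02\x03\x04"                                        # supported_versions: TLS 1.3
    sv_ext = struct.pack("!HH", 0x002B, len(sv_body)) + sv_body      # placed before SNI on purpose
    exts = sv_ext + sni_ext
    body = (b"\x03\x03" + bytes(32)                                  # legacy_version, random (zeroed)
            + b"\x00"                                                # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"                     # one cipher suite
            + b"\x01\x00"                                            # compression: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent/not TLS."""
    try:
        if len(data) < 5 or data[0] != 0x16:                         # ContentType handshake
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                                            # client_hello
            return None
        end = 4 + int.from_bytes(hs[1:4], "big")
        p = 4 + 2 + 32                                               # skip version + random
        p += 1 + hs[p]                                               # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]                 # cipher_suites
        p += 1 + hs[p]                                               # compression_methods
        if p + 2 > end:
            return None                                              # no extensions block
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == SNI_EXT:
                q, list_end = p + 2, p + elen                         # skip server_name_list length
                while q + 3 <= list_end:
                    ntype = hs[q]
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:
                        return hs[q:q + nlen].decode("idna")
                    q += nlen
            p += elen
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


class DnsAnswerLog:
    """Timestamped (ip -> domain) answers observed by a host-level resolver."""

    def __init__(self):
        self._by_ip = {}

    def record(self, domain: str, ip: str, ts: float) -> None:
        self._by_ip.setdefault(ip, []).append((ts, domain))

    def most_recent_domain(self, ip: str):
        entries = self._by_ip.get(ip)
        return max(entries)[1] if entries else None                  # newest timestamp wins

    def candidates(self, ip: str):
        return sorted({d for _, d in self._by_ip.get(ip, [])})


def attribute_connection(dst_ip: str, first_bytes: bytes, log: DnsAnswerLog):
    """(domain, method): SNI when the first bytes are a ClientHello, else newest DNS answer."""
    sni = extract_sni(first_bytes) if first_bytes else None
    if sni:
        return sni, "sni"
    domain = log.most_recent_domain(dst_ip)
    return (domain, "dns-most-recent") if domain else (None, "unknown")
```

With two domains resolved to the same CDN address, the DNS fallback returns whichever was resolved last, and `candidates()` shows the full set of possibilities; the SNI path disambiguates only while the ClientHello carries a cleartext server_name, which is the limitation the answer above notes for encrypted SNI.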
Hi, CTO of Safing here.
Can you explain what you expected? Maybe you can find a good example. We really want to improve on this.
I prefer this to SimpleWall, but it's kind-of heavy (both the UI and the service) resource-wise - so I don't run it always, just after big Windows Updates to make sure they don't add new "phone home" "functionality". OSS is also a super nice plus.
CTO of Safing here.
We are trying to improve on this. Would be great if you could create a Github issue so we can have a look. You can also easily do this from within the UI.
Another day, another name collision; portmaster is also the name of a FreeBSD ports management utility that's been pretty widely-used for well over a decade now
This kind of feels like the people that were saying the package ‘node’ already existed, and therefore should not be replaced, since there were many people using it to do their aux audio input or something.
If it’s actually widely used then I’d have heard of it by now. My suspicion is that it’s widely used in a specific circle.
And, since about the mid-90s or so, "portmaster" was also the name of a series of hardware "appliances" (as we'd probably call them today) that were very widely used in the early days of the Internet [0].
--
[0]: http://portmasters.com
Having used both, I'd rather use the FreeBSD utilities :)
CTO of Safing here. Yes, this is rather unfortunate. There are also some more "portmaster" things around, which were partly mentioned in an older HN thread.
We thought about a rebrand, but it's just way too expensive right now, as we are still bootstrapping.
I also don't think that there is an immediate issue, as both application domains and presence on operating systems don't interfere. If you think otherwise, please share your thoughts!
They don't even support FreeBSD. It's like saying United Chemicals had a name collision with United Airlines.
Correct, "portmaster" and "mergemaster" are widely used.
> Phone routing can't be blank
> Country does not match with the country prefix for your phone number
Fishy.
And if you check country prefix with the list of country prefixes anyway... Why do you even bother with country AND prefix?
> The Portmaster actually handles DNS itself and will show you DNS queries in the UI
Yikes. What about the DNS resolvers configured in the system? Do you hijack/overwrite them? [0] I use my own Unbound locally; how would Portmaster handle queries for NSs in the Unbound config which are unknown to the world - leak them? How about QNAME minimization? Where exactly would Portmaster send the DNS queries?
An actual kernel module on Windows, so it really can do anything it wants and wouldn't be caught by the machine itself?
Yikes.
Overall, this is the product which could be useful for many users, but for me it's a hard no.
The "SPN" idea is interesting, but also raises the questions about who, where and how would control exit nodes.
[0] https://docs.safing.io/portmaster/settings#dns/nameservers says they are forwarding to Cloudflare by default. /Great/
> And if you check country prefix with the list of country prefixes anyway... Why do you even bother with country AND prefix?
For users subscribing to the SPN, we are required by law to pay taxes. In order to attribute an Internet user to a country you have to collect 2 of these 3 data points, and naturally they have to overlap.
- an IP address
- a country the user selects
- a phone prefix the user selects
Many tech companies collect all three, with the addition of collecting the full phone number instead of only the prefix.
We chose the approach we felt respected user privacy the most. We know the resulting UX with the phone prefix is uncommon, but thought it superior to storing your IP (which most companies do while hiding that fact away in the Terms of Service).
---
For the DNS implementation, we do have in-depth docs talking about DNS integration. As a summary, local queries are not leaked. [0]
We are not too content with Cloudflare as the default. We opted for them since they were the fastest at a time when Portmaster itself had speed issues. A re-evaluation is probably due since a lot has happened in the meantime. Thanks for this input, I took a note. Also, here is the context of that time if you are interested. [1]
---
And lastly, yes, Portmaster deeply integrates into the OS via a kernel extension, specifically via the Windows Filtering Platform APIs [2]. This means network packets can be intercepted, just as browsers that enforce DoH, or VPN software, manipulate network traffic.
I have difficulties seeing your concerns here. We document everything we do and that can be verified by inspecting the source code.
[0] https://docs.safing.io/portmaster/architecture/core-service/...
[1] https://safing.io/blog/2020/07/07/how-safing-selects-its-def...
[2] https://docs.microsoft.com/en-us/windows/win32/fwp/windows-f...
Thanks for the response.
> We know the resulting UX with the phone prefix is uncommon
Sure it is. I've encountered this type of selection, but extremely rarely.
Maybe add an (i) explaining why you ask for the prefix? It could be a free bonus point for you for respecting the users' privacy. The current (i) link just throws you to Wikipedia without explaining anything. This is pretty confusing.
> local queries are not leaked
For the well-known zones (listed on that page), sure. I'm talking about any other named zone. E.g. I would have a split-brain DNS with only a handful of A records on the public side, while a lot more on the internal side (accessible through VPN, for example). If I understand from your blog [0], you would intercept and reroute this query to the DNS servers configured in Portmaster. Which would not only leak the internal names but explicitly break the resolving, because it would be performed from the public Internet.
Also, reading further, the only place where the /behaviour/ is somewhat explained is the end of the DNS configuration article [1]. It is not a good marker that I needed to deep-dive into multiple docs and blog articles to find out how exactly you interact with DNS.
And also knowing that you outright disabled 'dnscache' on Windows machines before... Means you have a pretty perverse understanding of how things can and should be done. And for me it would be another hard 'no' for using your product - you are thinking you know better than me or even the guys from Redmond.
> I have difficulties seeing your concerns here
> Just as browsers
Excuse me? My browsers don't install WFP filters to 'manipulate traffic'. FF can query DoH, but does it by running user-mode code in the browser process.
Okay, now I have a way to formulate my concerns:
Not only do you do things you shouldn't do (eg dnscache disablement); you are omitting how exactly your 'Secure DNS' works in your documentation (no, blogs are not documentation); you purposely skew your wording on things you shouldn't (WFP filters for browsers?!).
[0] https://safing.io/blog/2021/03/23/attributing-dns-requests-o...
[1] https://docs.safing.io/portmaster/guides/dns-configuration#d...
2 replies →
I was pleasantly surprised that this is a Windows first application! I was scrolling through the page thinking "yet another lovely UI for a good problem to solve but surely this will be OSX" and then bam, Windows and Linux now, Mac coming later.
Ever since moving away from Mac about 8 years ago I've missed Little Snitch. I'll give this a try I think.
Pity about the name; those of us who were around when the internet took off out of its original walled garden will likely remember a "portmaster" as one of the first affordable SLIP routers for those trying to create what were later called "ISPs".
Asking here as it is tangentially related, but is anyone aware of a way to route traffic on a specific port through a VPN while leaving other ports open? I have spent days looking for a solution to this and haven’t found any concrete answers. Hardware, software, anything.
Yes, that is possible but generally not natively in most applications and end-user operating systems.
Without native support, traffic control like that requires something like pf or iptables to manage the traffic you want to treat differently. This means something like an outbound firewall that does a different NAT or different route or different redirect (generally packet rewriting). If you want to scope it to more than just a port or IP (or a range of them) and be specific to an application, you'd be needing some type of socket filter which works at the socket level in the OS. Applications generally use sockets to interface with the network, and those sockets are provided by the OS and thus it can control the aspects of those.
Without those, you can also have a dedicated interface for the 'special' traffic. Some applications allow you to specify an outgoing interface, for those you can have them use a specific interface and have a firewall rule that redirects that port. Others don't, and you'd have to encapsulate them in a namespace (i.e. a docker container) or VM which then 'creates' that dedicated interface your application would have to use. Then you can pipe that interface through your packet filter of choice and achieve the same thing.
Alternatively you can pipe all of the traffic of such a 'packaged' setup through your VPN. Since you'll only be running your application inside that configuration only it would be affected.
Today, when I find myself in a scenario where I need some of this, I either have created a situation that is problematic to begin with (i.e. trying something silly that shouldn't be done in the first place) or I'm trying to simulate something like a L2 protocol over an L3 VPN for remote debugging. I've found that everything in the first category generally is a waste of time to work with anyway.
For your first suggestion, the outbound firewall, is there an easy way of doing this on a Raspberry Pi?
1 reply →
I did something similar with docker. I ran both OpenVPN client and SSH client inside a docker, so only the SSH client would be affected by the OpenVPN controlling the container network. And by telling the SSH client to port forward, and by exposing the same port forward from the docker to the local computer, I could use it to travel through the VPN while all other ports on the local computer were unaffected.
Here is my code for reference: https://github.com/yonixw/ssh-vpn-docker
According to your README you require NET_ADMIN permissions and you are mapping the host /dev/net/tun into the container. Doesn’t this mean you are affecting the host network as well? Sorry, not super familiar with Docker’s security model.
1 reply →
This is all about routing, and thus, OS specific.
On Linux, you can mark packets, and use multirouting I'd think.
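The outbound-firewall approach from the longer reply above (a different route for selected traffic via packet rewriting) and the "mark packets and use multiple routing tables" remark in this comment are the same Linux mechanism. The following is an added example in POSIX shell, not code from the thread or from any product discussed here: it generates the iptables/iproute2 commands that mark one outbound TCP destination port and route it through a VPN interface, and can then apply them as root. Interface name, port, mark value and table number are placeholders; it assumes a point-to-point VPN interface (tun/wg style) where `ip route add default dev <if>` is enough.

```shell
#!/bin/sh
# Added example, not code from this thread: Linux policy routing that sends
# only one outbound TCP destination port over a VPN interface, using packet
# marks plus a dedicated routing table. Everything else keeps the normal
# default route. Interface name, port, mark and table number are placeholders.

# Print the commands for one port / VPN interface, one per line, without
# running them. Mark and table values just need to be unused on the host.
#   1. loose reverse-path filtering on the VPN interface, so replies that
#      arrive on it for a marked flow are not dropped
#   2. mark locally generated packets for the chosen destination port
#   3. masquerade on the VPN interface so the flow uses the VPN address
#   4. a routing table whose only route is the VPN interface
#   5. a rule that sends marked packets to that table
#   6. leak guard: a marked packet that would leave on any other interface
#      (e.g. the VPN is down) is rejected instead of using the default route
policy_routing_cmds() {
  port=$1
  vpn_if=$2
  mark=${3:-0x20}
  table=${4:-120}
  cat <<EOF
sysctl -w net.ipv4.conf.${vpn_if}.rp_filter=2
iptables -t mangle -A OUTPUT -p tcp --dport ${port} -j MARK --set-mark ${mark}
iptables -t nat -A POSTROUTING -o ${vpn_if} -j MASQUERADE
ip route add default dev ${vpn_if} table ${table}
ip rule add fwmark ${mark} lookup ${table}
iptables -A OUTPUT -m mark --mark ${mark} ! -o ${vpn_if} -j REJECT
EOF
}

# Apply the generated rules (needs root); stops at the first failing command.
apply_policy_routing() {
  policy_routing_cmds "$@" | sh -e
}

# Usage (review the dry run first, then apply):
#   policy_routing_cmds 8443 tun0
#   apply_policy_routing 8443 tun0
```

The rule set is IPv4-only; a host with IPv6 connectivity needs the equivalent `ip6tables` and `ip -6` rules, otherwise the port's IPv6 traffic still takes the normal route. The rules are also not persisted across reboots; that is deliberate, so a mistake is undone by a restart while testing.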
Are you trying to forward traffic received on that port over a VPN?
I believe so. I want traffic from one application to go over a VPN and other traffic to go over the public internet.
4 replies →
Seeing it, I remember a firewall management GUI that was one of the first easy and simple ones, “firestarter”; sadly it was discontinued some time ago, before Ubuntu released their “ufw”, which was very similar. This tool seems promising.
Thank you so much for both being open about your monetization strategy (which seems reasonable to me) and having a well written, easily found privacy policy!
Thanks for the feedback!
It's too bad that Black Ice firewall doesn't work on modern Windows OS. It was light-years ahead of Portmaster's design and functionality even back in the late 90s (at least until IBM bought and ruined it). It seems like it's impossible for software to be self contained these days.
Clearly BlackICE was just far too cool a product name for IBM to handle.
Right, I used to have a firewall that could whitelist apps in the 90s on Windows (can't remember the name)... iptables can't even do that as far as I know... but there is https://github.com/evilsocket/opensnitch that I still need to try (I no longer use Windows).
Nowadays I use TinyWall[1] on Windows. A simple firewall with a whitelist and some convenience functions.
[1] https://tinywall.pados.hu/
ZoneAlarm? Was in my default set of programs to install in the XP era.
Any plans to introduce the ability to control/limit bandwidth (per-app)? Something like that would be a great feature to have in an open-source tool.
relevant GitHub issue [0]
We have not investigated too much into this topic - but from what we know it would probably be easier to implement a bandwidth cap than monitoring the bandwidth.
And from a priority perspective it is likely to take a while until we get to these topics, our focus lies elsewhere at the moment.
[0] https://github.com/safing/portmaster/issues/382
OT: text on the screenshots is blurry and it's a pain to read :/.
Thanks for the feedback, will forward.
It is a common "failure mode" of Electron apps, I can't use VSCode on my secondary monitor (FullHD) because everything works fine except it. I think it ignores subpixel rendering from the system.
You can try to catch the screenshots at some extra large resolution and properly downscale them with maybe a little sharpening.
> MACOS (NOT SUPPORTED)
So folks, what are the good macOS alternatives currently?
You may want to look at Little Snitch https://www.obdev.at/products/littlesnitch/index.html
I've been a happy user for many years, now.
It's not free, though.
Looks great. One issue to note is that it's not supported on macOS. I wonder if this is due to the macOS API sandboxing changes that occurred recently?
I suspect they just haven't gotten to it yet - the FAQ says Mac and mobile support is planned.
Correct. We were already investigating how to do it when Apple announced that they will ditch their kernel extensions. We then put it on hold to wait for the changes. Been on hold since, because of resource focus to get it out already. ;)
I’ve been checking the roadmap monthly for a year or two at this point regarding macOS support. Any inkling of when it will be supported?
2 replies →
Little Snitch does it on macOS, but it probably takes a lot of effort.
Curious if this can help with hardware backdoors. This probably uses OS APIs which a sophisticated spyware would maybe work around?
I'm already using Malwarebytes WFC, and I don't care for the ad filtering. Is there any reason I should switch?
I wonder how this compares to the Binisoft Windows Firewall Control wrapper. Is the included firewall in Windows any good?
Minor item on your alpha notification: It's spelled "hiccup", not "hickup".
thanks! just changed it [0]
[0]: https://github.com/safing/web/commit/24869b756d4c90aff884383...
This would be more useful if it could run in docker with a web client
Hi, CTO of Safing here.
Unfortunately that would not make sense, as the Portmaster needs to access many OS interfaces in order to integrate correctly. Docker's job is pretty much to remove access to these.
However, the systemd service actually uses restrictions as far as possible.
A headless web client in general then. Seems to only be electron from what I can see
1 reply →
This is amazing
> I wish titles would indicate "for Windows" or something like that. Useless article for non-windows-users.
It also works with Ubuntu and Fedora, so not sure where you got the Windows-only impression.