A firewall with a configuration interface running on Electron, just like the horrid free AV solutions for Windows back in the day :) Can't be too critical of that because the developers have already expressed their dislike of Electron on the website, and it makes sense that they won't drop everything for a huge UI rewrite.
This entire thing seems incredibly polished, I'm surprised I haven't heard of this before. For every question and potential limitation for my use cases there seems to be an explanation on their FAQ. I'm definitely going to take this for a spin! Too bad there's no AUR package ready to go yet because I don't really want the burden of updating manually, but all in good time I suppose.
What kind of features of electron are you using in the UI?
If it's only http/websockets and the UI, you could try webkit2gtk or other alternatives. It's actually quite easy to build a gjs or Qt wrapper on Linux. WebKit(Legacy) from webkitgtk also builds on Windows.
I am currently in the process of making WebKit into a webview that only includes websockets as an API, so the long term goal is to have a minimalistic webview that doesnt have everything that a browser has. [1]
Maybe it makes sense to combine development efforts?
We mainly use http/websockets, but have also started using a feature that will give us the application icon of an executable on Windows.
We've previously used the webview lib [0] and we will look into it again, as they now support Microsoft's new Edge webview.
It's a C and Golang library.
retrokit definitely looks interesting, can you elaborate on the additional value provided in regards to a simple webview? I just saw that your use case is using it for a full browser.
We use a strict CSP for the UI, which works pretty well.
A collaboration sounds interesting, but as we are still bootstrapping, it will take some time until we'd have the resources to do that.
> can you elaborate on the additional value provided in regards to a simple webview?
The proposed value of retrokit (when it's more progressed) is a much smaller library/file size and the reduction of a potential attack surface in regards to fingerprinting, privacy and security.
Legacy encryption APIs that are outdated, Plugin APIs that are from the Netscape-era, "navigator.plugins" and old stuff that's not actually providing any value anymore is being removed as well - due to the history of e.g. PDF files or Java applets being such an oftentimes exploited plugin.
The idea is to have a webview that's focussing on the rendering part + websockets for local interprocess or webapp-to-webserver communication. At a later point in time my goal is to bundle it with nodejs, with the idea being that the "local backend" in nodejs allows all the flexibility you need to port networking and OS interactions; and the webapp representing the UI process that's separated (from a security perspective).
This would be a great base for a secure browser, which is something we are interested in long-term.
Maybe we can have a chat about a possible future partnership?
We won't be able to support such an initiative at the moment, but we are definitely interesting in investing in that area at some point in the future.
Please also publish a version that does not auto update. The aur package for google-chrome-stable does not allow in app updates, for I g the system to choose. This choice should not be taken away.
Here's my take on Electron and anything else resource-intensive: if your UI is either short-lived (like a configuration window) or the main thing you're using (like an IDE), I don't really care how much RAM or anything else it uses.
A firewall configuration windows falls in the first category - you only open it very occasionally and for not very long, so it doesn't really matter how heavy it is. Where Electron (or similar) is really bad are things like Discord, Slack, Spotify, Teams, etc. where you'll likely be running many of them all the time, while you're doing other things that need those resources.
For several years now, I've been an advocate for either "uninstalling" the default route on (most) hosts and/or switching to a default deny policy for outbound traffic, just like we all did for inbound traffic a long time ago.
I'll readily admit that the amount of work required in order to do this is HUGE and, of course, it isn't gonna happen overnight. Every time we have another one of these massive vulnerabilities that affects damn near everything and everybody, though, I think we get just a little bit closer.
Once some large company makes the decision to do it, then actually does it, then (at some point down the road) shares publicly how it totally saved their ass when $thing happened, maybe some CISOs will start to take notice and (eventually) follow suit.
As with IPv6, I remain hopeful that we'll get there at some point in my lifetime! Unfortunately, though, I'm sure it'll take a lot more "bad shit" happening first.
I'm assuming you're using a stateful packet filter when you're talking about this? Otherwise you'll break all kinds of stuff.
CISO's care about security but you'll find that most developers/users do not at all and its like pulling teeth to get anything done. It'd likely be better to get all developers basic security training and automated code vulnerability scanning tools.
I've worked in an environment where all the developers did basic security training, and I've worked (well, interned) in an environment where prod had a default-deny firewall for outbound traffic.
The latter was definitely a hell of a lot more trouble. The latter was also definitely a hell of a lot more secure - and not because I had tons of faith in the code.
That's what I did at my last role, and it was made infinitely easier because I was the first engineer and it was greenfield development.
Our backend used a combination of network policies to only allow outbound TCP connections to a handful of forward proxies, each of which was one simple, easy to verify nginx server that forwarded to https://saas.service.example.com.
And on days when we learned of new supply chain vulnerabilities, we didn't have a security incident.
Ooooo nice, I've been using Little Snitch for MacOS lately--it's been shocking how many things phone home, especially development tools. I installed Redhat's YAML extension for VS Code, and it was immediately trying to send a message home.
That's true - it may lack some advanced feature. But it's quite capable for the large majority of users. The only thing I don't like is that with newer macOS versions Lulu has dropped its own kernel extension in favour of macOS' built-in Network Extension framework that may have backdoor "bugs" built-in to allow Apple to spy on us (e.g. https://macresearch.org/mac-feature-bypass-firewalls-removed... ). I don't recall, but I think Little Snitch still uses it own custom kernel extension as macOS NEF doesn't still support all the features that LS offers.
> I installed Redhat's YAML extension for VS Code, and it was immediately trying to send a message home.
this frustrates me so much! i have not touched vs code, which is otherwise a decent editor, for a while because of all these shenanigans with the extensions.
Can't recommend Little Snitch enough, been using it for 7-8 years now. Extremely useful to prevent any unencrypted connections on wifi you don't trust (which I also used to prevent unencrypted connections when I'm in countries with internet censorship) and for peace-of-mind that some random application won't try to exfil data.
Automatic switching between profiles based on connection type (wifi, different VPN servers, etc.) is cherry on the top.
Running LS is both amazing for what it does, and depressing for what you see.
As for the VSCode extension, do you have telemetry disabled in Code globally? The Red Hat extensions are supposed to respect that preference for any telemetry they send. If you're seeing otherwise, please file a bug if you can.
Yeah I did have it on before installing. I never inspected the actually message though, it could have been "just downloading schemas".
I already spent like like 5 hours discetting every message in Wireshark coming out of my computer a few months ago lmao. I setup TLS logging so I could look at encrypted traffic with SSLKEYLOGFILE.
I understand you dislike this. With the current auto-updating system we have in place this was the easiest solution, as the installer just installs one core component which fetches all others in the newest release.
With how fast we iterate, creating a new installer and signing it (Win) every time is just a big distraction at this point.
We hope to provide a full offline installer in the future, but even that one will fetch certain resources during install, as the current geoIP database and intelligence data.
Damn, looks like a nice free competitor to Glasswire which I'm currently using (which also has an extremely usable free option).
Like Glasswire though I'm guessing this doesn't alert on common traffic like DNS lookups via the host, which would still allow malicious software to get traffic in and out unseen.
The Portmaster actually handles DNS itself and will show you DNS queries in the UI. (Currently, only showing DNS queries that were _not_ served from cache.)
Also, Portmaster actually has it's own kernel module in Windows and sees more than Glasswire.
Portmaster sends queries over DNS-over-TLS to protect them and has (very) basic protection against data tunnels.
Yes, this is rather unfortunate. There are also some more "portmaster" things around, which were partly mentioned in an older HN thread.
We thought about a rebrand, but it's just way to expensive right now, as we are still bootstrapping.
I also don't think that there is an immediate issue, as both application domains and presence on operating systems don't interfere.
If you think otherwise, please share your thoughts!
Haha, yes indeed. That is the easiest part. The tail is unbelievably long though. Nothing I have to tell you. ;)
Well, in our case I think the security world does not have many words to start with. When we looked for a name, everything was already taken by a direct or indirect competitor. We then settled on an allegory (which we threw away later), which then brought us to the "port master", bringing together the meaning of a network port and a port/harbour from our allegory. I don't remember exactly if we somehow missed the BSD name clash or found it acceptable - I do think it's rather stupid to have that clash today. Well, decisions.
Als, BSD's "port master" is yet another meaning of "port".
Yes, if we ever go down that route, things will get interesting. But I don't see that our short/mid-term future, as the need for something like this is too low on that platform.
This looks interesting, though it's not entirely clear how it works. The docs go relatively in depth into the code structure, but it doesn't do much else.
Looks like they implemented their own windows kernel driver [1] [2] for intercepting packets. And since I see BOTH domain names and applications that won't trust custom SSL CA in their website, I guess they get the domain name from the ssl handshake packets (sni) [3] which is in plaintext
We have SNI inspection in progress (currently on hold), but not yet live.
Currently, we just match the IP address to all resolved IPs of all domains and pick the most recent one. (The Portmaster handles DNS via DNS-over-TLS.)
With TLS1.3, the SNI will be encrypted, so this information will be "gone" for us anyway.
I prefer this to SimpleWall, but it's kind-of heavy (both the UI and the service) resource-wise - so I don't run it always, just after big Windows Updates to make sure they don't add new "phone home" "functionality". OSS is also a super nice plus.
We are trying to improve on this. Would be great if you could create a Github issue so we can have a look. You can also easily do this from within the UI.
Another day, another name collision; portmaster is also the name of a FreeBSD ports management utility that's been pretty widely-used for well over a decade now
This kind of feels like the people that were saying the package ‘node’ already existed, and therefore should not be replaced, since there were many people using it to do their aux audio input or something.
If it’s actually widely used then I’d have heard of it by now. My suspicion is that it’s widely used in a specific circle.
And, since about the mid-90s or so, "portmaster" was also the name of a series of hardware "appliances" (as we'd probably call them today) that were very widely used in the early days of the Internet [0].
CTO of Safing here.
Yes, this is rather unfortunate. There are also some more "portmaster" things around, which were partly mentioned in an older HN thread.
We thought about a rebrand, but it's just way to expensive right now, as we are still bootstrapping.
I also don't think that there is an immediate issue, as both application domains and presence on operating systems don't interfere. If you think otherwise, please share your thoughts!
> Country does not match with the country prefix for your phone number
Fishy.
And if you check country prefix with the list of country prefixes anyway... Why do you even bother with country AND prefix?
> The Portmaster actually handles DNS itself and will show you DNS queries in the UI
Yikes.
What about the DNS resolvers configured in the system? Do you hijack/overwrite them? [0]
I use my own Unbound locally, how Portmaster would handle queries for NSs in the Unbound config which are unknown to the world - leak them?
How about QNAME minimization?
Where exactly Portmaster would send the DNS queries?
Actual kernel module on Windows so it really can do anything it wants and wouldn't be catched by the machine itself?
Yikes.
Overall, this is the product which could be useful for many users, but for me it's a hard no.
The "SPN" idea is interesting, but also raises the questions about who, where and how would control exit nodes.
> And if you check country prefix with the list of country prefixes anyway... Why do you even bother with country AND prefix?
For users subscribing to the SPN, we are required by law to pay taxes. In order to attribute an Internet user to a country you have to collect 2 of these 3 data points, and naturally they have to overlap.
- an IP address
- a country the user selects
- a phone prefix the user selects
Many tech companies collect all three, with the addition of collecting the full phone number instead of only the prefix.
We chose the approach we felt respected user privacy the most. We know the resulting UX with the phone prefix is uncommon, but thought it superior to storing your IP (which most companies do while hiding that fact away in the Terms of Service)
---
For the DNS implementation, we do have in depth docs talking about DNS integration. As a summary, local queries or not leaked. [0]
We are not too content with Cloudflare as the default. We opted for them since they were the fastest at a time when Portmaster itself had speed issues. A re-evaluate is probably due since a lot happened in the meantime. Thanks for this input, I took a note. Also, here is the context of that time if you are interested. [1]
---
And lastly, yes Portmaster deeply integrates into the OS via a kernel extension. Specifically, via the Windows Filtering Platform APIs [2] This means network packets can be intercepted. Just as browsers, who enforce DoH, manipulate network traffic, or VPN software.
I have difficulties seeing your concerns here. We document everything we do and that can be verified by inspecting the source code.
> We know the resulting UX with the phone prefix is uncommon
Sure it is. I've encountered this type of selection, but extremely rare.
Maybe add an (i) explaining why do you ask for the prefix? Could be a free bonus point for you for respecting the users privacy. Current link (i) just throws you to Wikipedia without explaining anything. This is pretty confusing.
> local queries or not leaked
For the well known zones (listed on that page) sure. I'm talking about any other named zone. Eg I would have a split-brain DNS with only a handful of A records on the public side, while a lot more on the internal side (accessible through VPN, for example). If I understand from your blog [0] you would intercept and reroute this query to the DNS servers configured in the Portmaster. Which not only would leak the internal names but explicitly break the resolving, because it would be performed from the public Internet.
Also reading further the only place where the /behaviour/ is somewhat explained is the end of DNS configuration article [1] It is not a good marker what I needed to deep-dive in the multiple docs and blog articles to find out how exactly you iteract with DNS.
And also knowing what you outright disabled 'dnscache' on Windows machines before... Means you have a pretty perverse understanding on how things can and should be done. And for me it would be another hard 'no' for using your product - you are thinking you know better than me or even guys from Redmond.
> I have difficulties seeing your concerns here
> Just as browsers
Excuse me? My browsers doesn't install WFP filters to 'manipulate traffic'. FF can query DoH, but does it by running a user-mode code in the browser process.
Okay, now I have a way formulate my concerns:
Not only you do the things you shouldn't do (eg dnscache disablement); you are omitting how exactly your 'Secure DNS' works in your documentation (no, blogs are not documentation); you purposely skew your wordings on things you shouldn't (WFP filters for browsers?!).
> Maybe add an (i) explaining why do you ask for the prefix?
True, could be a bonus. Took a note.
> And for me it would be another hard 'no' for using your product
Reading about your setup I do agree with you. One shoe must not fit all, totally fine with us. My goal was not to convince you, but to provide explainers and pointers to your input.
> Okay, now I have a way formulate my concerns:
> Not only you do the things you shouldn't do (eg dnscache disablement); you are omitting how exactly your 'Secure DNS' works in your documentation (no, blogs are not documentation); you purposely skew your wordings on things you shouldn't (WFP filters for browsers?!).
Now generally speaking, I acknowledge I responded with technical inaccuracies. The sentence with VPNs and browsers should have been left out.
I normally tend to BS check technical stuff with Daniel, but did not want to ping him in his vacation because of a HN response. However, I should have disclaimed I am not a Portmaster dev or networking expert. I come from a web development background.
> you are thinking you know better than me or even guys from Redmond.
I am certain I know less than you in this field. Thankfully Safing does not rely on my skills in that area.
I do however strongly push the docs, through which I want to bridge the gap between the high level claims on our website and the source code. If you are willing to contribute, I am happy to receive a write up of yours about the things you feel are missing. It can be technical and beyond my expertise, since I would discuss it with Daniel anyway and see how to best proceed.
> My goal was not to convince you, but to provide explainers and pointers to your input.
The thing is, I should be convinced by your documentation alone. My shoe is unique (as in 0.001% at best), but the questions are valid not only for my setup only. The typical situation would be some VPN provider installing a global route through the VPN service and configuring resolvers to internal company DNS servers (to be able to resolve internal names, duh). This is not /that/ unique situation in WFH world.
> but did not want to ping him in his vacation because of a HN response
Yep, you shouldn't!
> I come from a web development background.
Ah, that explains some things.
> Thankfully Safing does not rely on my skills in that area
Ahah, being humble and self-conscious. Gladly I already drank my coffee.
> If you are willing to contribute
Thanks, no, I have too many posts unread, too many comments not replied.
But overall:
You should have a clear and straight explanation on how P. uses DNS in [0] (right at the start, before anything else) and in [1].
Preferably in typical scenarios, eg:
1. I want to use only secure DNS of P.? A: Configure your OS' DNS resolvers to point to 127.0.0.1/::1; configure P. to use secure DNS providers (or leave the defaults enabled)
2. I want to use my own resolvers, how P. would work with them? A: P. would intercept non-secure DNS requests (plain udp/53) and perform the request itself and return the result back to the querier.
3. I use P. secure DNS, but my work resources (which I access with VPN) isn't working! A: Make following configuration changes in P. config to route queries for you work: ...bla.bla.bla.
For anyone else (who doesn't need typical scenarios, like me?) I need to understand how exactly you provide a secure DNS without changing my configuration. Because now it is looks like this is exactly what happens - no changes, system configured with external plain UDP/53 resolvers... and P. magikally makes them secure.
I was pleasantly surprised that this is a Windows first application! I was scrolling through the page thinking "yet another lovely UI for a good problem to solve but surely this will be OSX" and then bam, Windows and Linux now, Mac coming later.
Ever since moving away from Mac about 8 years ago I've missed Little Snitch. I'll give this a try I think.
Pity about the name, those of us who were around when the internet took off out of it's original walled garden will likely remember a "portmaster" as one of the first affordable SLIP routers for those trying to create what were later called "ISPs"
Asking here as it is tangentially related, but is anyone aware of a way to route traffic on a specific port through a VPN while leaving other ports open? I have spent days looking for a solution to this and haven’t found any concrete answers. Hardware, software, anything.
Yes, that is possible but generally not natively in most applications and end-user operating systems.
Without native support, traffic control like that requires something like pf or iptables to managed the traffic you want to treat differently. This means something like an outbound firewall that does a different NAT or different route or different redirect (generally packet rewriting). If you want to scope it to more than just a port or IP (or a range of them) and be specific to an application, you'd be needing some type of socket filter which works at the socket level in the OS. Applications generally use sockets to interface with the network, and those sockets are provided by the OS and thus it can control the aspects of those.
Without those, you can also have a dedicated interface for the 'special' traffic.
Some applications allow you to specify an outgoing interface, for those you can have them use a specific interface and have a firewall rule that redirects that port. Others don't, and you'd have to encapsulate them in a namespace (i.e. a docker container) or VM which then 'creates' that dedicated interface your application would have to use. Then you can pipe that interface through your packet filter of choice and achieve the same thing.
Alternatively you can pipe all of the traffic of such a 'packaged' setup through your VPN. Since you'll only be running your application inside that configuration only it would be affected.
Today, when I find myself in a scenario where I need some of this, I either have created a situation that is problematic to begin with (i.e. trying something silly that shouldn't be done in the first place) or I'm trying to simulate something like a L2 protocol over an L3 VPN for remote debugging. I've found that everything in the first category generally is a waste of time to work with anyway.
Yes, you can install OpenWRT or OpnSense on a Raspberry Pi. If you don't want to replace your current OS on the Pi, you'll have to manually work with iptables (if you use linux) or pf (if you use BSD).
The lines between the boxes would represent network connections, i.e. ethernet connections. WiFi would work the same way.
(slight repetition:) the reason you'd use a firewall external to your PC is that it makes it impossible for any application to 'bypass' it since it doesn't actually know it is there. There are of course no guarantees as no software is perfect and firewalls are software too. But it's a whole lot closer to actually doing what you want it to than some random desktop application.
Technically you could also add a second interface on your computer and give it the option to completely bypass the firewall but that only helps if you can restrict your application of choice to only go out the firewalled interface.
In the new example, the Firewall has two network interfaces, but technically it can be done with only 1 interface if you have a network switch with VLAN support. For a Raspberry Pi you'd need a USB-Ethernet adapter for that second interface.
I did something similar with docker. I ran both OpenVPN client and SSH client inside a docker, so only the SSH client would be affected by the OpenVPN controlling the container network. And by telling the SSH client to port forward, and by exposing the same port forward from the docker to the local computer, I could use it to travel through the VPN while all other ports on the local computer were unaffected.
According to your README you require NET_ADMIN permissions and you are mapping the host /dev/net/tun into the container. Doesn’t this mean you are affecting the host network as well? Sorry not super familiar with Docker’s security model
Seeing it I remember a firewall management gui that was one of the first easy and simple “firestarter”, sadly it was discontinued time ago, before Ubuntu release their “ufw”, which was very similar.
Seems promising this tool.
Thank you so much for both being open about your monetization strategy (which seems reasonable to me) and having a well written, easily found privacy policy!
It's too bad that Black Ice firewall doesn't work on modern windows OS. It was lightyears ahead of Portmaster's design and functionality even back in the late 90s (at least until IBM bought and ruined it). It seems like it's impossible for software to be self contained these days.
right, I used to have a firewall that could whitelist apps in the 90s on Windows (can't remember the name)... iptables can't even do that as far as I know... but there is https://github.com/evilsocket/opensnitch that I still need to try (I no longer use Windows).
We have not investigated too much into this topic - but from what we know it would probably be easier to implement a bandwidth cap than monitoring the bandwidth.
And from a priority perspective it is likely to take a while until we get to these topics, our focus lays elsewhere at the moment.
It is a common "failure mode" of Electron apps, I can't use VSCode on my secondary monitor (FullHD) because everything works fine except it. I think it ignores subpixel rendering from the system.
You can try to catch the screenshots at some extra large resolution and properly downscale them with maybe a little sharpening.
Looks great. One issue to note is that it's not supported in MacOS. I wonder if this is due to the MacOS API sandboxing changes that occurred recently?
Correct. We were already investigating how to do it when Apple announced that they will ditch their kernel extensions. We then put it on hold to wait for the changes. Been on hold since, because of resource focus to get it out already. ;)
Anything beyond the scope of the next few weeks or max 1-2 months is hard to predict. Things change fast and suddenly priorities have to shift because of XYZ.
That is why we only communicate what we are working on at the moment. Thanks for checking in on the roadmap, it will be the place we will say when we start macOS.
For now I can tell you macOS is unlikely to be worked on in Q1 2022, as our resources are focused elsewhere. Beyond that, we honestly do not know.
fyi, in case you are not already, you can subscribe to the rss feed or the newsletter - which is a short version of the progress updates - to reduce friction of staying in the loop.
Unfortunately that would not make sense, as the Portmaster needs to access many OS interfaces in order to integrate correctly. Dockers job is pretty much to remove access to these.
However, the systemd service actually uses restrictions as far as possible.
This entire thing seems incredibly polished, I'm surprised I haven't heard of this before. For every question and potential limitation for my use cases there seems to be an explanation on their FAQ. I'm definitely going to take this for a spin! Too bad there's no AUR package ready to go yet because I don't really want the burden of updating manually, but all in good time I suppose.