[HN Gopher] Portmaster - Open-source network monitor and firewall
___________________________________________________________________
Portmaster - Open-source network monitor and firewall

Author : bratao
Score  : 103 points
Date   : 2022-01-01 19:53 UTC (3 hours ago)

web link (safing.io)

| symlinkk wrote:
| Asking here as it is tangentially related, but is anyone aware of
| a way to route traffic on a specific port through a VPN while
| leaving other ports open? I have spent days looking for a
| solution to this and haven't found any concrete answers.
| Hardware, software, anything.

  | klysm wrote:
  | Are you trying to forward traffic received on that port over a
  | VPN?

    | symlinkk wrote:
    | I believe so. I want traffic from one application to go over
    | a VPN and other traffic to go over the public internet.

  | yonixw wrote:
  | I did something similar with docker. I ran both OpenVPN client
  | and SSH client inside a docker, so only the SSH client would be
  | affected by the OpenVPN controlling the container network. And
  | by telling the SSH client to port forward, and by exposing the
  | same port forward from the docker to the local computer, I
  | could use it to travel through the VPN while all other ports on
  | the local computer were unaffected.
  |
  | Here is my code for reference: https://github.com/yonixw/ssh-vpn-docker

    | symlinkk wrote:
    | According to your README you require NET_ADMIN permissions
    | and you are mapping the host /dev/net/tun into the container.
    | Doesn't this mean you are affecting the host network as well?
    | Sorry, not super familiar with Docker's security model.

      | yonixw wrote:
      | It doesn't.. tested on Windows (WSL) and MacOS.

  | oneplane wrote:
  | Yes, that is possible but generally not natively in most
  | applications and end-user operating systems.
  |
  | Without native support, traffic control like that requires
  | something like pf or iptables to manage the traffic you want
  | to treat differently.
  | This means something like an outbound
  | firewall that does a different NAT or different route or
  | different redirect (generally packet rewriting). If you want to
  | scope it to more than just a port or IP (or a range of them)
  | and be specific to an application, you'd be needing some type
  | of socket filter which works at the socket level in the OS.
  | Applications generally use sockets to interface with the
  | network, and those sockets are provided by the OS and thus it
  | can control the aspects of those.
  |
  | Without those, you can also have a dedicated interface for the
  | 'special' traffic. Some applications allow you to specify an
  | outgoing interface, for those you can have them use a specific
  | interface and have a firewall rule that redirects that port.
  | Others don't, and you'd have to encapsulate them in a namespace
  | (i.e. a docker container) or VM which then 'creates' that
  | dedicated interface your application would have to use. Then
  | you can pipe that interface through your packet filter of
  | choice and achieve the same thing.
  |
  | Alternatively you can pipe all of the traffic of such a
  | 'packaged' setup through your VPN. Since you'll only be running
  | your application inside that configuration only it would be
  | affected.
  |
  | Today, when I find myself in a scenario where I need some of
  | this, I either have created a situation that is problematic to
  | begin with (i.e. trying something silly that shouldn't be done
  | in the first place) or I'm trying to simulate something like a
  | L2 protocol over an L3 VPN for remote debugging. I've found
  | that everything in the first category generally is a waste of
  | time to work with anyway.

    | symlinkk wrote:
    | For your first suggestion, the outbound firewall, is there an
    | easy way of doing this on a Raspberry Pi?

| marcodiego wrote:
| AGPL, multi-platform, beautiful UI, non-trivial network monitor
| and firewall... haven't used it but congrats!
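The following is an added example, not code from the thread, from yonixw's repository or from Portmaster. It implements oneplane's first suggestion (an outbound firewall that gives selected traffic a different route), which symlinkk then asks about for a Raspberry Pi: on Linux, iptables marks the packets of one destination port, or of everything one Unix user runs, and a policy-routing rule sends marked packets through the VPN tunnel while the rest of the host keeps its normal default route. The interface name tun0, routing table 100 and mark 0x1 are assumptions; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread or from Portmaster): route one destination
# port, or one user's processes, through a VPN tunnel with fwmark-based policy
# routing on Linux, e.g. a Raspberry Pi. Everything else keeps the normal route.
# Assumed names: tunnel interface tun0, routing table 100, packet mark 0x1.
VPN_IF="${VPN_IF:-tun0}"
TABLE="${TABLE:-100}"
MARK="${MARK:-0x1}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = execute them (root)

# Print or execute a command, so the rule set can be reviewed before it touches
# a live system.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# A second routing table whose only route is the tunnel, consulted for packets
# carrying the mark. The reverse-path filter on the tunnel is set to "loose"
# because the kernel first picked the LAN route for these packets and only
# re-routed them after the mark was applied.
vpn_route_table() {
  run ip route replace default dev "$VPN_IF" table "$TABLE"
  run ip rule add fwmark "$MARK" table "$TABLE" priority 1000
  run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
  run ip route flush cache
}

# Mark outbound packets for one destination port (protocol defaults to tcp).
mark_port() {
  port="$1"
  proto="${2:-tcp}"
  run iptables -t mangle -A OUTPUT -p "$proto" --dport "$port" -j MARK --set-mark "$MARK"
}

# Mark everything sent by one local user. This is the socket-level scoping the
# comment above describes: the kernel knows which uid owns the socket, so an
# application that cannot bind to an interface itself can still be singled out
# by running it as a dedicated user.
mark_uid() {
  run iptables -t mangle -A OUTPUT -m owner --uid-owner "$1" -j MARK --set-mark "$MARK"
}

# Locally generated packets get the LAN source address before the mark moves
# them to the tunnel, so the source must be rewritten to the tunnel address.
vpn_nat() {
  run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# Leak guard: if the tunnel is down, marked packets must not fall back to the
# public interface. Rejecting them beats silently sending them in the clear.
vpn_kill_switch() {
  run iptables -A OUTPUT -m mark --mark "$MARK" ! -o "$VPN_IF" -j REJECT
}

# Full rule set for one port: table, mark, NAT, leak guard.
configure_port_route() {
  vpn_route_table
  mark_port "$1" "${2:-tcp}"
  vpn_nat
  vpn_kill_switch
}

# Usage:  sh route-port-via-vpn.sh 6881            (print the rules)
#         DRY_RUN=0 sh route-port-via-vpn.sh 6881  (apply them, as root)
#         sh route-port-via-vpn.sh 51820 udp       (a UDP port instead)
if [ $# -gt 0 ]; then
  configure_port_route "$@"
fi
```

Two points a practitioner would check before relying on this: the MASQUERADE rule is not optional, because without it the re-routed packets leave tun0 with the LAN source address and replies never come back; and the rules are not persistent across reboots, so they need to be re-applied from whatever mechanism the distribution uses for that. The `mark_uid` function is the per-application variant: run the application under its own uid and mark that uid instead of a port.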
  | freddyym wrote:
  | They're also very transparent [0] which is awesome. I know the
  | developers, who are great as well.
  |
  | [0] https://safing.io/ownership/

| gigel82 wrote:
| I prefer this to SimpleWall, but it's kind-of heavy (both the UI
| and the service) resource-wise - so I don't run it always, just
| after big Windows Updates to make sure they don't add new "phone
| home" "functionality". OSS is also a super nice plus.

| johnchristopher wrote:
| OT: text on the screenshots is blurry and it's a pain to read :/.

| superkuh wrote:
| It's too bad that Black Ice firewall doesn't work on modern
| windows OS. It was lightyears ahead of Portmaster's design and
| functionality even back in the late 90s (at least until IBM
| bought and ruined it). It seems like it's impossible for software
| to be self contained these days.

| mkdirp wrote:
| This looks interesting, though it's not entirely clear how it
| works. The docs go relatively in depth into the code structure,
| but it doesn't do much else.

  | yonixw wrote:
  | Looks like they implemented their own windows kernel driver [1]
  | [2] for intercepting packets. And since I see BOTH domain names
  | and applications that won't trust custom SSL CA in their
  | website, I guess they get the domain name from the ssl
  | handshake packets (sni) [3] which is in plaintext
  |
  | [1] https://github.com/safing/portmaster/blob/22507e879be95c7b0f...
  |
  | [2] https://github.com/safing/portmaster-windows-kext
  |
  | [3] https://en.wikipedia.org/wiki/Server_Name_Indication

    | cmeacham98 wrote:
    | They could also just do a reverse DNS lookup on the IP (and
    | then forward lookup to confirm it).
    |
    | This would be less effective for sites run through CDNs (ex
    | Cloudflare) though.

| Lammy wrote:

| bediger4000 wrote:

| throwoutway wrote:
| > I wish titles would indicate "for Windows" or something like
| that. Useless article for non-windows-users.
|
| It also works with Ubuntu and Fedora, so not sure where you got
| the windows-only impression

| Taniwha wrote:
| Pity about the name, those of us who were around when the
| internet took off out of its original walled garden will likely
| remember a "portmaster" as one of the first affordable SLIP
| routers for those trying to create what were later called "ISPs"

| throwoutway wrote:
| Looks great. One issue to note is that it's not supported in
| MacOS. I wonder if this is due to the MacOS API sandboxing
| changes that occurred recently?

  | cmeacham98 wrote:
  | I suspect they just haven't gotten to it yet - the FAQ says Mac
  | and mobile support is planned.

  | NmAmDa wrote:
  | Little Snitch does it on MacOS but probably it takes a lot of
  | effort.

| boomer918 wrote:
| Curious if this can help with hardware backdoors. This probably
| uses OS APIs which a sophisticated spyware would maybe work
| around?

| jeroenhd wrote:
| A firewall with a configuration interface running on Electron,
| just like the horrid free AV solutions for Windows back in the
| day :) Can't be too critical of that because the developers have
| already expressed their dislike of Electron on the website, and
| it makes sense that they won't drop everything for a huge UI
| rewrite.
|
| This entire thing seems incredibly polished, I'm surprised I
| haven't heard of this before. For every question and potential
| limitation for my use cases there seems to be an explanation on
| their FAQ. I'm definitely going to take this for a spin! Too bad
| there's no AUR package ready to go yet because I don't really
| want the burden of updating manually, but all in good time I
| suppose.
  | Rebelgecko wrote:
  | A surprisingly large amount of AV software is actually built on
  | Sciter

  | davidovitch wrote:
  | No AUR package yet it seems, but a PKGBUILD is already provided
  | so I would assume it is not too much of a hassle to take it for
  | a spin: https://docs.safing.io/portmaster/install/linux#arch-linux

| munro wrote:
| Ooooo nice, I've been using Little Snitch for MacOS lately--it's
| been shocking how many things phone home, especially development
| tools. I installed Redhat's YAML extension for VS Code, and it
| was immediately trying to send a message home.

  | 41b696ef1113 wrote:
  | On this topic, is there a way to disable network access per VS
  | Code extension? The vast majority have no business accessing
  | the internet.

| pmontra wrote:
| iftop is a Linux command line tool to list network connections.
|
| https://www.tecmint.com/iftop-linux-network-bandwidth-monito...
|
| Of course it has no firewall.

| nmstoker wrote:
| Also there's OpenSnitch for Linux, available here:
|
| https://github.com/evilsocket/opensnitch
|
| I don't use it all the time but it is occasionally useful (or
| just satisfies my curiosity about what's phoning home)

| GSGBen wrote:
| Damn, looks like a nice free competitor to Glasswire which I'm
| currently using (which also has an extremely usable free option).
|
| Like Glasswire though I'm guessing this doesn't alert on common
| traffic like DNS lookups via the host, which would still allow
| malicious software to get traffic in and out unseen.
___________________________________________________________________
(page generated 2022-01-01 23:00 UTC)
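GSGBen's closing point, that a per-application monitor may never see name lookups the system resolver performs on an application's behalf, is the kind of gap a host-level DNS egress policy closes. The script below is an added example, not code from the thread, from Portmaster or from Glasswire: it lets port 53 traffic reach only the resolvers you chose, logs and rejects everything else (the kernel LOG target records the sending UID for locally generated packets, so the log names the process owner), and summarises the denied lookups from a constructed sample of kernel log lines. The resolver addresses 192.0.2.53 and 192.0.2.54 and the sample log are placeholders, not real data.

```shell
#!/bin/sh
# Added example (not from the thread, Portmaster or Glasswire): a DNS egress
# policy for a Linux host. Only the configured resolvers may be queried; any
# other destination on port 53 is logged (with the local UID) and rejected.
# The resolver addresses are placeholders from the documentation range.
RESOLVERS="${RESOLVERS:-192.0.2.53 192.0.2.54}"
LOG_PREFIX="DNS-EGRESS-DENY:"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = execute them (root)

# Print or execute a command, so the rule set can be reviewed first.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Accept DNS over UDP and TCP only towards the approved resolvers.
dns_allow_resolvers() {
  for r in $RESOLVERS; do
    for proto in udp tcp; do
      run iptables -A OUTPUT -p "$proto" --dport 53 -d "$r" -j ACCEPT
    done
  done
}

# Everything else on port 53: log a rate-limited sample, then reject, so a
# process talking DNS to an arbitrary host is both blocked and visible.
dns_log_and_reject_others() {
  for proto in udp tcp; do
    run iptables -A OUTPUT -p "$proto" --dport 53 -m limit --limit 10/min -j LOG --log-prefix "$LOG_PREFIX"
    run iptables -A OUTPUT -p "$proto" --dport 53 -j REJECT
  done
}

dns_egress_policy() {
  dns_allow_resolvers
  dns_log_and_reject_others
}

# Summarise denied lookups read from stdin (e.g. dmesg output): count per
# destination and sending UID, most frequent first.
dns_deny_summary() {
  grep "$LOG_PREFIX" | awk '{
    dst = ""; uid = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^DST=/) dst = substr($i, 5)
      if ($i ~ /^UID=/) uid = substr($i, 5)
    }
    if (dst != "") count[dst " uid=" uid]++
  } END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample of what dmesg would show for the LOG rule above; not real
# log data. The third line is unrelated noise the summary must ignore.
SAMPLE_LOG='[ 8812.101] DNS-EGRESS-DENY:IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40001 DPT=53 LEN=40 UID=1000 GID=1000
[ 8812.204] DNS-EGRESS-DENY:IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40002 DPT=53 LEN=40 UID=1000 GID=1000
[ 8813.330] eth0: link is up
[ 8814.010] DNS-EGRESS-DENY:IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=53 LEN=40 UID=33 GID=33'

# Usage:  sh dns-egress.sh rules      (print the iptables rules)
#         sh dns-egress.sh summary    (summarise the constructed sample log)
#         dmesg | sh dns-egress.sh summary -   (summarise a real kernel log)
case "${1:-}" in
  rules)   dns_egress_policy ;;
  summary) if [ "${2:-}" = "-" ]; then dns_deny_summary; else printf '%s\n' "$SAMPLE_LOG" | dns_deny_summary; fi ;;
esac
```

The ordering matters: the ACCEPT rules for the approved resolvers must precede the LOG and REJECT rules, which `dns_egress_policy` guarantees. The summary shows the same thing a monitor such as Portmaster cannot attribute when the resolver does the lookup: with this policy the UID of whatever opened the socket is in the kernel log, so a lookup sent by a service account to an unexpected host stands out even though no application-level hook saw it.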