[HN Gopher] Portmaster - Open-source network monitor and firewall
___________________________________________________________________
Portmaster - Open-source network monitor and firewall
Author : bratao
Score : 103 points
Date : 2022-01-01 19:53 UTC (3 hours ago)
(HTM) web link (safing.io)
(TXT) w3m dump (safing.io)
| symlinkk wrote:
| Asking here as it is tangentially related, but is anyone aware of
| a way to route traffic on a specific port through a VPN while
| leaving other ports open? I have spent days looking for a
| solution to this and haven't found any concrete answers.
| Hardware, software, anything.
| klysm wrote:
| Are you trying to forward traffic received on that port over a
| VPN?
| symlinkk wrote:
| I believe so. I want traffic from one application to go over
| a VPN and other traffic to go over the public internet.
| yonixw wrote:
| I did something similar with docker. I ran both OpenVPN client
| and SSH client inside a docker, so only the SSH client would be
| affected by the OpenVPN controlling the container network. And
| by telling the SSH client to port forward, and by exposing the
| same port forward from the docker to the local computer, I
| could use it to travel through the VPN while all other ports on
| the local computer were unaffected.
|
| Here is my code for reference: https://github.com/yonixw/ssh-vpn-docker
| symlinkk wrote:
| According to your README you require NET_ADMIN permissions
| and you are mapping the host /dev/net/tun into the container.
| Doesn't this mean you are affecting the host network as well?
| Sorry not super familiar with Docker's security model
| yonixw wrote:
| It doesn't. Tested on Windows (WSL) and macOS.
| oneplane wrote:
| Yes, that is possible but generally not natively in most
| applications and end-user operating systems.
|
| Without native support, traffic control like that requires
| something like pf or iptables to manage the traffic you want
| to treat differently. This means something like an outbound
| firewall that does a different NAT or different route or
| different redirect (generally packet rewriting). If you want to
| scope it to more than just a port or IP (or a range of them)
| and be specific to an application, you'd be needing some type
| of socket filter which works at the socket level in the OS.
| Applications generally use sockets to interface with the
| network, and those sockets are provided by the OS and thus it
| can control the aspects of those.
|
| Without those, you can also have a dedicated interface for the
| 'special' traffic. Some applications allow you to specify an
| outgoing interface, for those you can have them use a specific
| interface and have a firewall rule that redirects that port.
| Others don't, and you'd have to encapsulate them in a namespace
| (i.e. a docker container) or VM which then 'creates' that
| dedicated interface your application would have to use. Then
| you can pipe that interface through your packet filter of
| choice and achieve the same thing.
|
| Alternatively you can pipe all of the traffic of such a
| 'packaged' setup through your VPN. Since you'll only be running
| your application inside that configuration only it would be
| affected.
|
| Today, when I find myself in a scenario where I need some of
| this, I either have created a situation that is problematic to
| begin with (i.e. trying something silly that shouldn't be done
| in the first place) or I'm trying to simulate something like a
| L2 protocol over an L3 VPN for remote debugging. I've found
| that everything in the first category generally is a waste of
| time to work with anyway.
| symlinkk wrote:
| For your first suggestion, the outbound firewall, is there an
| easy way of doing this on a Raspberry Pi?
| marcodiego wrote:
| AGPL, multi-platform, beautiful UI, non-trivial network monitor
| and firewall... haven't used it but congrats!
| freddyym wrote:
| They're also very transparent [0] which is awesome. I know the
| developers, who are great as well.
|
| [0] https://safing.io/ownership/
| gigel82 wrote:
| I prefer this to SimpleWall, but it's kind of heavy (both the UI
| and the service) resource-wise - so I don't run it always, just
| after big Windows Updates to make sure they don't add new "phone
| home" "functionality". OSS is also a super nice plus.
| johnchristopher wrote:
| OT: text on the screenshots is blurry and it's a pain to read :/.
| superkuh wrote:
| It's too bad that Black Ice firewall doesn't work on modern
| Windows OS. It was light-years ahead of Portmaster's design and
| functionality even back in the late 90s (at least until IBM
| bought and ruined it). It seems like it's impossible for software
| to be self-contained these days.
| mkdirp wrote:
| This looks interesting, though it's not entirely clear how it
| works. The docs go relatively in depth into the code structure,
| but it doesn't do much else.
| yonixw wrote:
| Looks like they implemented their own Windows kernel driver [1]
| [2] for intercepting packets. And since I see BOTH domain names
| and applications that won't trust a custom SSL CA on their
| website, I guess they get the domain name from the SSL
| handshake packets (SNI) [3], which is in plaintext.
|
| [1] https://github.com/safing/portmaster/blob/22507e879be95c7b0f...
|
| [2] https://github.com/safing/portmaster-windows-kext
|
| [3] https://en.wikipedia.org/wiki/Server_Name_Indication
| cmeacham98 wrote:
| They could also just do a reverse DNS lookup on the IP (and
| then forward lookup to confirm it).
|
| This would be less effective for sites run through CDNs (ex
| Cloudflare) though.
| Lammy wrote:
| bediger4000 wrote:
| throwoutway wrote:
| > I wish titles would indicate "for Windows" or something like
| that. Useless article for non-windows-users.
|
| It also works with Ubuntu and Fedora, so not sure where you got
| the Windows-only impression.
| Taniwha wrote:
| Pity about the name, those of us who were around when the
| internet took off out of its original walled garden will likely
| remember a "portmaster" as one of the first affordable SLIP
| routers for those trying to create what were later called "ISPs".
| throwoutway wrote:
| Looks great. One issue to note is that it's not supported on
| macOS. I wonder if this is due to the macOS API sandboxing
| changes that occurred recently?
| cmeacham98 wrote:
| I suspect they just haven't gotten to it yet - the FAQ says Mac
| and mobile support is planned.
| NmAmDa wrote:
| Little Snitch does it on macOS, but it probably takes a lot of
| effort.
| boomer918 wrote:
| Curious if this can help with hardware backdoors. This probably
| uses OS APIs which a sophisticated spyware would maybe work
| around?
| jeroenhd wrote:
| A firewall with a configuration interface running on Electron,
| just like the horrid free AV solutions for Windows back in the
| day :) Can't be too critical of that because the developers have
| already expressed their dislike of Electron on the website, and
| it makes sense that they won't drop everything for a huge UI
| rewrite.
|
| This entire thing seems incredibly polished; I'm surprised I
| haven't heard of this before. For every question and potential
| limitation for my use cases there seems to be an explanation on
| their FAQ. I'm definitely going to take this for a spin! Too bad
| there's no AUR package ready to go yet because I don't really
| want the burden of updating manually, but all in good time I
| suppose.
| Rebelgecko wrote:
| A surprisingly large amount of AV software is actually built on
| Sciter.
| davidovitch wrote:
| No AUR package yet it seems, but a PKGBUILD is already provided,
| so I would assume it is not too much of a hassle to take it for a
| spin: https://docs.safing.io/portmaster/install/linux#arch-linux
| munro wrote:
| Ooooo nice, I've been using Little Snitch for macOS lately--it's
| been shocking how many things phone home, especially development
| tools. I installed Redhat's YAML extension for VS Code, and it
| was immediately trying to send a message home.
| 41b696ef1113 wrote:
| On this topic, is there a way to disable network access per VS
| Code extension? The vast majority have no business accessing
| the internet.
| pmontra wrote:
| iftop is a Linux command line tool to list network connections.
|
| https://www.tecmint.com/iftop-linux-network-bandwidth-monito...
|
| Of course it has no firewall.
| nmstoker wrote:
| Also there's OpenSnitch for Linux, available here:
|
| https://github.com/evilsocket/opensnitch
|
| I don't use it all the time but it is occasionally useful (or
| just satisfies my curiosity about what's phoning home).
| GSGBen wrote:
| Damn, looks like a nice free competitor to Glasswire which I'm
| currently using (which also has an extremely usable free option).
|
| Like Glasswire though I'm guessing this doesn't alert on common
| traffic like DNS lookups via the host, which would still allow
| malicious software to get traffic in and out unseen.
___________________________________________________________________
(page generated 2022-01-01 23:00 UTC)