[HN Gopher] Portmaster 1.0 - Open-Source Network Monitor and Pri...
___________________________________________________________________
Portmaster 1.0 - Open-Source Network Monitor and Privacy Firewall
Author : dhaavi
Score : 214 points
Date : 2022-11-05 13:56 UTC (9 hours ago)
| devnine wrote:
| need a Mac version
| dhaavi wrote:
| CTO and Co-Founder of Safing here. We're super excited to
| introduce version 1.0 of our network monitor and privacy firewall
| - Portmaster! On 1.1. this year, Portmaster was shared on HN and
| we hit front page [1]. With the help of our testers - many of
| you! - we were able to mature and develop Portmaster to hit this
| milestone.
|
| We're on a mission to bring privacy back to the masses. Privacy
| has to be easy & accessible for everyone, while hackers and
| tinkerers should have the tools to customize everything to their
| needs. So while Portmaster 1.0 is a big milestone, this is just
| the start!
|
| [1]: https://news.ycombinator.com/item?id=29761978
| [2]: https://star-history.com/#safing/portmaster&Date
| csdvrx wrote:
| Congrats!
|
| Just one question: In the past, Portmaster had problems with
| WSL2.
|
| I documented the issue and the solution:
| https://www.reddit.com/r/safing/comments/ryioj7/portmaster_b...
|
| Is it fixed now?
| dhaavi wrote:
| We still don't have first-class support for VMs, but it will
| come.
| csdvrx wrote:
| Did you read the link?
|
| Just add a PowerShell script at install time to exempt the
| virtual network interfaces from Windows Firewall if WSL is
| detected and the user agrees! It's super simple and easy.
| OrvalWintermute wrote:
| Looks intriguing. A few questions:
|
| (1) Are you planning on having support for more than 5 devices
| at a future point?
|
| (2) Will you have any features to support parents' protection of
| their children?
|
| (3) How easy is it to integrate Safing into a home security
| stack, or an enterprise security stack?
|
| (4) Have you considered a one-time unlimited buy-in level in
| lieu of monthly?
|
| (5) Is this coming for iOS & MacOS?
|
| Thanks for pushing the privacy front.
| dhaavi wrote:
| Thanks for your interest.
|
| (1) Are you planning on having support for more than 5
| devices at a future point?
|
| 5 devices is what we estimate 1 user has (avg max). If there
| is demand, we will definitely add a plan to support more
| devices (or users).
|
| (2) Will you have any features to support parents' protection
| of their children?
|
| We already collect NSFW filter lists to be activated in the
| settings. Otherwise such features are tricky, as we need to
| start protecting against the person in front of the device,
| which is very hard. If you have suggestions, please share!
|
| (3) How easy is it to integrate Safing into a home security
| stack, or an enterprise security stack?
|
| Can you elaborate on what exactly you have in mind? We don't
| offer any integrations with other systems out of the box yet.
| We have APIs though that you can use.
|
| (4) Have you considered a one-time unlimited buy-in level in
| lieu of monthly?
|
| We had a couple lifetime plans on our Kickstarter (years
| ago). Right now, we don't have any plans for this. You can
| pay in advance though - up to 4 years.
|
| (5) Is this coming for iOS & MacOS?
|
| Yes. Or, at least we will attempt. Going to be "fun" if Apple
| continues their locking down strategy. Maybe the EU will
| force them to open up until then. Expect at least 1-2 years
| for this to land though.
| mdip wrote:
| Rather insightful on (2) with regard to:
| > ... we need to start protecting against the person in
| front of the device
|
| My first thought was, "Oh, God, please don't". I'm a
| parent, if I put that software on the computer it comes
| with rules not to touch it; if it's touched, they know I'll
| probably find out, ban them from it for a bit and return it
| to them locked down in a manner that when I return it to
| its original state, they won't touch it again. :o).
|
| But then I thought of the other common reason this kind of
| capability is added to software -- are you preparing for
| the eventual future where you will _have_ to do this, not
| to protect from a child removing the software, but to
| protect from another app surreptitiously removing
| Portmaster in order to bypass its protections?
| dhaavi wrote:
| Yes. Good points.
|
| Well, the first thing we might do is just an "Only an
| Administrator can make changes." setting where only admin
| accounts are allowed to change settings. This one makes
| sense. Everything beyond that gets complicated and easy to
| circumvent fast.
|
| (I also think the original question was more about
| blocking features and the likes.)
|
| Protecting against other software is related, but also
| different. We have some decent protection here, albeit
| not against simply shutting Portmaster down.
| slurpmaker wrote:
| Looks like a nice project! What library are you using for a
| front end here?
| runlevel1 wrote:
| Congrats on releasing 1.0! It looks very cool. A few questions
| about Portmaster Unlimited and SPN:
|
| 1. Does Safing own and operate all the exit nodes or can folks
| add their own nodes to it?
|
| 2. Are you self-hosting the exit nodes? If not, I'm curious
| what cloud providers you use.
|
| 3. Have you found egressing through a bunch of different
| geolocated IPs for the same request triggers DDoS/anti-scraping
| systems (like Cloudflare) more than usual?
| dhaavi wrote:
| Thanks!
|
| 1. Does Safing own and operate all the exit nodes or can
| folks add their own nodes to it?
|
| Everyone can join. We also plan to compensate in some way in
| the future. Docs: https://docs.safing.io/spn/hosting-a-community-node
|
| 2. Are you self-hosting the exit nodes? If not, I'm curious
| what cloud providers you use.
|
| We rent servers. If you have the SPN, you can click on every
| server on the map and check where it is hosted. Currently
| mainly Hetzner, OVH, Katamera, HostHatch. We regularly try
| new providers, rent a couple servers and see how it goes.
|
| 3. Have you found egressing through a bunch of different
| geolocated IPs for the same request triggers DDoS/anti-scraping
| systems (like Cloudflare) more than usual?
|
| The client "pins" destination domains/IPs to an exit for an
| hour (scoped per app) in order to get more stability here. We
| had issues in the past.
| toomanyusers wrote:
| I'd really like to see more technical discussion of Safing's SPN
| idea and implementation (https://safing.io/spn/). If I've
| understood it correctly, it seems to be in-line with the general
| trajectory of where Cloudflare is going with DNS privacy and
| Apple is going with its relay service.
|
| It seems obvious that VPN services should be split into Relay and
| Exit services so that you don't have to necessarily trust a
| single company not to collect and sell all your internet traffic.
| dhaavi wrote:
| The SPN (Safing Privacy Network) aims to fill the area between
| VPNs and Tor. VPNs provide very little real privacy and Tor is
| (outside Tor Browser) very difficult to setup and configure.
|
| Yes, you are correct, there are similarities there. Except of
| course that SPN is open source.
|
| We do have a white paper:
| https://safing.io/files/whitepaper/Gate17.pdf
|
| And YES! I'd love to see more technical discussion of the SPN
| too. So many things to unpack, to learn and improve.
| g_p wrote:
| From a DNS privacy perspective, ODOH (Oblivious DNS over HTTPS)
| seems to achieve this at protocol level, with interoperability
| between providers. While there are tunnelled VPN (separate
| entry and exit), they always seem to be with the same provider.
| The iCloud private relay design appears to avoid this.
|
| It would be interesting to see where SPN goes, and more on how
| it works, as you say.
| wmf wrote:
| It doesn't even define the acronym!
| dhaavi wrote:
| Sorry about that. It's "Safing Privacy Network".
| stusmall wrote:
| I evaluated this a few months ago and absolutely loved it. It was
| more polished and easier to use than I expected. Since the
| website made a big deal about it being alpha I went in expecting
| a little pain.
|
| The only major problem I hit was that every time a snap would
| update it would appear as a new application and I had to reapply
| the rules. At the time there was a proposal for a change to fix
| this but it hadn't been implemented yet. I think once that lands,
| if it hasn't already, I'll be a loyal daily user.
|
| EDIT: Adding GitHub issue link
| https://github.com/safing/portmaster/issues/398
| dhaavi wrote:
| We have recently added a system to support these use cases. I
| will see if we can add support for snap packages in the next
| weeks. Now tracking this internally at CC#2632.
| yewenjie wrote:
| Still can't use it on NixOS :(
| eckelhesten wrote:
| Is this a per device client? Is it possible to say, run it on
| Ubuntu as a server and have it handle the whole LAN?
| dhaavi wrote:
| This is client software. Everything is done locally.
|
| Except of course for the SPN, which has a growing network of
| servers to relay traffic.
| drdaeman wrote:
| Is this installed specifically on the endpoints or can it be
| installed on a network gateway (my edge router/gateway is a
| GNU/Linux machine) to provide analytics and security for the
| whole LAN?
|
| The website seems to be very light on any technical details,
| and doesn't give me the slightest idea how it operates. Looking
| at the comments here I suspect it's an endpoint firewall using a
| VPN (SPN) to tunnel all the traffic through a virtualized network
| interface and apply rules and analytics to it.
| dhaavi wrote:
| It is installed on the endpoint.
|
| It integrates with nfqueue on Linux and a kernel extension on
| Windows. It does not use a virtual interface.
|
| The SPN (Safing Privacy Network; VPN alternative) is optional.
|
| More details on the docs: https://docs.safing.io/
| ajolly wrote:
| What's the performance impact on this, especially on windows?
|
| Also what would happen if I installed a Windows gateway, using
| routing and remote access services, and then installed portmaster
| on that?
|
| Overall this looks pretty awesome, and I'm excited to try it out.
|
| Oh and can I use this in conjunction with WireGuard? How does it
| play with other VPNs?
| dhaavi wrote:
| Q: What's the performance impact on this, especially on
| windows?
|
| Basically negligible. Secure DNS might be a bit slower and you
| might feel some impact on low end devices.
|
| Q: Also what would happen if I installed a Windows gateway,
| using routing and remote access services, and then installed
| portmaster on that?
|
| You'd probably be cut off as incoming connections are blocked
| by default. Please place a config with exceptions before
| install or have (virtual) physical access when installing.
|
| Q: Oh and can I use this in conjunction with WireGuard? How
| does it play with other VPNs?
|
| We have a whole page on that in the docs:
| https://docs.safing.io/portmaster/install/status/vpn-compati...
| Tarq0n wrote:
| I've been using this for about a month and it's been excellent.
| Actually dropped nextDNS for it, as my main need for nextDNS was
| one windows desktop.
| cynod wrote:
| Was just reading their site and wondering about that myself.
| But I use NextDNS on my router to cover all the devices on the
| house and this seems individual client based.
|
| Still, I can run it on my main machine.
|
| The networking looks like a great blend of onion routing and
| secured connections. Really clever way of constantly changing a
| client IP. As someone else noted it's like a client/outgoing
| version of Cloudflare's DDoS-mitigated network design.
| Abishek_Muthian wrote:
| Is this like OpenSnitch + PiHole combined?
| ignoramous wrote:
| Pretty much, yes.
| Abishek_Muthian wrote:
| I guess having it combined can have portability/mobility
| benefits but other than that I doubt if the performance
| benefits of OpenSnitch (or) ability to secure entire
| network through PiHole is worth replacing.
| ignoramous wrote:
| You won't be wrong about that, but I like to think of
| PortMaster as more of an open-source Glasswire
| replacement that can also run on Linux. It is an
| impressive piece of software nevertheless.
| byteshock wrote:
| I remember trying out Portmaster on Windows earlier this year. I
| think Portmaster was running a local DNS server to see what
| connections were being made. This interfered with my VPN,
| Mullvad, which was trying to use a remote DNS server.
|
| Does Portmaster still require a local DNS server? I've been an
| avid user of Glasswire for years and it works flawlessly with my
| VPN. But I would love to switch to an open source alternative.
| dhaavi wrote:
| Portmaster still requires (and probably always will require) a
| local DNS server. Why? Because there is not always a way, and
| there will be fewer ways in the future, to find out which domain
| an IP address belongs to.
|
| GlassWire will probably become quite blind as soon as TLS1.3 is
| rolled out and working as intended.
|
| I will look into Mullvad compatibility again in the coming
| weeks. I think they also improved some stuff on their side.
|
| User from 2 weeks ago: "Can confirm that Portmaster V.1.0.0
| with Mullvard V2022.4 DNS set to 127.0.0.1 and the same setting
| on the netwerk controller both can life together." from
| https://github.com/safing/portmaster/issues/313
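The reason given above, that a per-host firewall has to see the DNS answers itself to label a connection with a domain, as an added example that is not Portmaster's code. It keeps the answers a local resolver handed out, per process and host-wide, and attributes later connections by destination address until the record's TTL runs out; process IDs, domains and addresses are constructed.

```python
import time


class DnsAttributionCache:
    """Map a destination IP back to the domain a process resolved it from.

    Answers are remembered per process (the one that issued the query) and
    host-wide as a fallback, each only until the record's TTL expires.
    """

    def __init__(self):
        self._by_pid = {}   # (pid, ip) -> (domain, expires_at)
        self._by_host = {}  # ip -> (domain, expires_at)

    def observe_answer(self, pid, domain, addresses, ttl, now=None):
        """Record an A/AAAA answer the local resolver handed to `pid`."""
        now = time.time() if now is None else now
        for ip in addresses:
            self._by_pid[(pid, ip)] = (domain, now + ttl)
            self._by_host[ip] = (domain, now + ttl)

    @staticmethod
    def _fresh(table, key, now):
        entry = table.get(key)
        if entry is None:
            return None
        domain, expires_at = entry
        if now > expires_at:
            del table[key]  # stale: the name may point elsewhere by now
            return None
        return domain

    def attribute(self, pid, dst_ip, now=None):
        """Return (domain, source) for a new connection, or (None, None)."""
        now = time.time() if now is None else now
        domain = self._fresh(self._by_pid, (pid, dst_ip), now)
        if domain is not None:
            return domain, "process"
        domain = self._fresh(self._by_host, dst_ip, now)
        if domain is not None:
            return domain, "host"
        return None, None


def demo():
    """Replay constructed DNS answers and connection events."""
    cache = DnsAttributionCache()
    t0 = 1_000_000.0
    # constructed answers, as the local resolver would deliver them
    cache.observe_answer(4242, "example.com",
                         ["203.0.113.10", "203.0.113.11"], ttl=300, now=t0)
    cache.observe_answer(4242, "cdn.example.net",
                         ["198.51.100.7"], ttl=60, now=t0)
    events = [  # (pid, destination IP, seconds after t0), all constructed
        (4242, "203.0.113.11", 5),   # same process, fresh answer
        (4242, "198.51.100.7", 30),  # inside the 60 s TTL
        (4242, "198.51.100.7", 90),  # TTL expired: no longer trusted
        (7777, "203.0.113.10", 5),   # another process: host-wide fallback
        (4242, "192.0.2.99", 5),     # no DNS answer seen: connection by raw IP
    ]
    return [cache.attribute(pid, ip, now=t0 + dt) for pid, ip, dt in events]


if __name__ == "__main__":
    for domain, source in demo():
        print(domain, source)
```

A connection to an address that never appeared in a DNS answer stays unattributed, which is exactly the case a firewall that only watches connections cannot resolve once the domain is no longer visible on the wire.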
| byteshock wrote:
| Awesome, thank you for the reply. Will try out Portmaster
| again!
| nohankyou wrote:
| I remember using PortMasters (PM2E) for router serial
| connectivity, good times.
| NateLawson wrote:
| Yeah, the ISP I founded in 1995 (elite.net) was a PM2ER for
| both dialup and routing with a Pentium 90 as the shell & web
| server. We quickly hit the 30 line limit and went up to the
| PRI-based Portmaster models. Fun and exciting times, just
| bringing a rural community online for the first time ever.
| jonhohle wrote:
| Ooh, an article about portmaster(8)! Oh, not portmaster(8).
|
| [0] https://www.freebsd.org/cgi/man.cgi?query=portmaster&sektion...
| js2 wrote:
| Also not PortMaster.
|
| https://archive.org/details/h42_Livingston_Enterprises_PortM...
| [deleted]
| beezle wrote:
| Lol I was just thinking the same thing. Why do I think this is
| going to end badly?
| agilob wrote:
| Yghm... can I run it on kubernetes?
| dhaavi wrote:
| It's a software for clients / desktops.
| agilob wrote:
| Can't be run network wide on kubernetes or router? Then it's
| not a competitor to pihole?
| dhaavi wrote:
| Well, that depends on the use case. You might call it an
| indirect competitor.
| senden9 wrote:
| Right. Other use case. PiHole is normally set up for a
| network. This solution is a personal desktop firewall. So it
| has more access to information, but is also more easily
| breakable (like break-through) by "bad" software on your PC.
| deluxeroyale wrote:
| Been looking for something like this for my Windows computer.
| Little Snitch has been invaluable over the years but I never
| found anything that covers its features for Windows.
| alibert wrote:
| If you are looking for a simple and light firewall (but still
| better than Windows Firewall), I recommend using Simplewall. It
| does not require a kernel extension and works with the API
| provided by Windows to do network filtering.
|
| https://github.com/henrypp/simplewall
| dhaavi wrote:
| We have a blog post about this, if anyone is curious:
| https://safing.io/blog/2022/04/11/portmaster-vs-simplewall/
| DavideNL wrote:
| > _Please note that pretty much all the DNS leak detection tests
| by the VPN providers will be a false positive, as the only thing
| they check is if you are using their DNS servers. Rest assured
| that your DNS queries are well protected by the Portmaster and
| there is no need to be concerned._ [1]
|
| That's a confusing statement... does this mean they change your
| DNS server/provider by default, if you are using a VPN?
|
| [1] https://docs.safing.io/portmaster/install/status/vpn-compati...
| byteshock wrote:
| I think it's because SPN uses a different IP/node per
| connection you make. DNS leak detection tests will ask your
| browser to resolve unique subdomains. If the DNS server that
| requests the lookup is different from your connecting IP to the
| website, they will say you have a DNS leak.
|
| https://security.stackexchange.com/questions/42752/how-does-...
| dhaavi wrote:
| That would be true if you would be resolving all DNS yourself.
| Nowadays everyone uses a recursive resolver. See my other
| answer for details about this case.
| dhaavi wrote:
| Pretty much all VPNs use their own DNS servers. Their "DNS Leak
| Tests" just check if queries come from that DNS server.
|
| Portmaster overrides any custom DNS server and enforces the
| ones the user set - or are set by default. This "breaks" the
| VPN leak test.
|
| You'd need to use a leak test from the DNS provider for it to
| work.
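How such a leak test reaches its verdict, covering both byteshock's description of the unique-subdomain trick and dhaavi's point that the test only checks which resolver asked. This is an added example, not code from the thread or from any provider's test; the resolver addresses and the three client setups are constructed, and the last one shows the false positive: the test cannot tell a plaintext query that escaped the tunnel from an encrypted query to a different resolver sent inside it.

```python
import secrets


class DnsLeakTestServer:
    """Server side of a typical VPN provider 'DNS leak test' (constructed).

    It knows the provider's own recursive resolvers. For each test it hands
    out a unique hostname under a zone it is authoritative for, so the only
    way a client can reach it is for some recursive resolver to ask this
    server first, and that resolver's address is what gets judged.
    """

    def __init__(self, provider_resolvers):
        self.provider_resolvers = frozenset(provider_resolvers)
        self._seen = {}  # token -> resolver IP that asked the authoritative NS

    def issue_hostname(self):
        """Unique, unguessable name so cached answers cannot satisfy it."""
        token = secrets.token_hex(8)
        self._seen[token] = None
        return f"{token}.leaktest.example"

    def record_authoritative_query(self, qname, resolver_ip):
        """Called when the authoritative nameserver is asked for `qname`."""
        token = qname.split(".", 1)[0]
        if token in self._seen:
            self._seen[token] = resolver_ip

    def verdict(self, qname):
        resolver_ip = self._seen.get(qname.split(".", 1)[0])
        if resolver_ip is None:
            return "no query observed"
        if resolver_ip in self.provider_resolvers:
            return "ok: resolved by the VPN provider"
        return f"leak: resolved by {resolver_ip}"


def run_scenarios():
    """Three constructed client setups, all browsing through the same VPN exit.

    Returns {scenario: (test verdict, query actually visible to the ISP?)}.
    """
    provider_resolver = "203.0.113.53"   # VPN provider's recursive resolver
    isp_resolver = "198.51.100.53"       # ISP resolver, reached outside the tunnel
    third_party_resolver = "192.0.2.53"  # public DoT/DoH resolver a firewall enforces
    server = DnsLeakTestServer([provider_resolver])
    scenarios = {
        # name: (resolver that ends up asking the authoritative NS, exposed to ISP)
        "vpn provider dns": (provider_resolver, False),
        "real leak: plaintext query to isp": (isp_resolver, True),
        "firewall-enforced dot through tunnel": (third_party_resolver, False),
    }
    results = {}
    for name, (resolver_ip, exposed) in scenarios.items():
        qname = server.issue_hostname()
        # Whatever path the client's query took, the authoritative server
        # only ever sees the recursive resolver that finally asked it.
        server.record_authoritative_query(qname, resolver_ip)
        results[name] = (server.verdict(qname), exposed)
    return results


if __name__ == "__main__":
    for name, (verdict, exposed) in run_scenarios().items():
        print(f"{name:40s} {verdict:40s} exposed_to_isp={exposed}")
```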
|
| Thanks for the feedback. I will look into improving the text.
| DavideNL wrote:
| > _overrides any custom DNS server and enforces the ones
| the user set - or are set by default_
|
| If Portmaster _enforces DNS servers with the ones that are
| set_, after installing Portmaster and without the user
| changing anything, I'd say that's a decrease of privacy;
|
| Your VPN provider can see your traffic in any case (even when
| you're not using their DNS server.) So, if Portmaster would
| change this to whatever your default is (Cloudflare, Google,
| etc.), people are then suddenly sharing their DNS requests
| with yet another third party.
| dhaavi wrote:
| There is a welcome screen that informs you of Portmaster
| handling and securing DNS queries with the option to change
| the provider.
|
| But especially with a VPN the privacy is increased as it
| effectively becomes DNS-over-TLS/HTTPS-over-VPN. The VPN
| still sees your destination IP addresses, so the privacy
| improvement is not increased by a lot, but still.
| DavideNL wrote:
| > with the option to change the provider.
|
| Ah right, that sounds good. So the user is aware of it.
|
| > _But especially with a VPN the privacy is increased as
| it effectively becomes DNS-over-TLS /HTTPS-over-VPN._
|
| I disagree; VPN providers use an internal IP as DNS
| server and your connection to this DNS server goes
| through a secured VPN tunnel anyway.
|
| So, by sharing your DNS requests with an external third
| party you gain nothing, and it's even a decrease of your
| privacy since now Google/Cloudflare/etc collects all
| these requests.
| tfigment wrote:
| I've been using it for about 6 months and I think it's a good
| product. I suddenly needed a new firewall as Comodo Firewall
| doesn't work well with the VPN I have to use (it cannot block
| anything). This stepped up like a champ in preventing unwanted
| networking behavior from Microsoft and others. The Notify Task
| has sometimes been weird but 1.0 seems to work well for me. The
| fact that I can point it at my local DNSCrypt instance is nice. I
| need to explore SPN more and see if it would work better than VPN
| for me or not.
| ike0790 wrote:
| This is awesome. Definitely gonna check it out...
| jeroenhd wrote:
| Definitely one of the best firewalls for normal people on Linux.
| (g)UFW is nice and easy but very basic. Portmaster is a lot
| closer to the firewalls you may find for Windows that list
| applications and their statistics/configuration.
|
| My only problem with it is that under heavy load the DoH server
| dies or gets stuck at 50% CPU for me. It also hangs my custom
| DoT/DoH solution for some reason but that's not a Portmaster
| problem.
| dhaavi wrote:
| Thanks! That's exactly what we are aiming for!
|
| About your DNS issues: Have you opened an issue on GitHub yet?
| jeroenhd wrote:
| I haven't had time to debug this issue yet, it mostly occurs
| when I'm busy with more important stuff so I usually just
| restart the service once or twice to get the process to
| behave.
|
| I'll try to remember to collect the logs next time it happens
| so I can open a useful issue.
| mcc1ane wrote:
| What's SPN?
| toomanyusers wrote:
| I found a blog post (https://safing.io/blog/2022/09/06/spn-vs-vpns/),
| but you have to go fairly far down the page (to the header
| "Cryptographic Identity Protection") to begin to get the gist
| of what it is.
|
| "This was originally invented for Tor and is called Onion
| Routing. This way, every server in the chain only knows the
| previous and the next hop. No server ever knows who you are AND
| where you are going to."
|
| "As VPNs are centralized, all their servers are operated by
| only one entity - the VPN provider itself. They can, therefore,
| monitor all your traffic and see what you are up to. This is why
| they tout their "No Logging" policies so loudly, because they
| know they can see everything."
|
| "SPN on the other hand invites the community to join the
| network and strengthen it by adding diversity to the operators
| of the network. This way - in addition to the cryptographic
| protections - it is made almost impossible that anyone will
| ever be able to track you through the SPN."
|
| It sounds like it is a next-gen VPN service which addresses the
| shortcomings of the current VPN services by splitting the
| service into relays and exits, each with limited knowledge and
| each potentially operated by different parties.
| dhaavi wrote:
| CTO of Safing here.
|
| Came back to answer the question and you beat me to it!
| Thanks!
|
| SPN (Safing Privacy Network) aims to fill the area between
| VPNs and Tor. VPNs provide very little real privacy and Tor
| is (outside Tor Browser) very difficult to setup and
| configure.
|
| In combination with the Portmaster (which is also a
| firewall), we provide superior privacy to any VPN and offer a
| 1-click install for software that you cannot mis-configure.
|
| If you have any questions, please ask!
| stusmall wrote:
| Another product from them: https://safing.io/spn/
| xcambar wrote:
| This.
|
| I have followed multiple links, never able to find the
| expansion of the acronym. So weird.
| dhaavi wrote:
| Huh. Thanks, I will check that we explain that better.
| janka102 wrote:
| I also couldn't find it on their website, but their GitHub
| says it means Safing Privacy Network.
| https://github.com/safing/spn/
| Matl wrote:
| Is there a way to use this as 'just a firewall'? Not touching my
| DNS config or preventing VPNs from setting their own etc.?
| pyinstallwoes wrote:
| Yea I've done that.
| metadat wrote:
| Are there any plans for a Mac version?
|
| Pretty cool that both Windows and Linux both are supported and
| already exist. Keep up the good work!
|
| I also appreciate the easy to read and clear privacy policy about
| what telemetry and data this SaaS platform collects and how it is
| handled.
|
| https://safing.io/privacy/#article-1-where-we-collect-datapi...
| CharlesW wrote:
| For macOS I can strongly recommend Little Snitch. It's not open
| source, but I like that it's not subscription software and
| doesn't collect personal data.
| https://www.obdev.at/products/littlesnitch/index.html
| zikduruqe wrote:
| I've been running LuLu and it works great.
|
| https://objective-see.org/products/lulu.html
| CharlesW wrote:
| I love everything Objective-See makes too. Glad you
| mentioned them!
| krono wrote:
| FYI: It comes with opt-out Sentry crash reporting.
|
| Edit: Shipping such a component enabled by default might be
| unexpected for applications of this nature and easily
| overlooked, which is why I mention it.
| cvwright wrote:
| Why is "not subscription software" necessarily a good thing?
|
| Don't you want to be the customer rather than the product?
| metadat wrote:
| Little Snitch still costs money, it's just a different
| licensing model. It's not SaaS, so only a one-time fee to
| purchase the tool.
|
| The reason I'm open to paying a monthly fee for a SaaS
| offering is to keep getting new features and timely
| security updates, and support ensuring the recurring
| expense aspects of the service can stay alive. It's not
| entirely clear to me yet why PortMaster needs to be a SaaS,
| but it's not implausible.
|
| I don't have any Windows or Linux desktop machines in
| regular use currently, looking forward to trying this out
| once the Mac version exists.
| CharlesW wrote:
| > _The reason I'm open to paying a monthly fee for a
| SaaS offering..._
|
| To clarify, I'm absolutely _not_ subscription shaming,
| and I understand that startups are effectively forced to
| use a SaaS model in order to attract investors.
| CharlesW wrote:
| > _Why is "not subscription software" necessarily a good
| thing?_
|
| I personally consider that a "pro". You may not have
| experienced subscription fatigue yet, which is great.
|
| > _Don't you want to be the customer rather than the
| product?_
|
| You may have misunderstood -- Little Snitch is a _paid_
| product that collects no data.
| cvwright wrote:
| That makes sense. Thanks!
| simjnd wrote:
| They have considered it and say they will invest in it "once
| they have the resources" [1]. So I wouldn't expect it anytime
| soon at all.
|
| [1]: https://docs.safing.io/portmaster/install/status/mac
|
| EDIT: Added link to source
| maxcx wrote:
| Pretty interesting. Would love to see if users can choose their
| own servers as the underlying identity pool. PS: SPN: Safing
| Privacy Network, https://github.com/safing/spn
| dhaavi wrote:
| You can add your own servers to the network as community nodes.
| [0]
|
| For privacy, you never want to be the only person using a
| server.
|
| [0] https://docs.safing.io/spn/hosting-a-community-node
| spansoa wrote:
| I installed this about six months ago on Ubuntu 18 and it hung
| when I launched it. Has this been ironed out? I might try again. If
| I'm having issues, I'll submit an issue on GitHub. Was it tested
| on Ubuntu 18? BTW: I have to use Ubuntu 18 since version 20 is
| not compatible with my machine (some BS about NVIDIA drivers
| crashing the OS).
| dhaavi wrote:
| We have improved a lot since then. Please try again and open an
| issue on GitHub if something does not work - as you said.
|
| Linux install options:
| https://docs.safing.io/portmaster/install/linux
___________________________________________________________________
(page generated 2022-11-05 23:00 UTC)