[HN Gopher] Portmaster 1.0 - Open-Source Network Monitor and Privacy Firewall
Author : dhaavi
Score : 214 points
Date : 2022-11-05 13:56 UTC (9 hours ago)
Link : safing.io
| devnine wrote:
| need a Mac version
| dhaavi wrote:
| CTO and Co-Founder of Safing here. We're super excited to introduce version 1.0 of our network monitor and privacy firewall - Portmaster! On 1.1. this year, Portmaster was shared on HN and we hit the front page [1]. With the help of our testers - many of you! - we were able to mature and develop Portmaster to hit this milestone.
|
| We're on a mission to bring privacy back to the masses. Privacy has to be easy & accessible for everyone, while hackers and tinkerers should have the tools to customize everything to their needs. So while Portmaster 1.0 is a big milestone, this is just the start!
|
| [1]: https://news.ycombinator.com/item?id=29761978
| [2]: https://star-history.com/#safing/portmaster&Date
| csdvrx wrote:
| Congrats!
|
| Just one question: In the past, Portmaster had problems with WSL2.
|
| I documented the issue and the solution: https://www.reddit.com/r/safing/comments/ryioj7/portmaster_b...
|
| Is it fixed now?
| dhaavi wrote:
| We still don't have first-class support for VMs, but it will come.
| csdvrx wrote:
| Did you read the link?
|
| Just add a PowerShell script at install time to exempt the virtual network interfaces from Windows Firewall if WSL is detected and the user agrees! It's super simple and easy.
| OrvalWintermute wrote:
| Looks intriguing. A few questions:
|
| (1) Are you planning on having support for more than 5 devices at a future point?
|
| (2) Will you have any features to support parents' protection of their children?
|
| (3) How easy is it to integrate Safing into a home security stack, or an enterprise security stack?
|
| (4) Have you considered a one-time unlimited buy-in level in lieu of monthly?
|
| (5) Is this coming for iOS & MacOS?
|
| Thanks for pushing the privacy front.
| dhaavi wrote:
| Thanks for your interest.
|
| (1) Are you planning on having support for more than 5 devices at a future point?
|
| 5 devices is what we estimate 1 user has (avg max). If there is demand, we will definitely add a plan to support more devices (or users).
|
| (2) Will you have any features to support parents' protection of their children?
|
| We already collect NSFW filter lists to be activated in the settings. Otherwise such features are tricky, as we need to start protecting against the person in front of the device, which is very hard. If you have suggestions, please share!
|
| (3) How easy is it to integrate Safing into a home security stack, or an enterprise security stack?
|
| Can you elaborate on what exactly you have in mind? We don't offer any integrations with other systems out of the box yet. We have APIs though that you can use.
|
| (4) Have you considered a one-time unlimited buy-in level in lieu of monthly?
|
| We had a couple lifetime plans on our Kickstarter (years ago). Right now, we don't have any plans for this. You can pay in advance though - up to 4 years.
|
| (5) Is this coming for iOS & MacOS?
|
| Yes. Or, at least we will attempt. Going to be "fun" if Apple continues their locking down strategy. Maybe the EU will force them to open up until then. Expect at least 1-2 years for this to land though.
| mdip wrote:
| Rather insightful on (2) with regard to:
| > ... we need to start protecting against the person in front of the device
|
| My first thought was, "Oh, God, please don't".
| I'm a parent, if I put that software on the computer it comes with rules not to touch it; if it's touched, they know I'll probably find out, ban them from it for a bit and return it to them locked down in a manner that when I return it to its original state, they won't touch it again. :o).
|
| But then I thought of the other common reason this kind of capability is added to software -- are you preparing for the eventual future where you will _have_ to do this, not to protect from a child removing the software, but to protect from another app surreptitiously removing Portmaster in order to bypass its protections?
| dhaavi wrote:
| Yes. Good points.
|
| Well, the first thing we might do is just a "Only an Administrator can make changes." setting where only admin accounts are allowed to change settings. This one makes sense. Everything beyond that gets complicated and easy to circumvent fast.
|
| (I also think the original question was more about blocking features and the likes.)
|
| Protecting against other software is related, but also different. We have some decent protection here, albeit not against simply shutting Portmaster down.
| slurpmaker wrote:
| Looks like a nice project! What library are you using for a front end here?
| runlevel1 wrote:
| Congrats on releasing 1.0! It looks very cool. A few questions about Portmaster Unlimited and SPN:
|
| 1. Does Safing own and operate all the exit nodes or can folks add their own nodes to it?
|
| 2. Are you self-hosting the exit nodes? If not, I'm curious what cloud providers you use.
|
| 3. Have you found egressing through a bunch of different geolocated IPs for the same request triggers DDoS/anti-scraping systems (like Cloudflare) more than usual?
| dhaavi wrote:
| Thanks!
|
| 1. Does Safing own and operate all the exit nodes or can folks add their own nodes to it?
|
| Everyone can join. We also plan to compensate in some way in the future.
| Docs: https://docs.safing.io/spn/hosting-a-community-node
|
| 2. Are you self-hosting the exit nodes? If not, I'm curious what cloud providers you use.
|
| We rent servers. If you have the SPN, you can click on every server on the map and check where it is hosted. Currently mainly Hetzner, OVH, Katamera, HostHatch. We regularly try new providers, rent a couple servers and see how it goes.
|
| 3. Have you found egressing through a bunch of different geolocated IPs for the same request triggers DDoS/anti-scraping systems (like Cloudflare) more than usual?
|
| The client "pins" destination domains/IPs to an exit for an hour (scoped per app) in order to get more stability here. We had issues in the past.
| toomanyusers wrote:
| I'd really like to see more technical discussion of Safing's SPN idea and implementation (https://safing.io/spn/). If I've understood it correctly, it seems to be in-line with the general trajectory of where Cloudflare is going with DNS privacy and Apple is going with its relay service.
|
| It seems obvious that VPN services should be split into Relay and Exit services so that you don't have to necessarily trust a single company not to collect and sell all your internet traffic.
| dhaavi wrote:
| The SPN (Safing Privacy Network) aims to fill the area between VPNs and Tor. VPNs provide very little real privacy and Tor is (outside Tor Browser) very difficult to set up and configure.
|
| Yes, you are correct, there are similarities there. Except of course that SPN is open source.
|
| We do have a white paper: https://safing.io/files/whitepaper/Gate17.pdf
|
| And YES! I'd love to see more technical discussion of the SPN too. So many things to unpack, to learn and improve.
| g_p wrote:
| From a DNS privacy perspective, ODOH (Oblivious DNS over HTTPS) seems to achieve this at protocol level, with interoperability between providers.
| While there are tunnelled VPNs (separate entry and exit), they always seem to be with the same provider. The iCloud private relay design appears to avoid this.
|
| It would be interesting to see where SPN goes, and more on how it works, as you say.
| wmf wrote:
| It doesn't even define the acronym!
| dhaavi wrote:
| Sorry about that. It's "Safing Privacy Network".
| stusmall wrote:
| I evaluated this a few months ago and absolutely loved it. It was more polished and easier to use than I expected. Since the website made a big deal about it being alpha I went in expecting a little pain.
|
| The only major problem I hit was that every time a snap would update it would appear as a new application and I had to reapply the rules. At the time there was a proposal for a change to fix this but it hadn't been implemented yet. I think once that lands, if it hasn't already, I'll be a loyal daily user.
|
| EDIT: Adding GitHub issue link https://github.com/safing/portmaster/issues/398
| dhaavi wrote:
| We have recently added a system to support these use cases. I will see if we can add support for snap packages in the next weeks. Now tracking this internally at CC#2632.
| yewenjie wrote:
| Still can't use it on NixOS :(
| eckelhesten wrote:
| Is this a per device client? Is it possible to say, run it on Ubuntu as a server and have it handle the whole LAN?
| dhaavi wrote:
| This is client software. Everything is done locally.
|
| Except of course for the SPN, which has a growing network of servers to relay traffic.
| drdaeman wrote:
| Is this installed specifically on the endpoints or can it be installed on a network gateway (my edge router/gateway is a GNU/Linux machine) to provide analytics and security for the whole LAN?
|
| The website seems to be very light on any technical details, doesn't give me the slightest idea how it operates.
| Looking at the comments here I suspect it's an endpoint firewall using a VPN (SPN) to tunnel all the traffic through a virtualized network interface and apply rules and analytics to it.
| dhaavi wrote:
| It is installed on the endpoint.
|
| It integrates with nfqueue on Linux and a kernel extension on Windows. It does not use a virtual interface.
|
| The SPN (Safing Privacy Network; VPN alternative) is optional.
|
| More details on the docs: https://docs.safing.io/
| ajolly wrote:
| What's the performance impact on this, especially on windows?
|
| Also what would happen if I installed a Windows gateway, using routing and remote access services, and then installed portmaster on that?
|
| Overall this looks pretty awesome, and I'm excited to try it out.
|
| Oh and can I use this in conjunction with WireGuard? How does it play with other VPNs?
| dhaavi wrote:
| Q: What's the performance impact on this, especially on windows?
|
| Basically negligible. Secure DNS might be a bit slower and you might feel some impact on low end devices.
|
| Q: Also what would happen if I installed a Windows gateway, using routing and remote access services, and then installed portmaster on that?
|
| You'd probably be cut off as incoming connections are blocked by default. Please place a config with exceptions before install or have (virtual) physical access when installing.
|
| Q: Oh and can I use this in conjunction with WireGuard? How does it play with other VPNs?
|
| We have a whole page on that in the docs: https://docs.safing.io/portmaster/install/status/vpn-compati...
| Tarq0n wrote:
| I've been using this for about a month and it's been excellent. Actually dropped NextDNS for it, as my main need for NextDNS was one windows desktop.
| cynod wrote:
| Was just reading their site and wondering about that myself. But I use NextDNS on my router to cover all the devices on the house and this seems individual client based.
|
| Still, I can run it on my main machine.
|
| The networking looks like a great blend of onion routing and secured connections. Really clever way of constantly changing a client IP. As someone else noted it's like a client/outgoing version of Cloudflare's DDoS mitigated network design.
| Abishek_Muthian wrote:
| Is this like OpenSnitch + PiHole combined?
| ignoramous wrote:
| Pretty much, yes.
| Abishek_Muthian wrote:
| I guess having it combined can have portability/mobility benefits but other than that I doubt if the performance benefits of OpenSnitch (or) ability to secure entire network through PiHole is worth replacing.
| ignoramous wrote:
| You won't be wrong about that, but I like to think of PortMaster as more of an open-source Glasswire replacement that can also run on Linux. It is an impressive piece of software nevertheless.
| byteshock wrote:
| I remember trying out Portmaster on Windows earlier this year. I think Portmaster was running a local DNS server to see what connections were being made. This interfered with my VPN, Mullvad, which was trying to use a remote DNS server.
|
| Does Portmaster still require a local DNS server? I've been an avid user of Glasswire for years and it works flawlessly with my VPN. But I would love to switch to an open source alternative.
| dhaavi wrote:
| Portmaster still (and probably always will) requires a local DNS server. Why? Because there are not always, and there will be fewer, ways in the future to find out which domain an IP address belongs to.
|
| GlassWire will probably become quite blind as soon as TLS1.3 is rolled out and working as intended.
|
| I will look into Mullvad compatibility again in the coming weeks. I think they also improved some stuff on their side.
|
| User from 2 weeks ago: "Can confirm that Portmaster V.1.0.0 with Mullvad V2022.4 DNS set to 127.0.0.1 and the same setting on the network controller both can live together."
from | https://github.com/safing/portmaster/issues/313 | byteshock wrote: | Awesome, thank you for the reply. Will try out Portmaster | again! | nohankyou wrote: | I remember using Postmasters (PM2E) for router serial | connectivity, good times. | NateLawson wrote: | Yeah, the ISP I founded in 1995 (elite.net) was a PM2ER for | both dialup and routing with a Pentium 90 as the shell & web | server. We quickly hit the 30 line limit and went up to the | PRI-based Portmaster models. Fun and exciting times, just | bringing a rural community online for the first time ever. | jonhohle wrote: | Ooh, an article about portmaster(8)! Oh, not portmaster(8) | | 0 - | https://www.freebsd.org/cgi/man.cgi?query=portmaster&sektion... | js2 wrote: | Also not PortMaster. | | https://archive.org/details/h42_Livingston_Enterprises_PortM... | [deleted] | beezle wrote: | Lol I was just thinking the same thing. Why do I think this is | going to end badly? | agilob wrote: | Yghm... can I run it on kubernetes? | dhaavi wrote: | It's a software for clients / desktops. | agilob wrote: | Can't be run network wide on kubernetes or router? Then it's | not a competitor to pihole? | dhaavi wrote: | Well, that depends on the use case. You might call it an | indirect competitor. | senden9 wrote: | Right. Other use case. PiHole is setup for network | normally. This solution is personal desktop firewall. So it | has more access to information, but is also easier | breakable (like break thru) for "bad" software on your PC. | deluxeroyale wrote: | Been looking for something like this for my windows computer. | Little Snitch has been invaluable over the years but never found | anything that covers it's features for windows | alibert wrote: | If you are looking for a simple and light firewall (but still | better than Windows Firewall), I recommend using Simplewall. It | does not require a kernel extension and works with the API | provided by Windows to do network filtering. 
|
| https://github.com/henrypp/simplewall
| dhaavi wrote:
| We have a blog post about this, if anyone is curious: https://safing.io/blog/2022/04/11/portmaster-vs-simplewall/
| DavideNL wrote:
| > _Please note that pretty much all the DNS leak detection tests by the VPN providers will be a false positive, as the only thing they check is if you are using their DNS servers. Rest assured that your DNS queries are well protected by the Portmaster and there is no need to be concerned._ [1]
|
| That's a confusing statement... does this mean they change your DNS server/provider by default, if you are using a VPN?
|
| [1] https://docs.safing.io/portmaster/install/status/vpn-compati...
| byteshock wrote:
| I think it's because SPN uses a different IP/node per connection you make. DNS leak detection tests will ask your browser to resolve unique subdomains. If the DNS server that requests the lookup is different from your connecting IP to the website, they will say you have a DNS leak.
|
| https://security.stackexchange.com/questions/42752/how-does-...
| dhaavi wrote:
| That would be true if you would be resolving all DNS yourself. Nowadays everyone uses a recursive resolver. See my other answer for details about this case.
| dhaavi wrote:
| Pretty much all VPNs use their own DNS servers. Their "DNS Leak Tests" just check if queries come from that DNS server.
|
| Portmaster overrides any custom DNS server and enforces the ones the user set - or are set by default. This "breaks" the VPN leak test.
|
| You'd need to use a leak test from the DNS provider for it to work.
|
| Thanks for the feedback. I will look into improving the text.
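A small model of the leak-test mechanics discussed in the two replies above, added here as an example and not code from Safing, from any VPN provider, or from the original thread. The test hands the browser a never-cached hostname, so the only thing it can measure is which resolver's egress address the test's authoritative server sees for that name. A VPN provider's test then asks "was that our resolver?", while the question that matters for a user who configured their own DoT/DoH resolver in the firewall is "was that a resolver I chose?". The operator prefix table, the operator names, the label and the authoritative-server log below are constructed for the example and are not real resolver address ranges.

```python
"""Model of a browser-based DNS leak test. Added example; not Safing's or any
VPN provider's code. The operator prefix table and the observed queries are
constructed for this example and are not real resolver address ranges."""
import ipaddress
import secrets
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical mapping "resolver egress prefix -> who operates it".
RESOLVER_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "vpn-provider": [ipaddress.ip_network("10.8.0.0/24")],        # the VPN's own DNS
    "user-doh-provider": [ipaddress.ip_network("192.0.2.0/24")],  # resolver configured in the firewall
    "isp": [ipaddress.ip_network("198.51.100.0/24")],             # the ISP's resolver (a real leak)
}


def probe_hostname(test_domain: str) -> str:
    """A label nobody has cached, so the browser's lookup must reach the test's
    authoritative server; the source IP of that query is what gets judged."""
    return f"{secrets.token_hex(8)}.{test_domain}"


def operator_of(ip: str) -> str:
    """Attribute a query source address to a resolver operator. First match wins;
    the prefixes in the constructed table do not overlap."""
    addr = ipaddress.ip_address(ip)
    for operator, nets in RESOLVER_PREFIXES.items():
        if any(addr in net for net in nets):
            return operator
    return "unknown"


def observed_operators(auth_log: Iterable[Tuple[str, str]], label: str) -> Set[str]:
    """auth_log: (queried_name, source_ip) pairs as the authoritative server saw them.
    Only queries for our unique label count; everything else is unrelated traffic."""
    return {operator_of(src) for name, src in auth_log if name == label}


def vpn_provider_verdict(ops: Set[str]) -> str:
    """The check most VPN leak tests implement: any resolver that is not theirs is a
    'leak'. A query sent to a user-chosen DoT/DoH resolver through the tunnel trips
    this rule even though it never left the tunnel in the clear."""
    if not ops:
        return "inconclusive"
    return "ok" if ops == {"vpn-provider"} else "leak"


def resolver_aware_verdict(ops: Set[str], trusted: Set[str]) -> str:
    """Check against the operators the user actually chose; only a resolver outside
    that set (typically the ISP's, reached outside the tunnel) is a leak."""
    if not ops:
        return "inconclusive"
    return "ok" if ops <= trusted else "leak"


def run_test(auth_log: Iterable[Tuple[str, str]], label: str, trusted: Set[str]) -> Dict[str, object]:
    ops = observed_operators(list(auth_log), label)
    return {
        "operators": sorted(ops),
        "vpn_test": vpn_provider_verdict(ops),
        "resolver_aware_test": resolver_aware_verdict(ops, trusted),
    }


# Constructed authoritative-server logs for three sessions that share one label.
LABEL = "5f2a9c1d3b7e4a60.leaktest.example"
SESSION_DOH_OVER_TUNNEL = [(LABEL, "192.0.2.53")]                          # firewall-enforced resolver only
SESSION_ISP_LEAK = [(LABEL, "192.0.2.53"), (LABEL, "198.51.100.7")]        # one query escaped to the ISP
SESSION_VPN_DNS = [(LABEL, "10.8.0.1"), ("other.example", "203.0.113.9")]  # VPN's own resolver

if __name__ == "__main__":
    sessions = [("doh-over-tunnel", SESSION_DOH_OVER_TUNNEL),
                ("isp-leak", SESSION_ISP_LEAK), ("vpn-dns", SESSION_VPN_DNS)]
    for name, log in sessions:
        print(name, run_test(log, LABEL, trusted={"user-doh-provider", "vpn-provider"}))
```

The first session is the situation the Portmaster docs describe: the VPN's test reports a leak because the egress it sees belongs to the user's configured resolver rather than the VPN's, while the resolver-aware check passes. The second session shows what an actual leak looks like under both rules, which is why a test run from the DNS provider's side (one that knows its own egress ranges) is the one that gives a meaningful answer here.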
| DavideNL wrote:
| > " _overrides any custom DNS server and enforces the ones the user set - or are set by default_ "
|
| If Portmaster " _enforces DNS servers with the ones that are set_ ", after installing Portmaster and without the user changing anything, I'd say that's a decrease of privacy;
|
| Your VPN provider can see your traffic in any case (even when you're not using their DNS server.) So, if Portmaster would change this to whatever your default is (Cloudflare, Google, etc.), people are then suddenly sharing their DNS requests with yet another 3rd party.
| dhaavi wrote:
| There is a welcome screen that informs you of Portmaster handling and securing DNS queries with the option to change the provider.
|
| But especially with a VPN the privacy is increased as it effectively becomes DNS-over-TLS/HTTPS-over-VPN. The VPN still sees your destination IP addresses, so the privacy improvement is not increased by a lot, but still.
| DavideNL wrote:
| > with the option to change the provider.
|
| Ah right, that sounds good. So the user is aware of it.
|
| > _But especially with a VPN the privacy is increased as it effectively becomes DNS-over-TLS/HTTPS-over-VPN._
|
| I disagree; VPN providers use an internal IP as DNS server and your connection to this DNS server goes through a secured VPN tunnel anyway.
|
| So, by sharing your DNS requests with an external 3rd party you gain nothing, and it's even a decrease of your privacy since now Google/Cloudflare/etc collects all these requests.
| tfigment wrote:
| I've been using it for about 6 months and I think it's a good product. I suddenly needed a new firewall as Comodo Firewall doesn't work well with VPN I have to use (it cannot block anything). This stepped up like a champ in preventing unwanted networking behavior from Microsoft and others. The Notify Task has sometimes been weird but 1.0 seems to work well for me.
| The fact that I can point at my local DNSCrypt instance is nice. I need to explore SPN more and see if it would work better than VPN for me or not.
| ike0790 wrote:
| This is awesome. Definitely gonna check it out...
| jeroenhd wrote:
| Definitely one of the best firewalls for normal people on Linux. (g)UFW is nice and easy but very basic. Portmaster is a lot closer to the firewalls you may find for Windows that list applications and their statistics/configuration.
|
| My only problem with it is that under heavy load the DoH server dies or gets stuck at 50% CPU for me. It also hangs my custom DoT/DoH solution for some reason but that's not a Portmaster problem.
| dhaavi wrote:
| Thanks! That's exactly what we are aiming for!
|
| About your DNS issues: Have you opened an issue on GitHub yet?
| jeroenhd wrote:
| I haven't had time to debug this issue yet, it mostly occurs when I'm busy with more important stuff so I usually just restart the service once or twice to get the process to behave.
|
| I'll try to remember to collect the logs next time it happens so I can open a useful issue.
| mcc1ane wrote:
| What's SPN?
| toomanyusers wrote:
| I found a blog post (https://safing.io/blog/2022/09/06/spn-vs-vpns/), but you have to go fairly far down the page (to the header "Cryptographic Identity Protection") to begin to get the gist of what it is.
|
| "This was originally invented for Tor and is called Onion Routing. This way, every server in the chain only knows the previous and the next hop. No server ever knows who you are AND where you are going to."
|
| "As VPNs are centralized, all their servers are operated by only one entity - the VPN provider itself. They can, therefore, monitor all your traffic and see what you are up to. This is why they tout their "No Logging" policies so loudly, because they know they can see everything."
|
| "SPN on the other hand invites the community to join the network and strengthen it by adding diversity to the operators of the network. This way - in addition to the cryptographic protections - it is made almost impossible that anyone will ever be able to track you through the SPN."
|
| It sounds like it is a next-gen VPN service which addresses the shortcomings of the current VPN services by splitting the service into relays and exits, each with limited knowledge and each potentially operated by different parties.
| dhaavi wrote:
| CTO of Safing here.
|
| Came back to answer the question and you beat me to it! Thanks!
|
| SPN (Safing Privacy Network) aims to fill the area between VPNs and Tor. VPNs provide very little real privacy and Tor is (outside Tor Browser) very difficult to set up and configure.
|
| In combination with the Portmaster (which is also a firewall), we provide superior privacy to any VPN and offer a 1-click install for software that you cannot misconfigure.
|
| If you have any questions, please ask!
| stusmall wrote:
| Another product from them: https://safing.io/spn/
| xcambar wrote:
| This.
|
| I have followed multiple links, never able to find the expansion of the acronym. So weird.
| dhaavi wrote:
| Huh. Thanks, I will check that we explain that better.
| janka102 wrote:
| I also couldn't find it on their website, but their GitHub says it means Safing Privacy Network. https://github.com/safing/spn/
| Matl wrote:
| Is there a way to use this as 'just a firewall'? Not touching my DNS config or preventing VPNs from setting their own etc.?
| pyinstallwoes wrote:
| Yea I've done that.
| metadat wrote:
| Are there any plans for a Mac version?
|
| Pretty cool that both Windows and Linux are supported and already exist. Keep up the good work!
|
| I also appreciate the easy to read and clear privacy policy about what telemetry and data this SaaS platform collects and how it is handled.
|
| https://safing.io/privacy/#article-1-where-we-collect-datapi...
| CharlesW wrote:
| For macOS I can strongly recommend Little Snitch. It's not open source, but I like that it's not subscription software and doesn't collect personal data. https://www.obdev.at/products/littlesnitch/index.html
| zikduruqe wrote:
| I've been running LuLu and it works great.
|
| https://objective-see.org/products/lulu.html
| CharlesW wrote:
| I love everything Objective-See makes too. Glad you mentioned them!
| krono wrote:
| FYI: It comes with opt-out Sentry crash reporting.
|
| Edit: Shipping such a component enabled by default might be unexpected for applications of this nature and easily overlooked, which is why I mention it.
| cvwright wrote:
| Why is "not subscription software" necessarily a good thing?
|
| Don't you want to be the customer rather than the product?
| metadat wrote:
| Little Snitch still costs money, it's just a different licensing model. It's not SaaS, so only a one-time fee to purchase for the tool.
|
| The reason I'm open to paying a monthly fee for a SaaS offering is to keep getting new features and timely security updates, and support ensuring the recurring expense aspects of the service can stay alive. It's not entirely clear to me yet why PortMaster needs to be a SaaS, but it's not implausible.
|
| I don't have any Windows or Linux desktop machines in regular use currently, looking forward to trying this out once the Mac version exists.
| CharlesW wrote:
| > _The reason I'm open to paying a monthly fee for a SaaS offering..._
|
| To clarify, I'm absolutely _not_ subscription shaming, and I understand that startups are effectively forced to use a SaaS model in order to attract investors.
| CharlesW wrote:
| > _Why is "not subscription software" necessarily a good thing?_
|
| I personally consider that a "pro". You may not have experienced subscription fatigue yet, which is great.
|
| > _Don't you want to be the customer rather than the product?_
|
| You may have misunderstood -- Little Snitch is a _paid_ product that collects no data.
| cvwright wrote:
| That makes sense. Thanks!
| simjnd wrote:
| They have considered it and say they will invest in it "once they have the resources" [1]. So I wouldn't expect it anytime soon at all.
|
| [1]: https://docs.safing.io/portmaster/install/status/mac
|
| EDIT: Added link to source
| maxcx wrote:
| Pretty interesting. Would love to see if users can choose their own servers as the underlying identity pool. PS: SPN: Safing Privacy Network, https://github.com/safing/spn
| dhaavi wrote:
| You can add your own servers to the network as community nodes. [0]
|
| For privacy, you never want to be the only person using a server.
|
| [0] https://docs.safing.io/spn/hosting-a-community-node
| spansoa wrote:
| I installed this about six months ago on Ubuntu 18 and it hung when I launched. Has this been ironed out? I might try again. If I'm having issues, I'll submit an issue on Github. Was it tested on Ubuntu 18? BTW: I have to use Ubuntu 18 since version 20 is not compatible with my machine (some BS about NVIDIA drivers crashing the OS)
| dhaavi wrote:
| We have improved a lot since then. Please try again and open an issue on GitHub if something does not work - as you said.
|
| Linux install options: https://docs.safing.io/portmaster/install/linux
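Closing added example for the endpoint-versus-gateway exchange earlier in the thread (dhaavi's note that the Linux build hooks nfqueue rather than a virtual interface, and senden9's point that a desktop firewall has more information than a network-level filter like PiHole but is also easier for local malware to get around). The extra information is the owning process, and obtaining it is the step a per-application firewall performs before any app rule can apply: on Linux the usual sources are /proc/net/tcp (socket tuple to inode) and the /proc/<pid>/fd symlinks (inode to pid). This is not Portmaster's code and does not claim to be its method; the /proc/net/tcp text, the fd and exe tables and the rule set are constructed for the example, and `read_fd_links_from_proc` is the only part that touches the live system.

```python
"""Socket-to-process attribution, the step a per-application firewall on Linux has
to perform before it can apply an app-specific rule. Added example, not Portmaster
code. The /proc/net/tcp text, the fd tables and the rule set are constructed."""
import ipaddress
import os
from typing import Dict, List, Optional, Tuple

# Constructed /proc/net/tcp: one listening socket owned by uid 0 and one
# established outbound connection owned by uid 1000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B1C6 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""
# Constructed readlink() results for /proc/<pid>/fd/* and /proc/<pid>/exe.
SAMPLE_FD_LINKS: Dict[int, List[str]] = {
    1: ["/dev/null", "socket:[12345]"],
    4242: ["/dev/pts/0", "socket:[67890]", "/home/user/.cache/x"],
}
SAMPLE_EXE: Dict[int, str] = {1: "/usr/lib/systemd/systemd", 4242: "/usr/bin/curl"}

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}  # subset of the kernel's table


def parse_endpoint(field: str) -> Tuple[str, int]:
    """'0100007F:0035' -> ('127.0.0.1', 53). The kernel prints the IPv4 address as
    a host-order 32-bit value, so on little-endian machines the hex bytes are reversed."""
    ip_hex, port_hex = field.split(":")
    ip = ipaddress.IPv4Address(int.from_bytes(bytes.fromhex(ip_hex), "little"))
    return str(ip), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[dict]:
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": parse_endpoint(f[1]), "remote": parse_endpoint(f[2]),
                     "state": TCP_STATES.get(f[3], f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def socket_owner(inode: int, fd_links: Dict[int, List[str]]) -> Optional[int]:
    """A socket fd reads as 'socket:[<inode>]'. Returns the pid holding it, or None
    (process already exited, or its fd directory was not readable)."""
    needle = f"socket:[{inode}]"
    return next((pid for pid, links in fd_links.items() if needle in links), None)


def read_fd_links_from_proc() -> Dict[int, List[str]]:
    """Live counterpart of SAMPLE_FD_LINKS: walks /proc. Other users' fd directories
    are only readable as root, and a process can exit between the /proc/net/tcp read
    and this walk; a firewall has to treat both cases as 'unattributed'."""
    table: Dict[int, List[str]] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        fd_dir = f"/proc/{name}/fd"
        try:
            table[int(name)] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue
    return table


def attribute(remote: Tuple[str, int], proc_net_tcp: str,
              fd_links: Dict[int, List[str]], exe_by_pid: Dict[int, str]) -> Optional[dict]:
    """Find the established socket talking to `remote` and the process behind it."""
    for row in parse_proc_net_tcp(proc_net_tcp):
        if row["remote"] == remote and row["state"] == "ESTABLISHED":
            pid = socket_owner(row["inode"], fd_links)
            return {**row, "pid": pid, "exe": exe_by_pid.get(pid) if pid is not None else None}
    return None


def verdict(conn: Optional[dict], allow: Dict[str, set]) -> str:
    """Per-application rule: executable path -> permitted remote ports.
    A connection that cannot be attributed is blocked, not waved through."""
    if conn is None or conn["pid"] is None:
        return "block"
    return "allow" if conn["remote"][1] in allow.get(conn["exe"], set()) else "block"


if __name__ == "__main__":
    conn = attribute(("192.0.2.10", 443), SAMPLE_PROC_NET_TCP, SAMPLE_FD_LINKS, SAMPLE_EXE)
    print(conn, verdict(conn, {"/usr/bin/curl": {443}}))
```

The default-deny branch in `verdict` is the practical consequence of senden9's point: the inode-to-pid walk races against short-lived processes and needs root to see other users' descriptors, so an endpoint firewall that allows whatever it cannot attribute is trivially bypassed by a process that connects and exits before the lookup completes. Matching on the executable path is also only as strong as the integrity of that path; it identifies the program, not the intent of whoever launched it.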