Portmaster Firewall (Alpha stage)

davegson

From Safing Portmaster
Verified
Top Poster
Developer
Jun 7, 2021
25
I actually stopped using it at v1.0.0

one of the main features I liked was the ability to set which DNS is used on trusted/untrusted zones (this worked in 0.9.6)
so when I was on my trusted home network it would use my Pihole/Unbound recursive servers, and when away from home on public/untrusted networks it used quad9 secure dns

this feature was deprecated in v1.0.0 so have removed it, but hope to try again in the future if the feature is reworked!
thanks for the input. We had more people care about this than we initially thought - our bad! - so we'll be bringing it back. Should be back in one of the next versions - just take note that in the future, once that feature gets replaced with a newer system, one will have to re-configure the different environments. (might still be a bit out though)
 

kC77

Level 5
Verified
Well-known
Aug 16, 2021
230
thanks for the input. We had more people care about this than we initially thought - our bad! - so we'll be bringing it back. Should be back in one of the next versions - just take note that in the future, once that feature gets replaced with a newer system, one will have to re-configure the different environments. (might still be a bit out though)
great thanks!
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,176
Portmaster 1.0 extends the functionality significantly. The free version of the program has gotten more powerful, but there are also paid versions available that extend the functionality.

Free users may download and install Portmaster, and use it without an account. The application displays a short onboarding prompt on start, which configures main features, including use of secure DNS and blocking lists.

The interface has not changed all that much on first glance. The app divides the interface into three main panes. The first sidebar pane displays program features, the second the list of programs and services identified on the system, and the third details about your selection.


[Image: Portmaster application view]



If you select a program from the list, you get detailed networking information. You see the list of allowed and blocked connections, and information on each individual connection. Individual connections may be blocked and the default global parameters changed and customized for this specific application.

There is a lot to explore here, but all of that is optional. Still, you could dive in and block certain traffic for that app. Don't want it to connect to a specific domain? You can make that change effortlessly.

Tech-savvy users find advanced options everywhere in the application. For applications alone, you may switch to blocking all connections by default and allowing select ones only, blocking LAN traffic, or configuring detailed inbound or outbound rules.

A big new feature in Portmaster 1.0 is what the developer calls Side-Dash. It enables you to "easily jump between apps to investigate their connections or quickly jump to their settings".

The free version of Portmaster is a powerful application firewall. Paid plans are available, which extend the functionality and finance development of the open source application.

A core feature is SPN, which stands for Safing Private Network. It is only available in the Unlimited package and allows users to assign one or multiple identities for applications.

You may use it to assign IP addresses to individual apps. Assign a French identity to Netflix, a Canadian to Spotify, and a United States identity to your browser using the feature. It is great for unblocking geographical restrictions or enabling access to content that is limited to certain regions.

According to Portmaster's developer, SPN traffic "goes through multiple servers and is encrypted in layers"; this is similar to how Tor works, as no server has access to the device's IP address and the destination.
 

Zorro

Level 9
Verified
Well-known
Jun 11, 2019
405
Also, I am super thankful to so many of you for testing and giving input on the software! And even though I and we did not manage to be as active as we hoped for - do know I do check and at least read the new posts on this thread on a regular basis. Would ofc do the same if a new thread were created.
Hello. Will there be a translation of the program into other languages?
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
659
Made an image of my system. Then, disabled NextDNS and Adguard in both Chrome and Edge. Installed Portmaster 1.0. With Quad9 at the beginning, then with Cloudflare. Got a 3 seconds delay in Chrome and a 2 seconds delay in Edge. Restored my image.
 

davegson

Made an image of my system. Then, disabled NextDNS and Adguard in both Chrome and Edge. Installed Portmaster 1.0. With Quad9 at the beginning, then with Cloudflare. Got a 3 seconds delay in Chrome and a 2 seconds delay in Edge. Restored my image.
Thanks for the report. Our goal is to provide a great out-of-the-box experience for easy privacy - sorry to hear that did not work for you as expected. I know Windows still has some quirks, where we are currently working on improving the kernel integration. We take it step by step - you'll notice improvements in the longer run for sure!
 

I Walk MY Way

Level 6
Verified
Well-known
May 27, 2013
284

Portmaster really dislikes my VPN. I use AirVPN with DNS blocking, which is probably the problem. I cannot get AirVPN to connect at all. So that's something for you to look into too, because if it's a choice between my VPN and Portmaster, it will be the VPN.

 

davegson


Portmaster really dislikes my VPN. I use AirVPN with DNS blocking, which is probably the problem. I cannot get AirVPN to connect at all. So that's something for you to look into too, because if it's a choice between my VPN and Portmaster, it will be the VPN.

Hey there, the incompatibility is created when both Portmaster and a VPN client hook into DNS. Check your VPN app if you can somewhere disable DNS redirection.

Portmaster needs to hook into DNS in order to understand which connection goes where and to which app it belongs. Without it, users would have to start filtering by IP address, making PM basically useless.

Portmaster automatically secures DNS requests by encrypting them to a secured DNS resolver - which you can configure if you do not like the defaults. You can even set your VPN provider as the resolver if you want. We are all about empowering users.

VPNs, like yours, do sometimes hook into DNS too - creating the compatibility conflict. Their idea is that since you redirect all your normal traffic through them, you might as well redirect all your DNS to them too. Now that comes from good intentions - but if they do not provide a way to disable this behavior, then this goes against user choice.

There sadly is not much we can do other than ask VPN providers to empower users and allow them to disable their DNS integration.

An alternative for technical users like the folks at MalwareTips is to set up Portmaster with the OpenVPN workaround:

Hope this explains the situation.
 

CyberDevil

Level 6
Verified
Well-known
Apr 4, 2021
269
I wonder if PortMaster is still unable to block an application from accessing the network before it connects to the network for the first time?
 

davegson

I wonder if PortMaster is still unable to block an application from accessing the network before it connects to the network for the first time?
Short answer:
  • Linux: Portmaster boots before OS accesses network
  • Windows: currently, some system services have a head start before PM
Details are listed here:
Docs - FAQ - Does Portmaster Protect on Startup

(edit: hope this answers your question - just realized you could have meant something else)
 

CyberDevil

(edit: hope this answers your question - just realized you could have meant something else)
No, I asked about the ability to block a new application from accessing the network before it runs. For example, if I install some unknown application that obviously doesn't need the Internet, it's safer to disable it right away. This is a popular case of using a firewall in my practice. :) You once said that you would think about adding this functionality in the future, if I'm not mistaken.
 

ForgottenSeer 69673

Why is this one of the few programs left to require a reboot to install?(n)
 

davegson

No, I asked about the ability to block a new application from accessing the network before it runs. For example, if I install some unknown application that obviously doesn't need the Internet, it's safer to disable it right away. This is a popular case of using a firewall in my practice. :) You once said that you would think about adding this functionality in the future, if I'm not mistaken.
Aah, yeah - after reading my response my gut told me I was off a bit haha. Anyway, yes, this is now possible. Within the App view, you can "Create Profile"

[Image: create profile.png]


and then define metrics such as a path etc.

[Image: path.png]


This is also useful to create profiles for apps which change the path after each updated version - previously you had to re-configure the settings after each update. Not anymore!

Why is this one of the few programs left to require a reboot to install?(n)

First off, Portmaster integrates into the network stack, it is not an everyday app. Second, to be honest, on Linux this is not the case in 100% of the cases. We still communicate it like that though. Since Linux environments are vastly different, sometimes something somewhere just goes wrong. A reboot fixes a lot of the quirky issues, so we advise everyone to reboot to have a "clean slate" after install. This saves us and the users plenty of time bug hunting when a reboot would just suffice. The same applies for uninstall. Here are examples what might just not work as intended on uninstall:
 

ForgottenSeer 69673

First off, Portmaster integrates into the network stack, it is not an everyday app. Second, to be honest, on Linux this is not the case in 100% of the cases. We still communicate it like that though. Since Linux environments are vastly different, sometimes something somewhere just goes wrong. A reboot fixes a lot of the quirky issues, so we advise everyone to reboot to have a "clean slate" after install. This saves us and the users plenty of time bug hunting when a reboot would just suffice. The same applies for uninstall. Here are examples what might just not work as intended on uninstall:
OK I understand PM should not be used every day(y)
Most mainstream security software does not require a reboot any longer to install. That was a suggested requirement back in the day but not nowadays, unless we are talking a persistent seeking malware LOL
Just to let you know, I have been around much longer than most members at the coveted Wilders and here @ MT. In fact, I was one of the original 1000 members @ Wilders. Just to let you know. I will never touch Wilders again with a 10-foot pole!!!
 

CyberDevil

@davegson Judging by the logs of my NextDNS, for the first couple of minutes after the computer wakes up DNS requests go directly, not through Portmaster, as is shown in my corresponding logs. Maybe the program needs some kind of Killswitch at system startup (at wakeup)? The fact that requests are not filtered for a couple of minutes looks quite unreliable for those who want to build their security model based on your product.

[Image: 2023-01-19 133321.jpg]


In the screenshot you can see that the requests came from an unidentified device, that is, not by DOT/DOH, further they already come from Portmaster.
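
Added example, not part of the post above and not Portmaster or NextDNS code: one way to measure the kind of gap described there from a resolver query log, by grouping plaintext queries that arrive before encrypted DNS (DoT/DoH) resumes. The CSV layout, column names, protocol labels and all sample rows are constructed assumptions; map them to whatever your resolver actually exports.

```python
import csv
import io
from datetime import datetime

# Assumed protocol labels for encrypted transports; adjust to your resolver's export.
ENCRYPTED = {"DoT", "DoH"}

# Constructed sample log (not a real export); columns are assumptions.
SAMPLE_LOG = """\
timestamp,domain,protocol
2023-01-19T13:29:58,time.example.net,UDP
2023-01-19T13:30:04,update.example.com,UDP
2023-01-19T13:31:40,telemetry.example.org,UDP
2023-01-19T13:32:10,mail.example.com,DoT
2023-01-19T13:32:15,cdn.example.net,DoT
2023-01-19T18:02:01,sync.example.com,UDP
2023-01-19T18:02:45,news.example.org,DoH
"""

def parse_log(text):
    """Return (time, domain, protocol) tuples sorted by time."""
    reader = csv.DictReader(io.StringIO(text))
    return sorted((datetime.fromisoformat(r["timestamp"]), r["domain"],
                   r["protocol"].strip()) for r in reader)

def plaintext_windows(rows):
    """Group consecutive unencrypted queries; an encrypted query closes a window."""
    windows, current = [], None
    for ts, domain, proto in rows:
        if proto in ENCRYPTED:
            if current:
                current["closed_by"] = ts
                windows.append(current)
                current = None
        else:
            if current is None:
                current = {"start": ts, "domains": [], "closed_by": None}
            current["end"] = ts
            current["domains"].append(domain)
    if current:
        windows.append(current)  # log ended while queries were still unencrypted
    return windows

def exposure_seconds(window):
    """Time from the first plaintext query until encrypted DNS resumed."""
    return ((window["closed_by"] or window["end"]) - window["start"]).total_seconds()

if __name__ == "__main__":
    for w in plaintext_windows(parse_log(SAMPLE_LOG)):
        print(w["start"], f"{exposure_seconds(w):.0f}s", ", ".join(w["domains"]))
```

Comparing the window start times with the machine's wake or boot times shows whether the plaintext queries line up with resume events.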
 
