Portmaster Firewall (Alpha stage)

[davegson]

Newest Portmaster version v0.22 just got out on "Beta". You will have to set your Release Channel to "Beta" in order to receive the update (for now). The Network Rating - as well as other complicated areas - now have explainer pop-ups attached to them. Would be great to hear your input on this! @valvaris & others

Also, you can now report issues or suggest features from within the Portmaster - with or without a GitHub account



really looking forward to hearing what you all think!

 

[Kongo]

Newest Portmaster version v0.22 just got out on "Beta". You will have to set your Release Channel to "Beta" in order to receive the update (for now). The Network Rating - as well as other complicated areas - now have explainer pop-ups attached to them. Would be great to hear your input on this! @valvaris & others

Also, you can now report issues or suggest features from within the Portmaster - with or without a GitHub account

View attachment 260283

really looking forward to hearing what you all think!

I’m on holiday at the moment but I think I’ll have to try the new version too when I’m back. Thanks for keeping us updated!

 

[Zorro]

Has anyone tried installing this firewall on Kubuntu? Are there any problems?

 

[davegson]

Has anyone tried installing this firewall on Kubuntu? Are there any problems?

there have been community reports that Portmaster works on KDE Plasma in our compatibility section:

Install on Linux - Safing Docs

Documentation for Safing Portmaster

docs.safing.io

In the related GitHub issue somebody also reports in from kubuntu, so you should be fine there. If things changed - though unlikely - just let us know!

 

[AtlBo]

Hello and thanks. I really like this app, but the system "app" icon in the ui seemed to disappear after awhile for me. Don't know if this is normal. I thought the system was always connected.

One difficulty I had was with using connection sharing. I use this PC (with Portmaster) to port the internet to a connected (via ethernet) PC. I ran into this issue using Private Firewall in the past and could not use the program. There was a complicated workaround with Private Firewall that involved I believe 5 rules, but I wasn't sure it could be done safely. Any chance you could add a setting for allowing "This PC to share its internet connection"? Perhaps you could somehow link to the Windows setting for allowing connection sharing also.

Looks very good. Thanks.

 

[Zorro]

In the related GitHub issue somebody also reports in from kubuntu, so you should be fine there. If things changed - though unlikely - just let us know!

After installing on Kubuntu 20.04 I saw one problem. The problem is that after the restart, Portmaster resets the network profile to Trusted (Home network), although I set the Untrusted (Public network) profile before the restart. And if you set the Untrusted level again, then after rebooting the program will change it back to Trusted. Maybe there is already some solution to this problem?

 

[Zorro]

The system tray icon is VERY BIG! It is about twice the size of all other icons Maybe this is a "highlight", but in a number of other icons it does not look very nice

 

[Zorro]

there have been community reports that Portmaster works on KDE Plasma in our compatibility

A lot of zombie processes from Portmaster hang in the Linux system monitor. This is normally?

 

[davegson]

Any chance you could add a setting for allowing "This PC to share its internet connection"? Perhaps you could somehow link to the Windows setting for allowing connection sharing also.

thanks for giving the PM a go @AtlBo - I'll forward this to the devs who can better respond in the coming days.

The system tray icon is VERY BIG! It is about twice the size of all other icons Maybe this is a "highlight", but in a number of other icons it does not look very nice

That is not an intended "highlight". Others have had a more extreme version of this bug happen - check it out in that issue you can also read into what might fix the issue, depending on your system's library versions

The problem is that after the restart, Portmaster resets the network profile to Trusted (Home network), although I set the Untrusted (Public network) profile before the restart.

I can easily reproduce this - definitely an oversight. I created a bug report to properly track this issue.

A lot of zombie processes from Portmaster hang in the Linux system monitor. This is normally?

also pinging the devs to come back to this one.

Thanks folks for all the input!!

 

[Zorro]

That is not an intended "highlight". Others have had a more extreme version of this bug happen - check it out in that issue you can also read into what might fix the issue, depending on your system's library versions

I can easily reproduce this - definitely an oversight. I created a bug report to properly track this issue.

also pinging the devs to come back to this one.

Thanks. Hopefully the portmaster resetting the network status will be fixed, although your colleague does not consider it a bug This is definitely an oversight. I do not know of a single firewall that would itself change the status of the network, despite the status that the user assigns.
With the icon there, everything is difficult for me, since I am not an advanced Linux user Let it be as it is, otherwise I will make myself even more problems
I hope that you will deal with zombies too Maybe because of these processes, Kubuntu began to turn off longer. After installing Portmaster, the system shutdown process took three times longer. If earlier Kubuntu turned off completely in about 10-12 seconds, now it turns off for as long as 30-33 seconds. The system boot process also took about 20 seconds longer.
It is probably too early to talk about the protection of the IPS / IDS. But it would be nice if something like this appeared sometime in the future.
In the Portmaster network monitor, rather detailed information is given about each connection, but it could be done so that in each case Portmaster for each connection would offer a link to a resource that gives even more information, for example, "whois".

 

[dhaavi]

pinging the devs

pong

Any chance you could add a setting for allowing "This PC to share its internet connection"? Perhaps you could somehow link to the Windows setting for allowing connection sharing also.

I don't know on which network level Windows implements this. As the Portmaster blocks incoming connections by default, you'll need to allow that IP address to open connections to your PC. You can do this by either locking for the blocked connection in the Network Monitor and allow that, or just allow that single IP address to the Incoming Rules in the global settings.

Portmaster resets the network profile

This is on track now. The reason that this was not the expected case until now, is that we expect the network rating levels to be mostly controlled by the Portmaster itself by detecting a change in the environment or detecting threats - which is yet to be implemented. With the network rating being a manual thing for now, this of course makes a lot of sense.

A lot of zombie processes from Portmaster hang in the Linux system monitor. This is normally?

No - nice find! I opened an issue: Notifier does not correctly release UI sub process resources · Issue #166 · safing/portmaster-ui

After installing Portmaster, the system shutdown process took three times longer.

This might be caused by nameserver: timed out while waiting for stopfn/workers/tasks to finish · Issue #386 · safing/portmaster - fix in progress.

The system boot process also took about 20 seconds longer.

This is interesting. I will look out for this in the future.

It is probably too early to talk about the protection of the IPS / IDS.

PoC with portscan detection, HTTP and TLS parsing, cert checking, UPnP privacy filtering, ... - no ETA: Adaptive Protection Module by dhaavi · Pull Request #92 · safing/portmaster
(We had to PoC-finish this for completing a funding grant - now on hold again.)

Portmaster for each connection would offer a link to a resource that gives even more information, for example, "whois".

Great idea! I will bring this up with the team.

 

[Zorro]

pong


I don't know on which network level Windows implements this. As the Portmaster blocks incoming connections by default, you'll need to allow that IP address to open connections to your PC. You can do this by either locking for the blocked connection in the Network Monitor and allow that, or just allow that single IP address to the Incoming Rules in the global settings.


This is on track now. The reason that this was not the expected case until now, is that we expect the network rating levels to be mostly controlled by the Portmaster itself by detecting a change in the environment or detecting threats - which is yet to be implemented. With the network rating being a manual thing for now, this of course makes a lot of sense.


No - nice find! I opened an issue: Notifier does not correctly release UI sub process resources · Issue #166 · safing/portmaster-ui


This might be caused by nameserver: timed out while waiting for stopfn/workers/tasks to finish · Issue #386 · safing/portmaster - fix in progress.


This is interesting. I will look out for this in the future.


PoC with portscan detection, HTTP and TLS parsing, cert checking, UPnP privacy filtering, ... - no ETA: Adaptive Protection Module by dhaavi · Pull Request #92 · safing/portmaster
(We had to PoC-finish this for completing a funding grant - now on hold again.)


Great idea! I will bring this up with the team.

Thanks for answers. Only I didn't understand all the abbreviations. I don't know what ETA is. Another proposal could be implemented in the Portmaster to implement a monitor showing open and closed ports, especially noting the state of ports vulnerable to attacks. And also monitor the speed of outgoing and incoming traffic in real time.

 

[davegson]

I don't know what ETA is.

it means Estimated Time of Arrival - but yeah, most abbreviations are not obvious...

Another proposal could be implemented in the Portmaster to implement a monitor showing open and closed ports, especially noting the state of ports vulnerable to attacks.

Could you maybe create a suggestion via GitHub or from within the Portmaster itself? It's easily getting lost here.

And also monitor the speed of outgoing and incoming traffic in real time.

From what I recall this is already planned.

thanks for the suggestions!

 

[Zorro]

Could you maybe create a suggestion via GitHub or from within the Portmaster itself? It's easily getting lost here.

I'll think about it. They said that version 6.22 is already a beta version. There is still a notice on the alpha version on the official website. When is the next software update scheduled?

 

[petok]

I think portmaster firewall will be boss soon and who will replacement mWFC.

 

[davegson]

they said that version 6.22 is already a beta version. There is still a notice on the alpha version on the official website

Wording can be a bit confusing. The Portmaster software generally is in alpha, and will only migrate into beta once we achieved our goals for it (overall stability & better clarity for users).

However, the releases of the Portmaster use standard release vocabulary:

- the stable release channel (default) always grabs the latest stable release
- the beta release channel is used for testing features before all our users get them. I assume this community overlaps a lot with our beta testers.

We just went over the GitHub releases to make things clearer in that regard. Now the current stable release - v0.6.22 as of today - is marked as "Latest release" on GitHub, while beta releases are marked as "Pre-release". Hope that makes sense.

As of the next stable release, it should happen in the next two weeks. The v0.7 series includes a much better monitoring UX, lots of stuff in regards to the SPN and a plenty of bug fixes as well. Naturally you can easily grab features early by switching your Release Channel.

I think portmaster firewall will be boss soon and who will replacement mWFC.

Glad to hear your positivity! doing our best to push things forward. Honestly, the next months will be exciting. SPN development got beyond the "big chunk" which now allows us to take things more iteratively and hence faster I assume. We shall see.

Have a good one everyone!

 

[SpiderWeb]

No Mac version :/

 

[davegson]

No Mac version :/

you can check out the macOS status page for more info on that note. But in the end, it comes down to limited resources. As a small, independent team, we have to cut corners somewhere. I can warmly recommend LuLu or Little Snitch in the meantime.

 

[SpiderWeb]

you can check out the macOS status page for more info on that note. But in the end, it comes down to limited resources. As a small, independent team, we have to cut corners somewhere. I can warmly recommend LuLu or Little Snitch in the meantime.

Thank you. I use nextDNS logs and Analytics as my quasi-firewall right now along with the built-in firefwall set to never allow inbound connections.

 

[CyberDevil]

Glad to hear your positivity!

I went back to PortMaster when I started having problems with pings to DNS through the built-in browser mechanisms + YogaDNS at the system level. It's good to see the project evolving. With Windows 11 + Eset there are no problems.

But I'm surprised that you still haven't fixed the context menu at the tray icon. It gets too big from time to time.

It would be nice if it also will support the dark theme.

Also maybe you should reduce the query interval for searching for updates? So that even after a short disconnect from the Internet, for example when I disconnected from the hotspot while going to another university classroom, Portmaster does not immediately display an update error message?

One more suggestion: you could add a handy interface to connect to DNS servers like NextDNS, like YogaDNS has. Right now I have to form a connection string manually, and I get the IP address for it by pinging the DNS server, but I'm not sure if that IP is static, which could probably cause a problem, also I can't send the client machine name, so I see my laptop as an unknown device in the NextDNS logs.