Portmaster Firewall (Alpha stage)

Zorro
As of the next stable release, it should happen in the next two weeks. The v0.7 series includes a much better monitoring UX, lots of stuff in regards to the SPN and plenty of bug fixes as well. Naturally you can easily grab features early by switching your Release Channel.
Good. Let's wait for the update!
One more suggestion: you could add a handy interface to connect to DNS servers like NextDNS, as YogaDNS has. Right now I have to form a connection string manually, and I get the IP address for it by pinging the DNS server, but I'm not sure if that IP is static, which could probably cause a problem; also I can't send the client machine name, so I see my laptop as an unknown device in the NextDNS logs.
I noticed one thing. After installing Portmaster, a huge number of blocked requests to the server one.one.one.one (1.1.1.1) appeared in the NextDNS log, marked as a bypass method. Every 30 seconds such a request is sent from the device. Do you have the same situation in the NextDNS logs?
 

CyberDevil
After installing Portmaster, a huge number of blocked requests to the server one.one.one.one appeared in the NextDNS log.
I have only 4 such requests in a day, but I have not activated the setting in NextDNS to block bypass methods. Maybe you have so many entries in your logs because Portmaster is trying to find out the IP address for the first connection to the DoT server from 1.1.1.1 and you won't let it do that, which will loop the process.
 

Zorro
I have only 4 such requests in a day, but I have not activated the setting in NextDNS to block bypass methods. Maybe you have so many entries in your logs because Portmaster is trying to find out the IP address for the first connection to the DoT server from 1.1.1.1 and you won't let it do that, which will loop the process.
Perhaps you are right; I can't say for sure, because I don't know :) Maybe the Portmaster developers will explain here what this means.
 

Zorro
I have only 4 such requests in a day, but I have not activated the setting in NextDNS to block bypass methods.
I disabled this setting (bypass methods) in NextDNS and will see how the situation changes, whether there will be the same large number of requests from the system.
 

davegson (Safing Portmaster developer)
Hey there @CyberDevil,

thanks for all the input - great to hear things are smooth for the most part!

But I'm surprised that you still haven't fixed the context menu at the tray icon. It gets too big from time to time.
It would be nice if it also will support the dark theme.
In terms of the tray menu, yeah 😅, that is ugly. This is triggered by the long error message which then loads the maximum width it can get. We need to cut off or shorten the texts in these cases.

Though honestly it is more likely that will be fixed when Portmaster reaches Beta. Same goes for the dark mode fix. In Alpha we are focusing on (1) technical stability and (2) meeting user expectation better/clarity. As we migrate into Beta, we will then focus more on ironing out the UI/UX stuff.

Also maybe you should reduce the query interval for searching for updates? So that even after a short disconnect from the Internet, for example when I disconnected from the hotspot while going to another university classroom, Portmaster does not immediately display an update error message?
The update check happens once an hour OR when you get online. You can read more about why here.

I talked with Daniel whether or not we maybe should replace the "OR" logic with an "AND". I feel your situation and it does seem annoying, however Daniel was a bit cautious about adding more logic into this. It is not simply about changing an operator. I am unsure whether getting off/on the Internet in a frequent interval is an edge case or something people stumble upon more often, which could justify the added logic.

And I must ask, could solving the error behind the error message solve this annoyance for you? Are you primarily concerned about the query interval or the error? Happy to hear thoughts from others on this topic as well.

One more suggestion: you could add a handy interface to connect to DNS servers like NextDNS, as YogaDNS has. Right now I have to form a connection string manually, and I get the IP address for it by pinging the DNS server
I did check the YogaDNS screenshots and it does seem handy, but from our perspective this opens up a can of worms. Which providers get those fancy buttons? Are those trustworthy? Do they respect user privacy? What happens if one of those is involved in a scandal? Our reputation is at stake too. That is why we went for a limited choice and explained that choice in detail.
And to still empower user choice, we have a dedicated docs site to help with all the other options, alongside NextDNS. But since I assume you did not know about this yet we should probably rethink how to improve linking to those resources...

I'm not sure if that IP is static, which could probably cause a problem, also I can't send the client machine name, so I see my laptop as an unknown device in the NextDNS logs.
As far as I can tell IPs from DNS providers are static, at least it is in the interest of the provider. In many systems you have to manually add the IP. In terms of sending the client machine name not working, could you maybe chime in and re-open this GitHub issue to further describe what does not work.
 

davegson (Safing Portmaster developer)
Hey there @SFox,

thanks for inspecting the PM and your input too, super appreciated!
I noticed one thing. After installing Portmaster, a huge number of blocked requests to the server one.one.one.one (1.1.1.1) appeared in the NextDNS log, marked as a bypass method. Every 30 seconds such a request is sent from the device. Do you have the same situation in the NextDNS logs?
Yes, as @CyberDevil assumed, the blocking triggers a loop. I also went over this with Daniel and referenced the two code parts triggering this. [1], [2]

How to best resolve this issue is not too straightforward, as it has technical and privacy implications. Daniel is much better equipped to give more details and he will chime in with a response later, likely next week.

Have a good weekend all!
 

Zorro
Hey there @SFox,

thanks for inspecting the PM and your input too, super appreciated!

Yes, as @CyberDevil assumed, the blocking triggers a loop. I also went over this with Daniel and referenced the two code parts triggering this. [1], [2]

How to best resolve this issue is not too straightforward, as it has technical and privacy implications. Daniel is much better equipped to give more details and he will chime in with a response later, likely next week.

Have a good weekend all!
Hi. Thanks for the kind words.
Does this blocking somehow affect the work of the Portmaster? I disabled the bypass function in the Next DNS settings, as I thought that perhaps this blocking could somehow negatively affect the Portmaster's work. But for other users, perhaps this option is important in the Next DNS, and if they use Portmaster, they will have the same problem.
 

Zorro
Yes, as assumed, the blocking triggers a loop.
Hi. Remember when I wrote about zombie processes in the Linux system monitor? Apparently, they were related to the enabled blocking option in NextDNS. As soon as I turned off this option, the zombie processes no longer appeared in the system monitor. Apparently they were related to a process loop caused by the blocking.
There was also a small problem. The program icon in the system tray began to disappear from time to time. After a reboot it reappears, but after 2-3 system boots it may disappear again. As for the rest, I do not see any visible problems yet.
I hope that in the future the program will show the amount of incoming / outgoing traffic for each program and the speed of the Internet connection.
I read information on the official website, read discussions on other forums. And if I understood correctly, at the moment Portmaster does not protect (and does not even notify the user) ports from being scanned by special programs (for example, Nmap)?
 

dhaavi (Safing Portmaster developer)
Thanks all for your great feedback and questions! Please ping me if I missed to cover a technical question below that you wanted an answer to.

The update check happens once an hour OR when you get online.
With the fix mentioned below, we fixed an issue with Portmaster not correctly detecting connectivity. It may have detected connectivity too early in the past, meaning it would attempt to update when there is no connection yet. So, this _might_ work a lot better now.

Yes, as @CyberDevil assumed, the blocking triggers a loop. I also went over this with Daniel and referenced the two code parts triggering this. [1], [2]
We use one.one.one.one -> 1.1.1.1 as a check if DNS resolved correctly during connectivity testing. What we like about using one.one.one.one is that (1) it is not suspicious - we don't like to broadcast to the network that the Portmaster is running on a device - and (2) the returned IP address will (very likely) never change.
We did not think about other systems blocking that domain though, which caused the Portmaster to retry it.

This problem reached us in a fortunate time window and we have already implemented and released a fix for that: If resolving one.one.one.one is not successful, we now use dns-check.safing.io as a fallback, which makes it obvious the Portmaster is at work, but we need a guarantee on the returned IP address for the check to reliably work.
Does this blocking somehow affect the work of the Portmaster?
No, there was no impact, just that the Portmaster would think it is only "semi online". But, as laid out above, this should now be resolved anyway.

Remember when I wrote about zombie processes in the Linux system monitor? Apparently, they were related to the enabled blocking option in NextDNS. As soon as I turned off this option, the zombie processes no longer appeared in the system monitor.
Interesting. From what I saw when I looked into this, this should not be related.

The program icon in the system tray began to disappear from time to time. After a reboot it reappears, but after 2-3 system boots it may disappear again.
Until now we've only had problems with the Tray Notifier appearing multiple times. We use a PID-lock for the notifier. What could have happened is that the notifier failed to clean up after itself (hard shutdown?) and then the PID from the old PID-lock of the notifier was taken by another process, letting the notifier think that there is already an active instance running.

I hope that in the future the program will show the amount of incoming / outgoing traffic for each program and the speed of the Internet connection.
We definitely want to do this, but this isn't easy to do while keeping things as fast as they are. On Linux, we'd have to find a whole new way to interact with the network stack; on Windows we'd need to add support for counting data in the kernel extension. So, it'll come, but it'll take some time.

And if I understood correctly, at the moment Portmaster does not protect (and does not even notify the user) ports from being scanned by special programs (for example, Nmap)?
What do you mean exactly by "protect"? We cannot stop packets from arriving at your device.
Currently, Portmaster drops incoming packets it does not allow, meaning that a scan will not be able to see open ports that are not allowed to accept connections by Portmaster. In my opinion, that ticks the "protect" box.
In addition, we have a portscan detection system in progress (no ETA!), which will outright block all communication with an IP that is scanning your device, even when scanning allowed ports. This will also have notifications.
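The connectivity check dhaavi describes above (resolve one.one.one.one, require the answer to be 1.1.1.1, fall back to dns-check.safing.io when the first name is blocked), written out as an added example. This is not Portmaster's own code: the Resolver type, the Sinkhole fake, the Backoff schedule and the 203.0.113.10 address pinned for the fallback domain are all assumptions made for the example. What it shows is the part of the thread's fix that matters for a filtering resolver like NextDNS: a probe only passes when the answer contains the pinned address (a 0.0.0.0 sinkhole or NXDOMAIN fails it), a failed probe moves on to the next name instead of retrying the same blocked one, and retries back off rather than firing every 30 seconds.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Resolver is the only external dependency of the check. A real client would
// wrap (&net.Resolver{}).LookupIP; the stand-alone run below injects a fake.
type Resolver func(domain string) ([]net.IP, error)

// Probe pairs a check domain with the single address it must resolve to.
type Probe struct {
	Domain   string
	Expected net.IP
}

// DefaultProbes lists the checks in order of preference. one.one.one.one ->
// 1.1.1.1 is the check described in the thread. The fallback domain is the one
// named in the thread, but the address pinned for it here is an assumption (a
// TEST-NET-3 address); without a pinned answer the probe proves nothing.
var DefaultProbes = []Probe{
	{Domain: "one.one.one.one", Expected: net.ParseIP("1.1.1.1")},
	{Domain: "dns-check.safing.io", Expected: net.ParseIP("203.0.113.10")}, // assumed
}

// CheckDNS reports whether any probe resolved to its pinned address and which
// domain did. NXDOMAIN, a 0.0.0.0 sinkhole answer, or a rewritten answer all
// fail that probe; the next probe is tried instead of retrying the blocked name.
func CheckDNS(resolve Resolver, probes []Probe) (ok bool, via string) {
	for _, p := range probes {
		ips, err := resolve(p.Domain)
		if err != nil {
			continue
		}
		for _, ip := range ips {
			if ip.Equal(p.Expected) {
				return true, p.Domain
			}
		}
	}
	return false, ""
}

// Backoff returns the delay before retry number attempt (0-based), doubling
// from base and capping at maxDelay. A fixed 30 s retry on a blocked name is
// what filled the NextDNS log in the thread; a capped exponential backoff keeps
// retry traffic bounded when every probe is blocked.
func Backoff(attempt int, base, maxDelay time.Duration) time.Duration {
	d := base
	for i := 0; i < attempt && d < maxDelay; i++ {
		d *= 2
	}
	if d > maxDelay {
		d = maxDelay
	}
	return d
}

// Sinkhole is a constructed filtering resolver: the blocked name gets 0.0.0.0
// (how many DNS filters answer for blocked names), names in answers resolve
// normally, everything else is NXDOMAIN.
func Sinkhole(blocked string, answers map[string]string) Resolver {
	return func(domain string) ([]net.IP, error) {
		if domain == blocked {
			return []net.IP{net.IPv4zero}, nil
		}
		if ip, found := answers[domain]; found {
			return []net.IP{net.ParseIP(ip)}, nil
		}
		return nil, fmt.Errorf("NXDOMAIN: %s", domain)
	}
}

func main() {
	// NextDNS-style filter that blocks the first probe but not the fallback.
	filter := Sinkhole("one.one.one.one", map[string]string{
		"dns-check.safing.io": "203.0.113.10",
	})
	ok, via := CheckDNS(filter, DefaultProbes)
	fmt.Printf("online=%v via=%q\n", ok, via) // online=true via="dns-check.safing.io"

	// Everything blocked: the client backs off instead of hammering the resolver.
	ok, _ = CheckDNS(Sinkhole("one.one.one.one", nil), DefaultProbes)
	for attempt := 0; !ok && attempt < 6; attempt++ {
		fmt.Println("retry in", Backoff(attempt, 30*time.Second, 10*time.Minute))
	}
}
```

The pinned-address comparison is also what makes the check resistant to a captive portal or a DNS-rewriting middlebox: an answer that is "some IP" is treated as a failure, not as connectivity.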
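The PID-lock failure dhaavi describes (a stale lock whose PID has since been handed to an unrelated process, so the notifier believes an instance is already running) can be closed by recording something alongside the PID that changes when a PID is recycled. The following is an added example, not Portmaster's notifier code: the ProcessInfo lookup, the "pid:startToken" record format and the FakeTable process table are assumptions made for the example. On Linux the token would be the start time field from /proc/<pid>/stat, on Windows the process creation time; a live PID with a different token is treated as a stale lock, not a held one.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ProcessInfo reports whether pid is alive and returns a token that changes
// whenever the pid is recycled (process start time on Linux/Windows). Assumed
// abstraction for this example; the stand-alone run injects a fake table.
type ProcessInfo func(pid int) (startToken string, alive bool)

type LockState int

const (
	LockFree   LockState = iota // no live owner: safe to take over
	LockHeld                    // a live instance with a matching token owns it
	LockBroken                  // unreadable record: report it, do not guess
)

func (s LockState) String() string {
	switch s {
	case LockFree:
		return "free"
	case LockHeld:
		return "held"
	default:
		return "broken"
	}
}

// ParseLock reads the "pid:startToken" record a previous instance wrote.
func ParseLock(record string) (pid int, token string, err error) {
	parts := strings.SplitN(strings.TrimSpace(record), ":", 2)
	if len(parts) != 2 || parts[1] == "" {
		return 0, "", errors.New("malformed lock record")
	}
	pid, err = strconv.Atoi(parts[0])
	if err != nil || pid <= 0 {
		return 0, "", errors.New("bad pid in lock record")
	}
	return pid, parts[1], nil
}

// Classify decides what an existing lock record means. A pid that is alive but
// carries a different start token is a recycled pid (the case described in the
// thread), so the lock is stale and free. A pid-only check would report "held".
func Classify(record string, procs ProcessInfo) LockState {
	pid, token, err := ParseLock(record)
	if err != nil {
		return LockBroken
	}
	current, alive := procs(pid)
	if !alive || current != token {
		return LockFree
	}
	return LockHeld
}

// LockRecord builds the record a new instance writes for itself.
func LockRecord(pid int, procs ProcessInfo) (string, error) {
	token, alive := procs(pid)
	if !alive {
		return "", fmt.Errorf("pid %d not found in process table", pid)
	}
	return fmt.Sprintf("%d:%s", pid, token), nil
}

// FakeTable is a constructed process table mapping pid -> start token.
func FakeTable(table map[int]string) ProcessInfo {
	return func(pid int) (string, bool) {
		token, alive := table[pid]
		return token, alive
	}
}

func main() {
	// pid 4242 was the notifier (start token 1700000000) before a hard
	// shutdown; the same pid now belongs to an unrelated process started later.
	procs := FakeTable(map[int]string{4242: "1700005555", 900: "1700001000"})
	fmt.Println(Classify("4242:1700000000", procs)) // free: recycled pid
	fmt.Println(Classify("4242:1700005555", procs)) // held: same pid, same start
	fmt.Println(Classify("777:1700001000", procs))  // free: pid is dead
	fmt.Println(Classify("pid=777", procs))         // broken
	if rec, err := LockRecord(900, procs); err == nil {
		fmt.Println(rec) // 900:1700001000
	}
}
```

Writing the record with an exclusive create (O_EXCL) and removing it on clean exit still matters; the token only decides what to do with a record that was left behind.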
 

Zorro
What do you mean exactly by "protect"? We cannot stop packets from arriving at your device.
By protection, I meant stealth mode. "In addition, we have a portscan detection system in progress" - maybe this is it.
This problem reached us in a fortunate time window and we have already implemented and released a fix for that: If resolving one.one.one.one is not successful, we now use dns-check.safing.io as a fallback, which makes it obvious the Portmaster is at work, but we need a guarantee on the returned IP address for the check to reliably work.
Fine. I will re-enable the bypass methods setting in NextDNS and see how things work.
Interesting. From what I saw when I looked into this, this should not be related.
Maybe this is not interconnected. But at the moment there are no zombie processes in the system monitor.
 

Zorro
Hey there @davegson and @dhaavi
A small idea came to mind. The Portmaster indicator in the system tray is light green when everything is normal, and once I noticed a red color when the program was restarting to install updates. That gave me an idea. If Portmaster has three network zone modes (Trusted, Untrusted and Dangerous), then perhaps it would be more convenient for the user if the color of the indicator in the system tray corresponded to the network zone mode. For example, leave light green for the Trusted zone, light yellow for the Untrusted zone, and light orange for the Dangerous zone. In case of any problems or malfunctions, leave the color red.
Thus, if the network zone mode changes, for example automatically by the program itself, the user will be in the know. Or, for example, if a user comes with his laptop to a cafe and decides to use the free Wi-Fi, he will not forget to change the network zone mode when he sees that the green color corresponding to the Trusted zone is on and needs to be switched to Untrusted.
It would be great if Portmaster, when connecting to a new unknown network, set the Untrusted zone mode by default, notifying the user about this in a pop-up notification lasting no more than 15 seconds and offering to change the mode for this network if the user wants it, and also to save the change on a permanent basis, or to save this mode for this network once, for the current session.
This is how it might look in practice. I use my laptop at home, where it sits behind the router, so I am secure and on a Trusted network. I have a green Portmaster indicator in the system tray, and this network is entered in the Portmaster settings on a permanent basis as Trusted. When I take this laptop with me to the office and connect it to the office Wi-Fi network, Portmaster automatically changes the network zone mode to Untrusted, suggesting in a pop-up notification either to save this mode for this network for one session, or to remember this mode for this network on an ongoing basis, or to classify this network as Trusted or Dangerous. Since I go to work all the time, I choose the Untrusted network mode on an ongoing basis, and in the future Portmaster will switch the mode from Trusted to Untrusted every time I connect to the office Wi-Fi network.
After work, on my way home, I decide to stop by a cafe for a snack. The cafe has free Wi-Fi, which I decide to use. Portmaster, having discovered a new network, displays a notification as in the case of the office Wi-Fi, but since I almost never visit this cafe (unlike the office), I choose the Untrusted mode for this cafe Wi-Fi network for the current session only. Or I select the Dangerous zone mode. Portmaster will not remember this network on a permanent basis, since I do not use this network all the time and I do not want the program to remember it. Each time the color of the Portmaster indicator will correspond to the network zone mode, and I will clearly see in which mode the program is running.
Thanks for reading :)
 

davegson (Safing Portmaster developer)
Hey @SFox, thank you so much for those thoughtful ideas!

First off, a feature to have Portmaster remember and auto-switch the network rating was planned from the get-go. But that feature had to be cut out due to other things being more important for the moment. You can find the "Auto Pilot" easter-egg when you switch to the "Developer UI Mode" 😉

And sadly for you, it will probably take a while until our priority shifts to this. Especially with our most recent work where we will simplify the settings for normal users altogether in order to remove a big part of the learning curve. Meaning the default will be normal On/Off switches, and advanced users will have to enable Network Ratings / Threat Modeling. You can read up on that via the link in my next post.

However, what I really liked about your suggestion was the colored indicator showing in which Network Rating you are at the moment. You can click on the notifier to see this, but I agree, why click once when it would be possible not to click at all? :)

I did take a note so when we do rework the different Network Ratings / Threat Model Profiles, your input will be part of the discussions too. In my raw, brainstormy thoughts I would love Portmaster users to be able to create a custom amount of Profiles/Ratings, and customizing each name and even attaching a color and an icon to it which then is displayed throughout different elements. As mentioned super raw, but thanks for your ideas - already influenced my thoughts on the topic!

cheerio
 

davegson (Safing Portmaster developer)
Short update for all interested: the next features we are currently working on are an RPM package, submission to the Arch User Repository (AUR), an Improved PKGBUILD, a Compatibility Assistant & Simplifying All Portmaster Settings

Have a great weekend!
 

ddave
Short update for all interested: the next features we are currently working on are an RPM package, submission to the Arch User Repository (AUR), an Improved PKGBUILD, a Compatibility Assistant & Simplifying All Portmaster Settings

Have a great weekend!
If I were you, I'd release the software as a Flatpak instead of an RPM package.
A Flatpak can be installed on almost every distro and you don't risk any issue with installing an RPM built for another distro.
For example, an RPM built for Fedora is not always compatible with other RPM-based distros like openSUSE or Mageia.
IMHO the best way is to release a Flatpak package into the Flathub repo.

@davegson Why did you decide to use Cloudflare with malware filter as the default choice instead of Quad9, which has a more powerful filter and better privacy policies?
Check this about DNS malware filtering:
Thank you for your time.
 

Zorro
Hi @davegson. Thank you, I was glad to help with ideas.
I saw that in the Network Monitor in Portmaster, blocked connections are marked not with a red dot (dash) but with a gray one, although they were previously marked with a red dot. If you expand the detailed information about a blocked process, then a red dot is lit there. Why, then, are blocked connections marked with a gray dash in the list instead of a red one? It is more convenient and clearer when blocked connections are marked in red.
And one more question. Will there be a light theme for the program? The dark theme, of course, is in trend, but sometimes a program looks good in a light theme.
And I also wanted to say that there are no program icons in Portmaster's network monitor. Instead, there are multi-colored circles with the first letter of the program name. I don't know how it is on Windows, but in the Linux version there is no icon for any program in Portmaster's network monitor. Add program icons to the display in Portmaster's network monitor, at least for the most common and popular ones.
 

dhaavi (Safing Portmaster developer)
best way is to release a Flatpak package
Portmaster is a system service, which is a non-use case for Flatpak. Additionally, we actually install three different components, while Flatpak and Snap can only do one. This is "as far as we researched" - happy if someone can prove us wrong. ;)

Why did you decide to use Cloudflare with malware filter as the default choice instead of Quad9
We actually started out with Quad9. At some point we had technical difficulties with their service. I even was directly in contact with their Executive Director over this. We were unable to resolve the issue back then, so we'd opted to switch to Cloudflare in the meantime, but we haven't had time for a re-evaluation since then.

in the Linux version there is no icon for any program
The only reason we have icons on Windows is that (disgusting) Electron has a single function call to get them. ;)
Additionally, program icons on Linux are a bit of mess. But they'll come - when it becomes important enough.

blocked connections are marked not with a red dot (dash), but with a gray one
I'll let @davegson dive into this one.
 

davegson (Safing Portmaster developer)
@davegson Why did you decide to use Cloudflare with malware filter as the default choice instead of Quad9, which has a more powerful filter and better privacy policies?

Some additional details on the Default DNS Provider topic:
How Safing Selects its Default DNS Providers

Thanks for your input - we will revisit this at some point.

I saw that in the Network Monitor in Portmaster, blocked connections are marked not with a red dot (dash) but with a gray one, although they were previously marked with a red dot. If you expand the detailed information about a blocked process, then a red dot is lit there. Why, then, are blocked connections marked with a gray dash in the list instead of a red one? It is more convenient and clearer when blocked connections are marked in red.
The difficulty is we have three states: blocked, allowed and failed. We could represent all three states as colors within the bar, but that would add more colors to an already colorful UI and likely overwhelm the user.

We decided to only highlight the allowed connections. So even though the new solution is not as explicit in some cases, it gives a much better answer to what we believe are the most common questions a user has:
  • How many connections is an app making?
  • How many connections is that app allowed to make?
With the bar, you easily see the total amount of connections and a rough percentage of what is allowed. Before, we just had a grey dot which could mean anything between 1% blocked and 99% blocked.

I assume you probably trained yourself to check whether an app's connections are fully blocked by checking for the red dot. Now instead you can just check for a fully grey bar which implies all connections were blocked.

Will there be a light theme for the program?
I took note on the Light Theme, here is the GitHub issue about that:
Add a Light Theme · Issue #169 · safing/portmaster-ui
 

Zorro
I assume you probably trained yourself to check whether an app's connections are fully blocked by checking for the red dot. Now instead you can just check for a fully grey bar which implies all connections were blocked.
Good. And once again about zombie processes. After a reboot (a reboot specifically, not just turning the system on), one zombie Portmaster process appears in the Linux system monitor (there were 4 such processes before, now there is one). If you just turn on the computer, then there are no zombie processes in the Linux system monitor.
 
