A firewall with a configuration interface running on Electron, just like the horrid free AV solutions for Windows back in the day :) Can't be too critical of that because the developers have already expressed their dislike of Electron on the website, and it makes sense that they won't drop everything for a huge UI rewrite.
This entire thing seems incredibly polished, I'm surprised I haven't heard of this before. For every question and potential limitation for my use cases there seems to be an explanation on their FAQ. I'm definitely going to take this for a spin! Too bad there's no AUR package ready to go yet because I don't really want the burden of updating manually, but all in good time I suppose.
Here's my take on Electron and anything else resource-intensive: if your UI is either short-lived (like a configuration window) or the main thing you're using (like an IDE), I don't really care how much RAM or anything else it uses.
A firewall configuration window falls in the first category - you only open it very occasionally and for not very long, so it doesn't really matter how heavy it is. Where Electron (or similar) is really bad are things like Discord, Slack, Spotify, Teams, etc. where you'll likely be running many of them all the time, while you're doing other things that need those resources.
For several years now, I've been an advocate for either "uninstalling" the default route on (most) hosts and/or switching to a default deny policy for outbound traffic, just like we all did for inbound traffic a long time ago.
I'll readily admit that the amount of work required in order to do this is HUGE and, of course, it isn't gonna happen overnight. Every time we have another one of these massive vulnerabilities that affects damn near everything and everybody, though, I think we get just a little bit closer.
Once some large company makes the decision to do it, then actually does it, then (at some point down the road) shares publicly how it totally saved their ass when $thing happened, maybe some CISOs will start to take notice and (eventually) follow suit.
As with IPv6, I remain hopeful that we'll get there at some point in my lifetime! Unfortunately, though, I'm sure it'll take a lot more "bad shit" happening first.
I'm assuming you're using a stateful packet filter when you're talking about this? Otherwise you'll break all kinds of stuff.
CISOs care about security but you'll find that most developers/users do not at all and it's like pulling teeth to get anything done. It'd likely be better to get all developers basic security training and automated code vulnerability scanning tools.
That's what I did at my last role, and it was made infinitely easier because I was the first engineer and it was greenfield development.
Our backend used a combination of network policies to only allow outbound TCP connections to a handful of forward proxies, each of which was one simple, easy to verify nginx server that forwarded to https://saas.service.example.com.
And on days when we learned of new supply chain vulnerabilities, we didn't have a security incident.
Ooooo nice, I've been using Little Snitch for MacOS lately--it's been shocking how many things phone home, especially development tools. I installed Redhat's YAML extension for VS Code, and it was immediately trying to send a message home.
> I installed Redhat's YAML extension for VS Code, and it was immediately trying to send a message home.
This frustrates me so much! I have not touched VS Code, which is otherwise a decent editor, for a while because of all these shenanigans with the extensions.
Can't recommend Little Snitch enough, been using it for 7-8 years now. Extremely useful to prevent any unencrypted connections on wifi you don't trust (which I also used to prevent unencrypted connections when I'm in countries with internet censorship) and for peace-of-mind that some random application won't try to exfil data.
Automatic switching between profiles based on connection type (wifi, different VPN servers, etc.) is the cherry on top.
Running LS is both amazing for what it does, and depressing for what you see.
As for the VSCode extension, do you have telemetry disabled in Code globally? The Red Hat extensions are supposed to respect that preference for any telemetry they send. If you're seeing otherwise, please file a bug if you can.
Damn, looks like a nice free competitor to Glasswire which I'm currently using (which also has an extremely usable free option).
Like Glasswire though I'm guessing this doesn't alert on common traffic like DNS lookups via the host, which would still allow malicious software to get traffic in and out unseen.
The Portmaster actually handles DNS itself and will show you DNS queries in the UI. (Currently, only showing DNS queries that were _not_ served from cache.)
Also, Portmaster actually has its own kernel module in Windows and sees more than Glasswire.
Portmaster sends queries over DNS-over-TLS to protect them and has (very) basic protection against data tunnels.
Yes, this is rather unfortunate. There are also some more "portmaster" things around, which were partly mentioned in an older HN thread.
We thought about a rebrand, but it's just way too expensive right now, as we are still bootstrapping.
I also don't think that there is an immediate issue, as both application domains and presence on operating systems don't interfere.
If you think otherwise, please share your thoughts!
This looks interesting, though it's not entirely clear how it works. The docs go relatively in depth into the code structure, but it doesn't do much else.
Looks like they implemented their own Windows kernel driver [1] [2] for intercepting packets. And since I see BOTH domain names and applications that won't trust custom SSL CA in their website, I guess they get the domain name from the SSL handshake packets (SNI) [3], which is in plaintext.
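Because the SNI travels in the clear in the ClientHello, a host firewall can recover the intended hostname without touching the TLS session itself. As an added illustration (not Portmaster's code), here is a minimal Python parser for that field, run against a constructed ClientHello; `extract_sni` and `build_client_hello` are hypothetical helper names.

```python
import struct
from typing import Optional

SERVER_NAME_EXT = 0  # TLS extension type for server_name (SNI)

def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a TLS ClientHello record, else None.
    Returns None for non-handshake records, for a ClientHello without SNI,
    and for truncated input (bounds errors are caught, not propagated)."""
    try:
        if len(record) < 5 or record[0] != 0x16:    # 0x16 = handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + rec_len]
        if len(body) < rec_len or body[0] != 0x01:  # truncated / not ClientHello
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:
            return None
        pos = 2 + 32                                 # client_version + random
        pos += 1 + hello[pos]                        # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]                        # compression_methods
        if pos + 2 > len(hello):
            return None                              # no extensions block at all
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != SERVER_NAME_EXT:
                continue
            # server_name: list_len(2), then entries of type(1) len(2) name
            p, list_end = 2, 2 + struct.unpack("!H", data[0:2])[0]
            while p + 3 <= list_end:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + name_len]
                if name_type == 0 and len(name) == name_len:  # 0 = host_name
                    return name.decode("ascii")
                p += 3 + name_len
            return None
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def build_client_hello(host: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello (constructed test data)."""
    exts = struct.pack("!HH", 0x0017, 0)             # unrelated, empty extension
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        exts += struct.pack("!HH", SERVER_NAME_EXT, 2 + len(entry))
        exts += struct.pack("!H", len(entry)) + entry
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"    # version, random, no session id
             + b"\x00\x02\xc0\x2f" + b"\x01\x00"     # one cipher suite, null compression
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```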
I prefer this to SimpleWall, but it's kind-of heavy (both the UI and the service) resource-wise - so I don't run it always, just after big Windows Updates to make sure they don't add new "phone home" "functionality". OSS is also a super nice plus.
We are trying to improve on this. Would be great if you could create a GitHub issue so we can have a look. You can also easily do this from within the UI.
Another day, another name collision; portmaster is also the name of a FreeBSD ports management utility that's been pretty widely-used for well over a decade now.
> Country does not match with the country prefix for your phone number
Fishy.
And if you check country prefix with the list of country prefixes anyway... Why do you even bother with country AND prefix?
> The Portmaster actually handles DNS itself and will show you DNS queries in the UI
Yikes.
What about the DNS resolvers configured in the system? Do you hijack/overwrite them? [0]
I use my own Unbound locally; how would Portmaster handle queries for NSs in the Unbound config which are unknown to the world - leak them?
How about QNAME minimization?
Where exactly would Portmaster send the DNS queries?
Actual kernel module on Windows so it really can do anything it wants and wouldn't be caught by the machine itself?
Yikes.
Overall, this is the product which could be useful for many users, but for me it's a hard no.
The "SPN" idea is interesting, but also raises the questions about who, where and how would control exit nodes.
I was pleasantly surprised that this is a Windows first application! I was scrolling through the page thinking "yet another lovely UI for a good problem to solve but surely this will be OSX" and then bam, Windows and Linux now, Mac coming later.
Ever since moving away from Mac about 8 years ago I've missed Little Snitch. I'll give this a try I think.
Pity about the name, those of us who were around when the internet took off out of its original walled garden will likely remember a "portmaster" as one of the first affordable SLIP routers for those trying to create what were later called "ISPs".
Asking here as it is tangentially related, but is anyone aware of a way to route traffic on a specific port through a VPN while leaving other ports open? I have spent days looking for a solution to this and haven’t found any concrete answers. Hardware, software, anything.
Yes, that is possible but generally not natively in most applications and end-user operating systems.
Without native support, traffic control like that requires something like pf or iptables to manage the traffic you want to treat differently. This means something like an outbound firewall that does a different NAT or different route or different redirect (generally packet rewriting). If you want to scope it to more than just a port or IP (or a range of them) and be specific to an application, you'd be needing some type of socket filter which works at the socket level in the OS. Applications generally use sockets to interface with the network, and those sockets are provided by the OS and thus it can control the aspects of those.
Without those, you can also have a dedicated interface for the 'special' traffic.
Some applications allow you to specify an outgoing interface, for those you can have them use a specific interface and have a firewall rule that redirects that port. Others don't, and you'd have to encapsulate them in a namespace (i.e. a docker container) or VM which then 'creates' that dedicated interface your application would have to use. Then you can pipe that interface through your packet filter of choice and achieve the same thing.
Alternatively you can pipe all of the traffic of such a 'packaged' setup through your VPN. Since you'll only be running your application inside that configuration, only it would be affected.
Today, when I find myself in a scenario where I need some of this, I either have created a situation that is problematic to begin with (i.e. trying something silly that shouldn't be done in the first place) or I'm trying to simulate something like an L2 protocol over an L3 VPN for remote debugging. I've found that everything in the first category generally is a waste of time to work with anyway.
I did something similar with docker. I ran both OpenVPN client and SSH client inside a docker, so only the SSH client would be affected by the OpenVPN controlling the container network. And by telling the SSH client to port forward, and by exposing the same port forward from the docker to the local computer, I could use it to travel through the VPN while all other ports on the local computer were unaffected.
Seeing it, I remember a firewall management GUI that was one of the first easy and simple ones, "firestarter"; sadly it was discontinued some time ago, before Ubuntu released their "ufw", which was very similar.
This tool seems promising.
Thank you so much for both being open about your monetization strategy (which seems reasonable to me) and having a well written, easily found privacy policy!
It's too bad that Black Ice firewall doesn't work on modern Windows. It was light years ahead of Portmaster's design and functionality even back in the late 90s (at least until IBM bought and ruined it). It seems like it's impossible for software to be self contained these days.
Right, I used to have a firewall that could whitelist apps in the 90s on Windows (can't remember the name)... iptables can't even do that as far as I know... but there is https://github.com/evilsocket/opensnitch that I still need to try (I no longer use Windows).
We have not investigated too much into this topic - but from what we know it would probably be easier to implement a bandwidth cap than monitoring the bandwidth.
And from a priority perspective it is likely to take a while until we get to these topics, our focus lies elsewhere at the moment.
Looks great. One issue to note is that it's not supported in MacOS. I wonder if this is due to the MacOS API sandboxing changes that occurred recently?
Correct. We were already investigating how to do it when Apple announced that they will ditch their kernel extensions. We then put it on hold to wait for the changes. Been on hold since, because of resource focus to get it out already. ;)
dhaavi | 4 years ago
Yes, we dislike Electron and tried another route before switching to it. We have our hopes up for the new Microsoft Edge WebView2, which I hope to evaluate soon: https://developer.microsoft.com/en-us/microsoft-edge/webview...
The Portmaster updates itself automatically, and you can use the PKGBUILD for installation until we start publishing it to the AUR near-term.
nmstoker | 4 years ago
https://github.com/evilsocket/opensnitch
I don't use it all the time but it is occasionally useful (or just satisfies my curiosity about what's phoning home)
pmontra | 4 years ago
https://www.tecmint.com/iftop-linux-network-bandwidth-monito...
Of course it has no firewall.
bifrost | 4 years ago
https://cgit.freebsd.org/ports/tree/ports-mgmt/portmaster
yonixw | 4 years ago
[1] https://github.com/safing/portmaster/blob/22507e879be95c7b0f...
[2] https://github.com/safing/portmaster-windows-kext
[3] https://en.wikipedia.org/wiki/Server_Name_Indication
dhaavi | 4 years ago
Can you explain what you expected? Maybe you can find a good example. We really want to improve on this.
justsomehnguy | 4 years ago
[0] https://docs.safing.io/portmaster/settings#dns/nameservers says they are forwarding to Cloudflare by default. /Great/
yonixw | 4 years ago
Here is my code for reference: https://github.com/yonixw/ssh-vpn-docker
evolve2k | 4 years ago
So folks what are the good MacOS alternatives currently?
vladvasiliu | 4 years ago
I've been a happy user for many years, now.
It's not free, though.