Portmaster Firewall

Discussion in 'other firewalls' started by dhaavi, May 27, 2021.

  1. dhaavi

    dhaavi Registered Member

    Joined:
    Apr 28, 2021
    Posts:
    8
    Location:
    Austria
    Portmaster is an open source application firewall for Windows and Linux. Its main goal is to bring online privacy to everyone: easy enough so no technical experience is required, but powerful enough that every pro will want to use it.

    Main Features (Tour with Pictures)

    • Portmaster focuses more on specialized settings than on rule lists, yet they exist and can do fun things
    • Most settings can also be configured per app
    • The internal DNS client secures all your DNS requests with DNS-over-TLS by default (You can easily change the used DNS Servers)
    • Block malicious/tracker domains automatically with the (hourly updated) filter lists
    • Enable Prompt-Mode for more granular control
    • Configure settings to different threat-models / environments
    • Then use these to quickly adapt to your changing environment, like when joining a cáfe's WiFi
    • Fully open source with great docs

    Quicklinks


    Looking For Alpha Testers

    Hey people, I'm the Lead Dev of the Portmaster and am excited to show you what I've been working on the last years.
    Someone posted about the Portmaster on this forum out of nowhere a while ago, which was great!
    We are now ready for more feedback and are looking for testers in order to find the last remaining nasty bugs in order to advance from alpha to beta.

    I'd really appreciate it if some of you left some feedback either here, on Github or via email.

    Thanks, see you around
     
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    I just installed this on my Windows 10 machine. As a Windows desktop UI developer, I must say, it is hard to figure out how to use the program. It has fancy effects which are nice but the usability not so nice. Good luck.
     
  3. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    I have installed it on an AMD AM1 real machine, with an older Windows 10 build, along Kaspersky Free.
    It looks interesting, it seems to be blocking stuff.
    I see no performance issues for the moment.

    I have some questions though.
    Having in mind the name of the software itself, how do you create rules for ports and protocols ?
    Is there a syntax for more granular control ?

    At a first glance, based on the look and feel of the menues, you can allow connections based on interactivity, if the global policy is set as such.
    Allow/Block all outbound alltogether or picking each connection is not quite comfortable.

    How do you allow all connections on TCP, to remote port 443, where local ports are 1024-65535, for example, for some specific app.
    At custom rules i see a simple field to insert something.

    What are the default ICMP rules and how can one modify/create new ?

    Why is the default Global Policy (Outbound related as inbound is blocked by default) on Allow ?

    All in all is not bad at all for an alpha.Obvious granular port/protocol control would help.
    The name is portmaster, isn t it ? :)

    What is SPN ?
    What "routing through" SPN means ?
     
    Last edited: May 28, 2021
  4. dhaavi

    dhaavi Registered Member

    Joined:
    Apr 28, 2021
    Posts:
    8
    Location:
    Austria
    Hey Alexandru, thanks for checking out the Portmaster and giving valuable feedback!

    I assume you are used to building and using programs that follow the Windows UI/UX guidelines.
    I must admit that we did not pay much attention to them when designing the Portmaster's UI.
    Can you elaborate a bit on what you mean in this context? If you could single out a couple issues you see that would extremely helpful.
     
  5. dhaavi

    dhaavi Registered Member

    Joined:
    Apr 28, 2021
    Posts:
    8
    Location:
    Austria
    Hey Sm3K3R, thanks for taking the time to checkout the Portmaster and your great feedback.

    In the rule lists you can create rules for IP addresses in various ways and then optionally also match by L4 protocol and destination port.
    Eg. to allow communciation with GitHub's IPs on port 443:
    • AS36459 6/443
    • or
    • AS36459 TCP/HTTPS
    Check out the Outgoing Rules in the settings handbook for more details.

    I'm not sure I understand what you mean here. What are you referring to with "picking each connection"?

    I explained the rules above, but local port matching is not available for outbound connections. The reason is that we see little value in matching source ports when the application is identified anyway.
    But if there is a use case for this I'd love to hear about it!

    In general, the concept is to not look at "Local IP/Port <-> Remote IP/Port" too much, but to lift everything a level higher and look at "Github Desktop Client <-> Github Network" instead.

    Currently we always allow ICMP, as we don't have support for matching it to a process yet.
    This will change sometime in the future.
    We will probably just run all ICMP "connections" through the "Unidentified Processes" App soon to make them visible and somewhat controllable for now.

    Because we expect lots of technically unsavvy users to install the Portmaster and they might not be able to figure out what is happening and will just uninstall it again.
    In the future we'd like provide a setup screen where the user chooses between a couple basic starter packs that suits them best.

    Thanks! Haha, yes! ;)

    The SPN is an alternative to VPNs and Tor that we are working on. Currently in Pre-Alpha. See here for more details.
     
  6. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Thank you for the feedback !

    The default "Allow" Outbound, as Global policy, is wrong in my view.
    The same type of policy is used by the Windows Firewall itself, by default.
    People installing this firewall should be invited to choose, for convenience, what type of policy will be used.Maybe the installer should ask the user what default policy should kick in for ins and outs.

    Then i see that at right click menu, in the taskbar, i am not able to choose/select the policy used on the fly, as well as i can with the zones.Jetico, Outpost, Tinywall or WFC have that.

    I have also observed that even if i choose Untrusted, as zone, after a computer restart it s set back to Trusted.It s a LAN alright, but i should be able to not trust my own LAN, and the settings to stay that way, if I want to :)

    Then let s get a little more practical.This may help in getting more people installing it and testing it.
    Took a look at the guide indicated also.Looks generic.
    I see that protocol numbers can be used, instead of clasical TCP/UDP or names for port numbers..

    Let s take for example an app, a browser : Firefox
    I want to make a custom rule for this app, to allow TCP, for remote ports 80 and 443, IP v4 or IP v6, any remote IP.A simple "TCP/443" doesnt work.
    What is the syntax ? Whats the usage of ;:,/. if any
    How do i block IP v6 altogether, if i want to, in the firewall?

    What other protocols can be controlled as i see ICMP is not yet tweakable ?

    I would also consider necessary a normal connections log, in plain text, like SimpleWall has for example.That one is easy to read.The "core" log one is quite hard to read and follow, to see what is going on under the hood..
     
    Last edited: May 28, 2021
  7. warrior99

    warrior99 Registered Member

    Joined:
    Nov 21, 2014
    Posts:
    101
    Most windows users will have problems with this, most windows users are not Linux users,
    10 out 10 for effort,, default "Allow" Outbound, as Global policy, not good..
    u also need a build in white list for apps . but over all its pretty nice...
    usability needs work...
     
  8. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    I have the firewall running in the background but it is not minimized to the system tray. That is something to correct. Also instead of approving per domain it should be per application, making it easier to use. And with the option to block domains separately. The notification system is also something to improve. Also in the list of trusted, untrusted and dangerous in the settings is something to improve by simply allowing or disallowing. The filtering that the firewall does at dns and filter level works quite well.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I didn't test it, but looks like an interesting tool. I do think that the GUI should probably be improved based on what I've seen. It looks good, but I wonder if it's handy, the more simple the better.

    Wait a minute, so it alerts you about every domain that you visit? That sounds a bit weird and annoying or is this related to the ad-blocker?
     
  10. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    It would be nice if the developer, when he has some free time, could take a look at the forum.
     
  11. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    Agreed any specialized FW should have these. Also from what the developer said creating FW rules looks difficult. Creating FW rules should not be difficult.
     
  12. dhaavi

    dhaavi Registered Member

    Joined:
    Apr 28, 2021
    Posts:
    8
    Location:
    Austria
    Thanks for all the feedback and questions.
    I'll do my best to answer all of them here in one reply for convenience.

    Thanks for ping! I somehow did not get notified of every reply here.
    Also, "free time" is the key word here. ;)

    Glad I found the time now! Looking forward to answering all those juicy questions! :D

    ---

    Yes, this is exactly what we are planning to do.
    If anyone wants to follow up on this in the future, we are tracking this internally with CC#1968.

    This is an amazing idea that we haven't yet thought about. As we are a multi-platform firewall, we tend to only think about things that'll affect all platforms. While this is windows only, this is a really great interface that we should explore.
    Follow up with CC#1964.

    Thats a good point. I will bring this up with the team.
    Follow up with CC#1969.

    Here is how you can allow TCP to any IP on ports 80 and 443:
    + * TCP/80
    + * TCP/443

    (+ and - are used in the internal format, which is displayed as a button in the UI)

    The syntax is always: <Entity> <Protocol>/<Port>
    Where <Protocol> and <Port> are optional. <Protocol> may be "*" to match any and must be supplied when you specify <Port>.
    You can find the syntax here: https://docs.safing.io/portmaster/settings#filter/endpoints

    I want to note here that we are missing an important piece to let you confine applications like the Firefox example better. Currently, an allow rule will override all other features that would have been evaluated afterwards, effectively disabling the filter lists and other things.
    This is why we are working on a "continue" type rule that will continue with the evaluation of the connection and then in the end allow it, if nothing else wanted to block it.
    Follow up with CC#1970.

    We want to offer this as a separate toggle, but until then you can just create a rule to block ::/0
    Follow up with CC#1823.

    We will document this a lot better in the future, but I laid it out in this comment here for now:
    https://github.com/safing/portmaster/issues/325#issuecomment-852114137

    With v0.6.15, ICMP echo requests and replies can now be seen and controlled.

    When the Portmaster is a little more mature, we will start working on a history feature, that will give all sorts of ways to view the connection history of applications.

    ---

    We will have a Github Repo (sometime in the future) where will be building presets with the community to make life easier for users.

    Any pain points in particular you want to mention? This would help us a lot!

    ---

    The Core Service (a system service), the UI (App) and Tray (Notifier) are fully separate components that only behave like they belong together.
    If you close the UI Window, you are notified that you are only "minimizing" the Portmaster.

    Can you elaborate on your experience?

    Maybe the Architecture Overview will also give you some more insight into this:
    https://docs.safing.io/portmaster/architecture/overview

    Domains/IPs are approved per domain _and_ application.

    Can you elaborate on what you mean by "block domains separately"?

    Do you mean the notifications and prompts that are shown via the native Windows notifications?
    This is kind of a best effort solution that aims to be cross platform compatible as much as possible. It is by far not ideal.
    If it takes off, I hope we can invest in creating a custom solution for every OS.

    So you would prefer a simplified solution where you just have an on/off switch?

    By default, you are not prompted at all. You can switch all or single apps to prompt you.
    You are not prompted if a domain is already blocked by another mechanism, such as the ad/tracker blocker.

    In general, our approach is to be as much hands off as possible, as this will enable everyone to use it and not be overwhelmed by it.
    Instead, we want to do as much as we can automatically and get the community involved to create settings that people can subscribe to. (Also, see comment before.)

    Rules are meant to be as easy as possible. We don't expect people to use protocol and port numbers a lot - these are a bit more hidden.
    We hope that the Portmaster will provide enough smart controls so you won't be in the rules much.

    I explained the syntax above.

    ---

    Thanks all of you for your great feedback and amazing ideas! Keep 'em coming! ;)
     
  13. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    It would be easier to allow an application to connect to the Internet or not than to click and click approving domain by domain. And there could be a section where it shows all the domains that an application connects to with the option to allow or block. I don't know if this is feasible to implement but this is what I can think of that would be best.

    These options are a bit confusing and should be simplified to allow or block.
    I attach an image of how a notification should look like according to my criteria, which are subjective and many may not like it.
    Untitled.jpg

    In some windows configurations like with OSArmor and Securefolders enabled, I minimized it and no longer had the firewall icon in the notification tray. I am not saying that this is a general problem that happens to all users of this firewall. But the point is that I no longer had the icon in the tray and I had to call it through the shortcut. Maybe you can merge, if at all due to the architecture of the firewall, the user interface and the service.
     
  14. dhaavi

    dhaavi Registered Member

    Joined:
    Apr 28, 2021
    Posts:
    8
    Location:
    Austria
    You can simply change the default action to "allow" or "block" if you want this behavior.

    You can already do this with connections that were active within the last 10 minutes in the Monitor view. You can click on a connection to view the details and there you have buttons to explicitly allow or block a connection in the future.
    We will additionally provide a historic view of connections in the future where you will also be able to do that.

    Thank you for your feedback, I will bring it up with the team.

    We don't know yet how much the notifications will be used and how we will evolve them in the future. Thanks for your insights, we will take into consideration in the next iteration.

    If not through the tray, how do you open other firewalls then?
    Merging all components is not possible due to the limitations of the OS. However, we try to make it feel like one component as much as possible to reduce confusion.

    Whenever you open the UI, it will also launch the tray icon if not already there, as we assume everyone will want that running.
     
  15. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    It also occurs to me that to make the firewall even more complete you can add an ids/ips module like Snort. I don't know if this is possible but I wanted to ask for that functionality in this firewall under development even if it is not implemented later.

    https://www.snort.org/
     
  16. dhaavi

    dhaavi Registered Member

    Joined:
    Apr 28, 2021
    Posts:
    8
    Location:
    Austria
    While we have planned for such features, we can't tell yet in which direction this will evolve long term. Currently, we have planned:
    • Portscan detection
    • Check if connections are encrypted (and block unencrypted connections if wanted)
    • Verify encrypted connections (and block weak encryption and or invalid certificates)
    • Check the if the issuer root CA of the server certificate is known (and block the connection if not listed in an allow list)
    • Detect certain types of applications that invade user privacy and warn the user about it
     
  17. Morro

    Morro Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    355
    Location:
    Netherlands
    Last edited: Jun 4, 2021
  18. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    Those are nice extra features but an ids/ips I think should be first on the list since we are talking about a firewall basically, although from what I see the current/initial focus of the project has more to do with user privacy issues and also online security issues as it can be to detect a MITM as you propose with those extra features.
     
  19. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    Would also like the firewall to register with the Windows security center and disable the Windows firewall.
    It also has to fix some false positives.portmaster-start.exe
    Also, in my opinion, you must optimize the installation, it cannot be that a firewall occupies almost 1gb in the disk. Well, this is only a point of view.

    Untitled.jpg
     
    Last edited: Jun 11, 2021
  20. dhaavi

    dhaavi Registered Member

    Joined:
    Apr 28, 2021
    Posts:
    8
    Location:
    Austria
    My Co-Founder already posted there.

    As he and others have already mentioned there, it is a challenge for us to follow and respond to all activities over various platforms. For a guaranteed response please come by on GitHub or send us an email (find the mail on our homepage).

    But someone will definitely stick around here to answer some questions, we hope that will work out.

    Yes! Our main focus is definitely privacy, but we don't view ourselves primarly as a firewall, but more of a privacy suite that happens to also be a firewall.

    This is an interesting idea. I'm not sure about how this would improve things exactly, can you elaborate?

    With which software did you experience false positives?

    We will definitely optimize, but keep in mind that we also have quite big databases for the filter lists and alike.
     
  21. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,167
    @dhaavi

    can i ask you a question about rules?
    is there a "paranoid" mode to create many firewall rules for an application?
    the firewall look very cool
    thanks
     
  22. dhaavi

    dhaavi Registered Member

    Joined:
    Apr 28, 2021
    Posts:
    8
    Location:
    Austria
    I'm not sure I understand what you are wanting to do. Can you maybe explain it with an example?
     
  23. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    It is sometimes a bit annoying to have the Windows firewall and Portmaster, for example many times I approve an app to connect to the internet and then I get the Windows firewall prompt asking for permission, besides having two firewalls activated is not ideal so I propose that Portmaster register in the Windows security center and disable the native Windows firewall, mostly to avoid annoyances like approving or denying twice the same program.

    Translated with www.DeepL.com/Translator (free version)

    You can see the false positives with Process Explorer to replicate the problem and fix it

    Untitled.jpg .
     
  24. Morro

    Morro Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    355
    Location:
    Netherlands
    The people on MT are aware about how difficult it is for you and your team to respond to all activities over various platforms. But I will let them know about contacting you and your team on GitHub and through email. :)
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.