CTO and Co-Founder of Safing here. We're super excited to introduce version 1.0 of our network monitor and privacy firewall - Portmaster!
On January 1st this year, Portmaster was shared on HN and we hit the front page [1]. With the help of our testers - many of you! - we were able to mature and develop Portmaster to hit this milestone.
We're on a mission to bring privacy back to the masses. Privacy has to be easy & accessible for everyone, while hackers and tinkerers should have the tools to customize everything to their needs. So while Portmaster 1.0 is a big milestone, this is just the start!
Hi. After a quick look, I found that the codebase is spread across several repos, e.g. safing/portmaster, safing/portmaster-ui and safing/portmaster-packaging.
I didn't find any guides regarding building from source. How can I build the app/installer by myself?
The thing is that Portmaster consists of a lot of components[0]. I don't think we'll get around creating a docker image that does all the steps automatically - as far as possible. For Windows this will be infeasible for most, as you need an EV Code Signing Cert ($300+) for signing the kernel extension.
Most repos have a "./pack" script that correctly builds all assets.
You can then place them as "v0.0.0" (as _v0-0-0) in the updates directory. If you put Portmaster into dev mode (--devmode) it will load the v0.0.0 versions first. You might want to also disable automatic updates - or ignore the automatically downloaded versions.
Compiling for Windows without a cert works, but the OS will refuse to load the driver. You'd need to switch to a special Windows developer mode and sign it with a local certificate.
As I said, this is an area where we need to improve.
Just add a PowerShell script at install time to exempt the virtual network interfaces from Windows Firewall if WSL is detected and the user agrees! It's super simple and easy.
(1) Are you planning on having support for more than 5 devices at a future point?
5 devices is what we estimate 1 user has (avg max). If there is demand, we will definitely add a plan to support more devices (or users).
(2) Will you have any features to support parents' protection of their children?
We already collect NSFW filter lists to be activated in the settings. Otherwise such features are tricky, as we need to start protecting against the person in front of the device, which is very hard. If you have suggestions, please share!
(3) How easy is it to integrate Safing into a home security stack, or an enterprise security stack?
Can you elaborate on what exactly you have in mind? We don't offer any integrations with other systems out of the box yet. We have APIs though that you can use.
(4) Have you considered a one-time unlimited buy-in level in lieu of monthly?
We had a couple of lifetime plans on our Kickstarter (years ago).
Right now, we don't have any plans for this.
You can pay in advance though - up to 4 years.
(5) Is this coming for iOS & MacOS?
Yes. Or, at least we will attempt it. Going to be "fun" if Apple continues their locking-down strategy. Maybe the EU will force them to open up by then. Expect at least 1-2 years for this to land though.
>(1) Are you planning on having support for more than 5 devices at a future point?
>5 devices is what we estimate 1 user has (avg max). If there is demand, we will definitely add a plan to support more devices (or users).
I'd estimate for a family plan (my case) we'd have 5 users. Given that I am on HN and part of the technocrati collective we have a ton of devices, particularly once your iOS & Mac OS coverage kicks in too.
>(2) Will you have any features to support parents' protection of their children?
>We already collect NSFW filter lists to be activated in the settings. Otherwise such features are tricky, as we need to start protecting against the person in front of the device, which is very hard. If you have suggestions, please share!
I think it would be the person in front of the device, but a NSFW filter list is the minimum requirement; sounds like you already meet that.
>(3) How easy is it to integrate Safing into a home security stack, or an enterprise security stack?
>Can you elaborate on what exactly you have in mind? We don't offer any integrations with other system out of the box yet. We have APIs though that you can use.
Aggregating logs across all devices protected. I don't know if syslog would be best, as there are options
Unified console for centralized control of all instances would be a stretch goal
Shipping logs is easy technically, but what to put in there? Just mirror the logs from the local instance or just limit it to connections? Which format, what data?
We recently switched to an in-mem SQLite database for querying connections. In the future, we'd like to send the rows to a central instance of the user, with a UI for querying everything at once.
Also, creating setting templates for apps and enforcing certain settings on many devices is something that seems useful.
> ... we need to start protecting against the person in front of the device
My first thought was, "Oh, God, please don't". I'm a parent, if I put that software on the computer it comes with rules not to touch it; if it's touched, they know I'll probably find out, ban them from it for a bit and return it to them locked down in a manner that when I return it to its original state, they won't touch it again. :o).
But then I thought of the other common reason this kind of capability is added to software -- are you preparing for the eventual future where you will have to do this, not to protect from a child removing the software, but to protect from another app surreptitiously removing Portmaster in order to bypass its protections?
Well, the first thing we might do is just an "Only an Administrator can make changes." setting where only admin accounts are allowed to change settings. This one makes sense. Everything beyond that gets complicated and easy to circumvent fast.
(I also think the original question was more about blocking features and the likes.)
Protecting against other software is related, but also different. We have some decent protection here, albeit not against simply shutting Portmaster down.
Congrats on releasing 1.0! It looks very cool. A few questions about Portmaster Unlimited and SPN:
1. Does Safing own and operate all the exit nodes or can folks add their own nodes to it?
2. Are you self-hosting the exit nodes? If not, I'm curious what cloud providers you use.
3. Have you found egressing through a bunch of different geolocated IPs for the same request triggers DDoS/anti-scraping systems (like Cloudflare) more than usual?
2. Are you self-hosting the exit nodes? If not, I'm curious what cloud providers you use.
We rent servers. If you have the SPN, you can click on every server on the map and check where it is hosted. Currently mainly Hetzner, OVH, Kamatera, HostHatch. We regularly try new providers, rent a couple of servers and see how it goes.
3. Have you found egressing through a bunch of different geolocated IPs for the same request triggers DDoS/anti-scraping systems (like Cloudflare) more than usual?
The client "pins" destination domains/IPs to an exit for an hour (scoped per app) in order to get more stability here.
We had issues in the past.
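The exit "pinning" described in that answer (one exit per destination for an hour, scoped per app) is a small TTL cache keyed by (app, destination). The Go below is an added example, not Portmaster's or Safing's code; the exit names, the picker and the injectable clock are constructed for the demonstration, and a real client would pick exits from its live node map rather than a fixed list.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// pinKey scopes a pin to one application and one destination (domain or IP),
// which is the "scoped per app" behaviour described in the thread.
type pinKey struct {
	App  string
	Dest string
}

type pinEntry struct {
	Exit    string
	Expires time.Time
}

// PinTable remembers which exit an (app, destination) pair last used, for a
// fixed TTL. Constructed example; not Portmaster's own implementation.
type PinTable struct {
	mu  sync.Mutex
	ttl time.Duration
	now func() time.Time // injectable clock, so expiry can be tested without sleeping
	m   map[pinKey]pinEntry
}

// NewPinTable creates a table; pass nil for now to use the wall clock.
func NewPinTable(ttl time.Duration, now func() time.Time) *PinTable {
	if now == nil {
		now = time.Now
	}
	return &PinTable{ttl: ttl, now: now, m: make(map[pinKey]pinEntry)}
}

// ExitFor returns the pinned exit for (app, dest) while the pin is valid.
// Otherwise it asks pick for a fresh exit and pins that for another TTL, so a
// site keeps seeing one source address per app for the pin lifetime instead
// of a new address on every connection (which is what trips anti-abuse systems).
func (p *PinTable) ExitFor(app, dest string, pick func() string) string {
	p.mu.Lock()
	defer p.mu.Unlock()
	k := pinKey{App: app, Dest: dest}
	t := p.now()
	if e, ok := p.m[k]; ok && t.Before(e.Expires) {
		return e.Exit
	}
	exit := pick()
	p.m[k] = pinEntry{Exit: exit, Expires: t.Add(p.ttl)}
	return exit
}

// Sweep drops expired pins and returns how many were removed; run it
// periodically so the table does not grow with every destination ever seen.
func (p *PinTable) Sweep() int {
	p.mu.Lock()
	defer p.mu.Unlock()
	t := p.now()
	removed := 0
	for k, e := range p.m {
		if !t.Before(e.Expires) {
			delete(p.m, k)
			removed++
		}
	}
	return removed
}

func main() {
	// Constructed exit pool and round-robin picker.
	exits := []string{"exit-a", "exit-b", "exit-c"}
	i := 0
	pick := func() string { e := exits[i%len(exits)]; i++; return e }

	clock := time.Date(2022, 11, 1, 12, 0, 0, 0, time.UTC)
	pt := NewPinTable(time.Hour, func() time.Time { return clock })

	fmt.Println("firefox -> example.com:", pt.ExitFor("firefox", "example.com", pick))
	fmt.Println("firefox -> example.com again:", pt.ExitFor("firefox", "example.com", pick))
	fmt.Println("curl -> example.com:", pt.ExitFor("curl", "example.com", pick))
	clock = clock.Add(61 * time.Minute)
	fmt.Println("firefox after 61 min:", pt.ExitFor("firefox", "example.com", pick))
	fmt.Println("expired pins swept:", pt.Sweep())
}
```

The per-app scope is the interesting design choice: two programs talking to the same site get independent pins, so a site cannot tie them together via a shared exit, while each program on its own looks like one stable client for the hour.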
I'd really like to see more technical discussion of Safing's SPN idea and implementation (https://safing.io/spn/). If I've understood it correctly, it seems to be in-line with the general trajectory of where Cloudflare is going with DNS privacy and Apple is going with its relay service.
It seems obvious that VPN services should be split into Relay and Exit services so that you don't have to necessarily trust a single company not to collect and sell all your internet traffic.
The SPN (Safing Privacy Network) aims to fill the area between VPNs and Tor. VPNs provide very little real privacy and Tor is (outside Tor Browser) very difficult to set up and configure.
Yes, you are correct, there are similarities there. Except of course that SPN is open source.
From a DNS privacy perspective, ODoH (Oblivious DNS over HTTPS) seems to achieve this at protocol level, with interoperability between providers. While there are tunnelled VPNs (separate entry and exit), they always seem to be with the same provider. The iCloud Private Relay design appears to avoid this.
It would be interesting to see where SPN goes, and more on how it works, as you say.
Is this installed specifically on the endpoints or can it be installed on a network gateway (my edge router/gateway is a GNU/Linux machine) to provide analytics and security for the whole LAN?
The website seems to be very light on any technical details; it doesn't give me the slightest idea how it operates. Looking at the comments here I suspect it's an endpoint firewall using a VPN (SPN) to tunnel all the traffic through a virtualized network interface and apply rules and analytics to it.
Any plans to support SPN installation on an edge router?
I have a VPN configured in my pfSense router so that I don't need to run it in each client. I guess this would make it easy to go over the 5 device limit though...
Regardless, I'll try it out for the firewall and network monitoring.
Definitely one of the best firewalls for normal people on Linux. (g)UFW is nice and easy but very basic. Portmaster is a lot closer to the firewalls you may find for Windows that list applications and their statistics/configuration.
My only problem with it is that under heavy load the DoH server dies or gets stuck at 50% CPU for me. It also hangs my custom DoT/DoH solution for some reason but that's not a Portmaster problem.
I haven't had time to debug this issue yet; it mostly occurs when I'm busy with more important stuff so I usually just restart the service once or twice to get the process to behave.
I'll try to remember to collect the logs next time it happens so I can open a useful issue.
While it happens, simply go to the "Get Help" page in Portmaster and click on "Report Bug". It will collect some debug info and you can create an issue directly on GitHub from there.
I evaluated this a few months ago and absolutely loved it. It was more polished and easier to use than I expected. Since the website made a big deal about it being alpha I went in expecting a little pain.
The only major problem I hit was that every time a snap would update it would appear as a new application and I had to reapply the rules. At the time there was a proposal for a change to fix this but it hadn't been implemented yet. I think once that lands, if it hasn't already, I'll be a loyal daily user.
We have recently added a system to support these use cases. I will see if we can add support for snap packages in the next weeks. Now tracking this internally at CC#2632.
> Please note that pretty much all the DNS leak detection tests by the VPN providers will be a false positive, as the only thing they check is if you are using their DNS servers. Rest assured that your DNS queries are well protected by the Portmaster and there is no need to be concerned." [1]
That's a confusing statement... does this mean they change your DNS server/provider by default, if you are using a VPN?
I think it’s because SPN uses a different IP/node per connection you make. DNS leak detection tests will ask your browser to resolve unique subdomains. If the DNS server that requests the lookup is different from your connecting IP to the website, they will say you have a DNS leak.
That would be true if you would be resolving all DNS yourself. Nowadays everyone uses a recursive resolver. See my other answer for details about this case.
> "overrides any custom DNS server and enforces the ones the user set - or are set by default"
If Portmaster "enforces DNS servers with the ones that are set", after installing Portmaster and without the user changing anything, I'd say that's a decrease of privacy;
Your VPN provider can see your traffic in any case (even when you're not using their DNS server.) So, if Portmaster would change this to whatever your default is (Cloudflare, Google, etc.), people are then suddenly sharing their DNS requests with yet another third party.
There is a welcome screen that informs you of Portmaster handling and securing DNS queries with the option to change the provider.
But especially with a VPN the privacy is increased as it effectively becomes DNS-over-TLS/HTTPS-over-VPN.
The VPN still sees your destination IP addresses, so the privacy improvement is not increased by a lot, but still.
Ah right, that sounds good. So the user is aware of it.
> But especially with a VPN the privacy is increased as it effectively becomes DNS-over-TLS/HTTPS-over-VPN.
I disagree; VPN providers use an internal IP as DNS server and your connection to this DNS server goes through a secured VPN tunnel anyway.
So, by sharing your DNS requests with an external third party you gain nothing, and it's even a decrease of your privacy since now Google/Cloudflare/etc. collects all these requests.
I found the option after completing the setup process.
The problem was that there isn't a "keep my DNS as is" option in the initial setup dialog (or not an obvious one), so we are forced to pick one from the four secure DNS options.
FYI: It comes with opt-out Sentry crash reporting.
Edit: Shipping such a component enabled by default might be unexpected for applications of this nature and easily overlooked, which is why I mention it.
Little Snitch still costs money, it's just a different licensing model. It's not SaaS, so only a one-time fee to purchase the tool.
The reason I'm open to paying a monthly fee for a SaaS offering is to keep getting new features and timely security updates, and to support ensuring the recurring expense aspects of the service can stay alive. It's not entirely clear to me yet why Portmaster needs to be a SaaS, but it's not implausible.
I don't have any Windows or Linux desktop machines in regular use currently, looking forward to trying this out once the Mac version exists.
> The reason I'm open to paying a monthly fee for a SaaS offering…
To clarify, I'm absolutely not subscription shaming, and I understand that startups are effectively forced to use a SaaS model in order to attract investors.
I remember trying out Portmaster on Windows earlier this year. I think Portmaster was running a local DNS server to see what connections were being made. This interfered with my VPN, Mullvad, which was trying to use a remote DNS server.
Does Portmaster still require a local DNS server? I've been an avid user of GlassWire for years and it works flawlessly with my VPN. But I would love to switch to an open source alternative.
Portmaster still (and probably always will) require a local DNS server. Why? Because there is not always a way to find out which domain an IP address belongs to, and there will be fewer ways in the future.
GlassWire will probably become quite blind as soon as TLS1.3 is rolled out and working as intended.
I will look into Mullvad compatibility again in the coming weeks. I think they also improved some stuff on their side.
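The reason a local resolver is needed, as the answer above explains, is that the firewall has to map an outgoing connection's destination IP back to the domain the process just resolved; once encrypted ClientHello lands, sniffing the SNI (what a passive monitor relies on) stops working. The Go below is an added example of that reverse map and is not Portmaster's code: it records the IPs from each DNS answer with their TTL and answers "which domain is this connection for?" for a new flow. The domains, addresses and the injectable clock are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"sync"
	"time"
)

type answer struct {
	Domain  string
	Expires time.Time
}

// Attribution is a reverse map from IP addresses seen in DNS answers to the
// domain that was queried, honouring the answer TTL. Constructed example;
// not Portmaster's own code.
type Attribution struct {
	mu   sync.Mutex
	now  func() time.Time // injectable clock for testing expiry
	byIP map[string]answer
}

func NewAttribution(now func() time.Time) *Attribution {
	if now == nil {
		now = time.Now
	}
	return &Attribution{now: now, byIP: make(map[string]answer)}
}

// canon normalises an address so "::ffff:203.0.113.10" and "203.0.113.10"
// share one key; connection tracking and DNS answers do not always agree.
func canon(ip string) (string, bool) {
	p := net.ParseIP(ip)
	if p == nil {
		return "", false
	}
	if v4 := p.To4(); v4 != nil {
		return v4.String(), true
	}
	return p.String(), true
}

// Record stores the addresses from one answer and returns how many were
// usable. A later answer for the same IP overwrites an earlier one, so a
// shared CDN address is attributed to the most recent lookup that produced it.
func (a *Attribution) Record(domain string, ips []string, ttl time.Duration) int {
	a.mu.Lock()
	defer a.mu.Unlock()
	exp := a.now().Add(ttl)
	n := 0
	for _, ip := range ips {
		c, ok := canon(ip)
		if !ok {
			continue
		}
		a.byIP[c] = answer{Domain: domain, Expires: exp}
		n++
	}
	return n
}

// DomainFor answers "which domain did the process resolve to reach this IP?"
// for a new outgoing connection. Expired entries are dropped on lookup; a
// miss means the connection must be judged by IP-based rules alone.
func (a *Attribution) DomainFor(ip string) (string, bool) {
	c, ok := canon(ip)
	if !ok {
		return "", false
	}
	a.mu.Lock()
	defer a.mu.Unlock()
	ans, found := a.byIP[c]
	if !found {
		return "", false
	}
	if !a.now().Before(ans.Expires) {
		delete(a.byIP, c)
		return "", false
	}
	return ans.Domain, true
}

func main() {
	clock := time.Date(2022, 11, 1, 12, 0, 0, 0, time.UTC)
	at := NewAttribution(func() time.Time { return clock })

	// Constructed DNS answers as the local resolver would observe them.
	at.Record("updates.example.com", []string{"203.0.113.10", "2001:db8::10"}, 300*time.Second)
	at.Record("cdn.example.net", []string{"198.51.100.7"}, 60*time.Second)

	for _, dst := range []string{"203.0.113.10", "::ffff:203.0.113.10", "198.51.100.7", "192.0.2.99"} {
		if d, ok := at.DomainFor(dst); ok {
			fmt.Printf("connection to %s -> %s\n", dst, d)
		} else {
			fmt.Printf("connection to %s -> no DNS context, IP rules only\n", dst)
		}
	}
	clock = clock.Add(2 * time.Minute)
	_, ok := at.DomainFor("198.51.100.7")
	fmt.Println("cdn.example.net still attributable after 2 min:", ok)
}
```

Two caveats this makes visible: a process that hard-codes an IP, or resolves through some other channel than the local resolver, shows up as "no DNS context", which is exactly why the answer says the DNS path has to be forced through the firewall; and on shared CDN addresses the attribution is only as good as the most recent lookup.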
User from 2 weeks ago: "Can confirm that Portmaster V.1.0.0 with Mullvard V2022.4 DNS set to 127.0.0.1 and the same setting on the netwerk controller both can life together." from https://github.com/safing/portmaster/issues/313
Was just reading their site and wondering about that myself. But I use NextDNS on my router to cover all the devices on the house and this seems individual client based.
Still, I can run it on my main machine.
The networking looks like a great blend of onion routing and secured connections. Really clever way of constantly changing a client IP. As someone else noted, it's like a client/outgoing version of Cloudflare's DDoS-mitigated network design.
I guess having it combined can have portability/mobility benefits, but other than that I doubt if the performance benefits of OpenSnitch (or) the ability to secure an entire network through Pi-hole are worth replacing.
You won't be wrong about that, but I like to think of PortMaster as more of an open-source Glasswire replacement that can also run on Linux. It is an impressive piece of software nevertheless.
Been looking for something like this for my Windows computer. Little Snitch has been invaluable over the years but I never found anything that covers its features for Windows.
If you are looking for a simple and light firewall (but still better than Windows Firewall), I recommend using Simplewall. It does not require a kernel extension and works with the API provided by Windows to do network filtering.
Simplewall is amazing, and is impressive in how it's able to stop a lot of Microsoft's attempts to get telemetry out.
I've been looking at Portmaster for a while; it seems to be a valid option for those of us who dabble with the idea of totally halting the telemetry despite it being designed to be hard to stop.
I installed this about six months ago on Ubuntu 18 and it hung when I launched it. Has this been ironed out? I might try again. If I'm having issues, I'll submit an issue on GitHub. Was it tested on Ubuntu 18? BTW: I have to use Ubuntu 18 since version 20 is not compatible with my machine (some BS about NVIDIA drivers crashing the OS).
Neat product! I have a couple of questions, mainly surrounding the SPN.
* How does SPN differ from a VPN, in detail? In other comments you said that it's similar to Tor, but what does that actually mean?
* Does traffic get routed through multiple nodes before being routed to the destination? If not, what sets it apart from a VPN - apart from being able to choose different servers for every program on your PC?
* Is SPN intended to provide privacy against nation-state actors where simply masking your exit node is not sufficient, similar to what Tor claims to do?
* Who operates exit nodes (and any intermediary nodes in the SPN network), are they owned or rented dedicated servers, and does it include residential connections - to provide unblocking for streaming services?
* Is traffic routed through other Portmaster users' internet connections?
Q: Does traffic get routed through multiple nodes before being routed to the destination? If not, what sets it apart from a VPN - apart from being able to choose different servers for every program on your PC?
Q: Is SPN intended to provide privacy against nation-state actors where simply masking your exit node is not sufficient, similar to what Tor claims to do?
"Nation-state actor" is a bit vague, assuming the most common meaning (IMO): a global passive adversary.
Quoting from the Tor design document: A global passive adversary is the most commonly assumed threat when analyzing theoretical anonymity designs. But like all practical low-latency systems, Tor does not protect against such a strong adversary.
Neither Tor nor the SPN (nor anything else) will protect you from this. If they can really see everything, they will find you - sooner or later.
What we aim for is to stop exposing you to the data sources of the mass surveillance dragnet: Online tracking and the Internet-network itself.
Q: Who operates exit nodes (and any intermediary nodes in the SPN network), are they owned or rented dedicated servers, and does it include residential connections - to provide unblocking for streaming services?
Currently we rent servers, but will start adding our own dedicated ones once the scale is there. Nodes are also hosted by the community to diversify the node ownership in order to strengthen the privacy protection. Currently not using residential connections.
Q: Is traffic routed through other Portmaster users' internet connections?
Pretty interesting. Would love to see if users can choose their own servers as the underlying identity pool.
PS: SPN: Safing Privacy Network, https://github.com/safing/spn
I've been using it for about 6 months and I think it's a good product. I suddenly needed a new firewall as Comodo Firewall doesn't work well with the VPN I have to use (it cannot block anything). This stepped up like a champ in preventing unwanted networking behavior from Microsoft and others. The Notify Task has sometimes been weird but 1.0 seems to work well for me. The fact that I can point it at my local DNSCrypt instance is nice. I need to explore SPN more and see if it would work better than a VPN for me or not.
Q: What's the performance impact on this, especially on windows?
Basically negligible. Secure DNS might be a bit slower and you might feel some impact on low end devices.
Q: Also what would happen if I installed a Windows gateway, using routing and remote access services, and then installed portmaster on that?
You'd probably be cut off as incoming connections are blocked by default. Please place a config with exceptions before install or have (virtual) physical access when installing.
Q: Oh and can I use this in conjunction with wire guard? How does it play with other vpns.
First of all, thanks for this, I've been using it today. I'll e-mail later with a longer list of comments/suggestions.
First request would be a way to sync settings across multiple machines, or at least a way to import/export configs.
I did get hit with the issue about having incoming connections blocked by default - realized RDP connections were blocked even from the local subnet, and had to go plug a physical monitor in.
I was a bit surprised I couldn't figure out a clean way to allow inbound connections from the local network, but not from the internet. The docs at https://docs.safing.io/portmaster/settings seem to imply that I can set various settings to different tiers - 7 for trusted, for untrusted, 4 for hacked, but even when I have the developer view turned on, I just see a binary choice.
You can disable the Seamless DNS Integration[0], and configure DNS manually [1]. DNS queries will still have to go through Portmaster. It does regular self-checks and will nag you until you fix it.
I found a blog post (https://safing.io/blog/2022/09/06/spn-vs-vpns/), but you have to go fairly far down the page (to the header "Cryptographic Identity Protection") to begin to get the gist of what it is.
"This was originally invented for Tor and is called Onion Routing. This way, every server in the chain only knows the previous and the next hop. No server ever knows who you are AND where you are going to."
"As VPNs are centralized, all their servers are operated by only one entity - the VPN provider itself. They can, therefore, monitor all your traffic and see what you are up to. This is why they tout their “No Logging” policies so loudly, because they know they can see everything."
"SPN on the other hand invites the community to join the network and strengthen it by adding diversity to the operators of the network. This way - in addition to the cryptographic protections - it is made almost impossible that anyone will ever be able to track you through the SPN."
It sounds like it is a next-gen VPN service which addresses the shortcomings of the current VPN services by splitting the service into relays and exits, each with limited knowledge and each potentially operated by different parties.
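The quoted "every server in the chain only knows the previous and the next hop" is the layered-encryption property of onion routing, and it is easy to see concretely. The Go below is an added illustration, not SPN's or Tor's code: the client wraps the payload in one authenticated-encryption layer per hop, innermost for the exit, and each relay can strip exactly its own layer, learning the next hop name and an opaque blob. Per-hop keys are derived from the hop name here purely as a constructed simplification (real designs negotiate them with a handshake per circuit); the hop names, destination and payload are also constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Hop is one relay with a symmetric key shared with the client. Constructed
// simplification: keys are derived from the name for the demo only.
type Hop struct {
	Name string
	Key  []byte
}

func demoKey(name string) []byte {
	sum := sha256.Sum256([]byte("demo-key:" + name))
	return sum[:]
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; authentication fails for any key but the right one.
func open(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// Layer wire format: one length byte, the next-hop name, then the inner blob.
func encodeLayer(next string, inner []byte) []byte {
	out := append([]byte{byte(len(next))}, next...)
	return append(out, inner...)
}

func decodeLayer(b []byte) (string, []byte, error) {
	if len(b) < 1 || 1+int(b[0]) > len(b) {
		return "", nil, errors.New("malformed layer")
	}
	n := int(b[0])
	return string(b[1 : 1+n]), b[1+n:], nil
}

// Wrap builds the onion from the inside out. The innermost layer (for the
// exit) carries the real destination and payload; every outer layer carries
// only the name of the next hop, so a relay learns one neighbour and nothing else.
func Wrap(hops []Hop, dest string, payload []byte) ([]byte, error) {
	if len(hops) == 0 {
		return nil, errors.New("need at least one hop")
	}
	blob, next := payload, dest
	for i := len(hops) - 1; i >= 0; i-- {
		if len(next) > 255 {
			return nil, errors.New("hop or destination name too long")
		}
		var err error
		if blob, err = seal(hops[i].Key, encodeLayer(next, blob)); err != nil {
			return nil, err
		}
		next = hops[i].Name
	}
	return blob, nil
}

// Peel is what one relay does: remove its own layer and learn the next hop.
func Peel(hop Hop, blob []byte) (string, []byte, error) {
	plain, err := open(hop.Key, blob)
	if err != nil {
		return "", nil, fmt.Errorf("%s cannot open this layer: %w", hop.Name, err)
	}
	return decodeLayer(plain)
}

func main() {
	hops := []Hop{{"entry", demoKey("entry")}, {"middle", demoKey("middle")}, {"exit", demoKey("exit")}}
	payload := []byte("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n") // constructed
	onion, err := Wrap(hops, "example.com:443", payload)
	if err != nil {
		panic(err)
	}
	blob := onion
	for _, h := range hops {
		next, inner, err := Peel(h, blob)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-6s sees next hop %q and %d opaque bytes\n", h.Name, next, len(inner))
		blob = inner
	}
	fmt.Println("exit forwards payload intact:", bytes.Equal(blob, payload))
	_, _, err = Peel(hops[1], onion) // the middle relay cannot read the entry's layer
	fmt.Println("middle cannot open the entry layer:", err != nil)
}
```

What this does not show is the other half of the quoted claim, operator diversity: the cryptography only guarantees that no single hop sees both the source and the destination, and it is the different operators per hop that keep any one party from simply correlating the two ends.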
Came back to answer the question and you beat me to it! Thanks!
SPN (Safing Privacy Network) aims to fill the area between VPNs and Tor. VPNs provide very little real privacy and Tor is (outside Tor Browser) very difficult to set up and configure.
In combination with the Portmaster (which is also a firewall), we provide superior privacy to any VPN and offer a 1-click install for software that you cannot mis-configure.
Yeah, the ISP I founded in 1995 (elite.net) was a PM2ER for both dialup and routing with a Pentium 90 as the shell & web server. We quickly hit the 30 line limit and went up to the PRI-based Portmaster models. Fun and exciting times, just bringing a rural community online for the first time ever.
Right. Different use case. Pi-hole is normally set up for the network. This solution is a personal desktop firewall. So it has more access to information, but is also easier to break (break through) for "bad" software on your PC.
While getting my CS degree, I also had a job as the SA for a small local ISP. Two Linux boxes, a PortMaster, and a dozen or so 56K Hayes modems. RADIUS authentication between the PM and the Linux boxes. Can't recall how we did accounting. I probably wrote a Perl script that scraped the RADIUS logs.
The Linux distribution was probably Slackware. Kernel was probably early 2.x?
Fun times...
The folks I interview these days with their newfangled CS degrees have no clue how anything works. They can write code, sure, barely, but they can't answer a single question about how _any_ of it works.
How do you get a CS degree and not know the difference between TCP and UDP?
How do you become a front-end developer who codes React apps but can't explain the DOM? Have no clue what a conditional GET is?
I just bought an AS5300 to play with a few months ago to see if I could get 56k modem connections to work over VOIP.
SIP channels -> voice card -> out a T1 (network) -> in another T1 (CPE) -> to DSP modem.
(Or dialout, DSP modem -> out a T1 (CPE) -> in a T1 (network) -> voice card -> SIP.
It just -doesn't quite- work. I can get 14400 no problem, but V.90 doesn't seem to entrain. Still troubleshooting (could be undesirable jitter buffer settings on my ISP side).
I just barely missed end-of-sales of ISDN BRI in my area, which could have been useful for getting to the PSTN at high quality.
[1]: https://news.ycombinator.com/item?id=29761978 [2]: https://star-history.com/#safing/portmaster&Date