Portmaster and SPN by Safing.io

Since we now provide Portmaster in our repos, I’d like to open this thread for any discussion related to this software.

The developers work very close to my place here in Austria and I even met their CEO in person last week.
I think this is a great opportunity to give them our direct feedback about possible problems and feature requests from our side and get some first hand responses back.

My personal experience running Portmaster and SPN so far is really positive, with just a few issues, most of which I was able to resolve.
Portmaster works great as an extremely granular firewall where you can allow or block specific connections for any app, down to specific URLs an application might contact during different actions.

Then on top of that there is SPN, which is a paid upgrade (currently 9.9€/month or 99€/year).
My own general misunderstanding at first was that SPN, unlike a VPN, is NOT intended primarily for stuff like faking your geo-location to be able to stream video content not intended for your country by the provider. It should however enable you to access any content outside a restriction imposed on you by, for example, your ISP or local policy.
I think that their homepage and advertisement really gives a bit of a wrong impression there and I am about to discuss this with them, actually…
Their explicit goal anyway is to give you access to everything “legal in most countries”, not to enable activity illegal in most countries.

SPN gives you multiple identities and locations in parallel at the same time and routes your connections through individual tunnels.

Here you can see that currently, two of my targets in Firefox think I am in Germany, while the third will locate me in France. In reality I am still in Vienna.

I think that their technology is a BRILLIANT tool to protect your privacy.
If you want to know more about the technical details, you should read their whitepaper - really an interesting read, even if you are not a complete nerd :stuck_out_tongue_winking_eye:

I can say that their team went to great lengths to guarantee anonymity without even the need for a kill-switch or a no-log-policy. You could call it a DKYC :wink: policy where they have absolutely no idea who their customers are.

I hope we can use this thread for more insight into what the benefits and problems and potentially rough edges of this software are. I am looking forward to this discussion and will also try to invite their devs and team here.

Cheers
Bernhard

3 Likes

https://forum.manjaro.org/t/favorite-lesser-known-apps/5481/290


Edit:

This app would help @alven to solve the old issue:

3 Likes

Following a support request post this morning I became interested and installed portmaster.

It seems indeed a useful security addition; however, I also noted that a permanent RAM usage of over 700MB will make it unsuitable for many older machines.

1 Like

It’s another VPN service that can see all my traffic.

Also, it’s not working for me. The service starts but when the app is started, it wants to connect to Portmaster (why does a firewall need to access a remote service?), I guess it blocks itself from accessing.

All Electron apps consume a lot of RAM. It’s like having another browser open in the background all the time.

But at the end of the day, all users have a choice, so I don’t see a problem here.

Very interesting indeed!

Is it possible to have it installed and configured, but only use it when you need it?

Yes, that should work since you can quit the service via the taskbar icon and restart it from the app menu when needed.

Portmaster isn’t an Electron app.

1 Like

Apparently you didn’t read the original post. Portmaster does not collect any private data - there is no way it could do that. Also it’s not connecting to a remote service. It’s a systemd service.

In the GUI you can switch SPN on/off with a slider.
Portmaster is opened and closed like any other application, or you can also define rules for which connections it should monitor or not.

Or you can do all of that in the tray.

1 Like

Seems to be written in Go:

And the UI is Electron: GitHub - safing/portmaster-ui: User Interfaces for Portmaster

Base Technology

  • Portmaster integrates into network stack using nfqueue on Linux and a kernel driver (WFP) on Windows.
  • Packets are intercepted at the raw packet level - every packet is seen and can be stopped.
  • Ownership of connections is (currently) found via /proc on Linux and the IP Helper API (iphlpapi.dll) on Windows.
  • Most settings can be defined per app, which can be matched in different ways.
  • Support for special processes with weird or concealed paths/actors:
    • Snap, AppImage and Script support on Linux
    • Windows Store apps and svchost.exe system services support on Windows
  • Everything is 100% local on your device. (except the SPN, naturally)
    • Updates are fully signed and downloaded automatically.
    • Intelligence data (block lists, geoip) is downloaded and applied automatically.
  • The Portmaster Core Service runs as a system service, the UI elements (App, Notifier) run in user context.
  • The main UI still uses Electron as a wrapper - but this will change in the future. You can also open the UI in the browser.
2 Likes
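As an added illustration of the “/proc” ownership lookup mentioned in the list above (example code written for this thread, not Portmaster’s own implementation): it parses the /proc/net/tcp table and resolves a socket’s inode to the owning PID by scanning /proc/<pid>/fd, which is the same information a firewall needs to attribute a packet to an application. The sample table is constructed; resolving inodes that belong to other users’ processes needs root.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp format (not a real capture): a listener on
# 127.0.0.1:8080 and an established connection from 10.0.2.15:41394 to 34.216.184.93:443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A1B2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

def decode_addr(hex_addr):
    """'0100007F:1F90' -> ('127.0.0.1', 8080): the kernel prints IPv4 as a little-endian word."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return one dict per socket row; 'inode' is the key that links the socket to a process."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": int(f[3], 16), "uid": int(f[7]), "inode": int(f[9])})
    return rows

def inode_to_pid(inode, proc="/proc"):
    """Scan /proc/<pid>/fd for a link named socket:[<inode>]; needs root to see other users' fds."""
    target = "socket:[%d]" % inode
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:                          # process exited or permission denied
            continue
    return None

def owned_connections(proc="/proc"):
    """Live version: every TCP socket on this host with its owning PID (None if not visible)."""
    with open(os.path.join(proc, "net", "tcp")) as fh:
        rows = parse_proc_net_tcp(fh.read())
    return [dict(row, pid=inode_to_pid(row["inode"], proc)) for row in rows]

if __name__ == "__main__":
    for c in owned_connections():
        print(c["local"], "->", c["remote"], "state", hex(c["state"]), "pid", c["pid"])
```

Run as root on Linux to see the full mapping; state 0x0A is LISTEN and 0x01 is ESTABLISHED in the kernel’s table.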

“Force Block Incoming Connections” is enabled by default in the Global Settings for all apps to block everything from LAN and internet.
But this option has the highest priority and ignores or doesn’t respect your custom whitelists for any apps you want to set.

A tip:
How to switch from “Force Block Incoming Connections” to custom “Incoming Rules” in Global Settings:

  1. Disable “Force Block Incoming Connections”

  2. Change “Simple Interface” to “Advanced Interface” for the GUI to show a hidden function “Incoming Rules”

  3. Add “Allow localhost” and “Block *” to Incoming Rules; the behavior is then like “Force Block Incoming Connections”

Done: global Incoming Rules now respect your custom whitelists for any apps.

2 Likes
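To make the ordering in this tip concrete, here is an added example (a model written for this thread, not Portmaster’s code): it assumes rules are checked top to bottom with the first match winning, that an app’s own rules are consulted before the global Incoming Rules, and that the force-block switch overrides both. It shows why “Allow localhost” must come before “Block *”, and why the force-block option defeats a per-app whitelist while the rule list does not.

```python
from ipaddress import ip_address, ip_network

# Rule model assumed for this example: an ordered list of (verdict, entity) pairs,
# first match wins. Entities understood here: "localhost", "LAN", "*", or an IP/CIDR.
def _matches(entity, ip):
    if entity == "*":
        return True
    if entity == "localhost":
        return ip.is_loopback
    if entity == "LAN":
        return ip.is_private and not ip.is_loopback
    return ip in ip_network(entity, strict=False)

def evaluate(rules, src_ip, default="block"):
    """Walk the rule list top to bottom; return the first matching verdict."""
    ip = ip_address(src_ip)
    for verdict, entity in rules:
        if _matches(entity, ip):
            return verdict
    return default

def incoming_verdict(src_ip, app_rules, global_rules, force_block=False):
    """Assumed layering: force-block beats everything; otherwise app rules, then global rules."""
    if force_block:
        return "block"
    verdict = evaluate(app_rules, src_ip, default=None)
    if verdict is not None:
        return verdict
    return evaluate(global_rules, src_ip)

# The global rules from the tip, and a constructed per-app whitelist for a LAN subnet.
GLOBAL_RULES = [("allow", "localhost"), ("block", "*")]
APP_WHITELIST = [("allow", "192.168.1.0/24")]
REVERSED_GLOBAL = [("block", "*"), ("allow", "localhost")]   # wrong order: never reaches allow
```
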