Portmaster and SPN by Safing.io

Since we now provide Portmaster in our repos, I’d like to open this thread for any discussion related to this software.

The developers work very close to my place here in Austria and I even met their CEO in person last week.
I think this is a great opportunity to give them our direct feedback about possible problems and feature requests from our side and get some first hand responses back.

My personal experience running Portmaster and SPN sofar is really positive with just a few issues, where most of them I was able to resolve.
Portmaster works great as an extremely granular firewall where you can allow or block specific connections for any app, down to specific URL’s an application might contact during different actions.

image798×565 48.3 KB

image763×492 36.2 KB

image467×809 37.2 KB

image1989×1358 244 KB

Then on top of that there is SPN which is a paid upgrade (currently 9.9€/month or 99€/year)
My own general misunderstandings at first was that SPN unlike a VPN is NOT intended primarily for stuff like faking your geo-location to be able to stream video content not intended for your country by the provider. It should however enable you to access any content outside a restriction imposed on you by for example your ISP or local policy.
I think that their homepage and advertisement really gives a bit of a wrong impression there and I am about to discuss this with them, actually…
Their explicit goal anyway is to give you access to everything “legal in most countries”, not to enable activity illegal in most countries.

SPN gives you multiple identities and locations in parallel at the same time and routes your connections through individual tunnels.

Here you can see that currently, two of my targets in firefox think I am in Germany, while the third will locate me in France. In reality I am still in Vienna.

image454×805 44 KB

I think that their technology is a BRILLIANT tool to protect your privacy.
If you want to know more about the technical details, you should read their whitepaper - really an interesting read, even if you are not a complete nerd

I can say that their team went to great lengths to guarantee anonymity without even the need for a kill-switch or a no-log-policy. You could call it a DKYC policy where they have absolutely no idea who their customers are.

image631×720 33.5 KB

I hope we can use this thread for more insight into what the benefits and problems and potentially rough edges of this software are. I am looking forward to this discussion and will also try to invite their devs and team here.

Cheers
Bernhard

https://forum.manjaro.org/t/favorite-lesser-known-apps/5481/290

Edit:

This app would help @alven to solve the old issue:

Following a support request post this morning I became interested and installed portmaster.

It seems indeed a useful security addition, however, I also noted that a permanent ram usage of over 700MB will make it unsuitable for many older machines.

It’s another VPN service that can see all my traffic.

Also, it’s not working for me. The service starts but when the app is started, it wants to connect to Portmaster (why does a firewall need to access a remote service?), I guess it blocks itself from accessing.

very interesting indeed!

is it possible to have it installed and configured, but only use it, when you need it.

Yes that should work since you can quit the service via the taskbar icon and restart from the app menu when needed.

Portmaster isn’t an electron app.

Apparently you didn’t read the original post. Portmaster does not collect any private data - there is no way it could do that. Also it’s not connecting to a remote service. It’s a systemd.service

In the GUI you can swith on/off SPN with a slider.
Portmaster is opened and closed like any other application, or you can also define rules for which connections it should monitor or not

Or you can do all of that in the tray

Seems to be written in Go:

Base Technology

• Portmaster integrates into network stack using nfqueue on Linux and a kernel driver (WFP) on Windows.
• Packets are intercepted at the raw packet level - every packet is seen and can be stopped.
• Ownership of connections are (currently) found via /proc on Linux and the IP Helper API (iphlpapi.dll) on Windows.
• Most settings can be defined per app, which can be matched in different ways.
• Support for special processes with weird or concealed paths/actors:
  • Snap, AppImage and Script support on Linux
  • Windows Store apps and svchost.exe system services support on Windows
• Everything is 100% local on your device. (except the SPN, naturally)
  • Updates are fully signed and downloaded automatically.
  • Intelligence data (block lists, geoip) is downloaded and applied automatically.
• The Portmaster Core Service runs as a system service, the UI elements (App, Notifier) run in user context.
• The main UI still uses electron as a wrapper - but this will change in the future. You can also open the UI in the browser

“Force Block Incoming Connections” is enabled by default in the Global Settings for all apps to block all from LAN and internet.
But this option is in the highest priority and ignores or doesn’t respect your custom whitelists for any apps you want to set.

A tip:
How to switch from “Force Block Incoming Connections” to custom “Incoming Rules” in Global Settings:

1. Disable “Force Block Incoming Connections”

2. Change “Simple Interface” to “Advanced Interface” for GUI to show a hidden function “Incoming Rules”
   

3. Add “Allow localhost” and "Block *" in Incoming Rules, the behavior is like “Force Block Incoming Connections”
   

Done, global Incoming Rules respect your custom whitelists for any apps.

I really like the SPN, it must really confuse anyone watching my cat pictures whiz around the internet.
Some of the exit nodes are not the best fit geographically but that’s a minor gripe.

Setting the SPN to balanced my browser is connected to local exit servers and other things like nextcloud and steam take a more leisurely route.

image1163×884 66 KB

I use it since I heard about it in another thread a few months back, and I think it is a great tool too. I don’t use the paid features which are a good part of the application, still it provides me with a powerful tool to manage network related stuff. I used Eset on Windows for almost a decade and I like to be able to get some similar features like controlling individual application permission/settings. The global lists are great too!

Good to have it in Manjaro.

I also think it’s great (I only use the free stuff)

It’s actually so great I sometimes forget about it.
The other day when I finally installed manjaro ARM I wanted to connect my rpi to my standard backup network folder like I do on all my other scb:s. Could not for MY LIFE figure out why the server didn’t work on the new software wile ALL other scb:s work…
Then… kathcing “Oh yeah, portmaster…”
Click “smbd”, click “…”, click “allow ip”… Done…

It’s just fkn great, even plays well with my pihole with the correct settings.
Grade: 10/10

Anyone knows how to copy are import my setting to a second PC?

I try to rsync ~/config/Portmaster to another Computer, but that didn’t do the trick

I guess there would be system wild configuration files/folder somewhere else then.

//EDIT: maybe like /opt/safing/portmaster/ ?

thanks
/opt/safing/portmaster/config.json

anyone knows how to set the rules for Force Block Incoming Connections and syncthing ?

The rule localhost in incoming is active, but it still gets block.

Also, allowing syncthing IP in the filter didn’t help.

And the * in incoming allow rules + add the Force Block Incoming Connections Button seems redundant to me.

Force Block Incoming Connections is enabled by default, but it is in the highest priority and ignores your custom rules.

You can disable Force Block Incoming Connections and add Allow localhost and Block * in global incoming rules. See here: