Portmaster and SPN by Safing.io

bedna · 24 October 2023 14:30

It seems you misunderstand.
I want to utilize my hundreds of thousands of url:s in the piholes blocklists, not the portmaster lists that apparently usually contains less than 10 urls.

And If I try to DISABLE portmaster list blocking, it still leaks outside of my designated DoH configured DNS (pihole)

I posted the drill commands above, the first should also report 0.0.0.0

Edit
These are also mentioned in the documentation, I actually missed that. No idea how they are implemented though (ie, how do I disable them? Do I have manually edit sources.yml?), but fair should be fair.

mithrial · 24 October 2023 15:19

Where did you set the DNS?

omano · 24 October 2023 16:33

The one acting like an ass in this topic is you, but I guess you can’t see that. How many ass in this thread spent that much time to provide you with what you needed? All the sources and documentation explaining all your questions?

If you’re so much worried about PortMaster, I would suggest you don’t bother asking random people on the internet, but contact them directly and ask them questions directly. Then tell them they are ass because they replied to you.

linux-aarhus · 24 October 2023 17:40

@bedna
Portmaster is not a VPN but a service.

Just like many other services you can use parts of it for free - if you want more - you pay for it and that is perfectly legit.

It’s like a free meal as in gratis - if you don’t like it - don’t eat …

I once worked with a swedish guy - his name was Jerker - that was a joke …

bedna · 24 October 2023 21:19

If you are asking where on the network, the dhcp server (happens to be the same as router) ofc.

The tread is called “Portmaster and SPN by safing.io” in “Manjaro Developemend QA”.
I’m sorry I guess, I took for granted a QA thread was for QA.

Ok… I never thought it was either…? Not sure why you came to that conclusion.

I 100% agree to that, if the program worked like that. The problem is the feature that is supposedly free (filter lists) is not free, because in filtering you assume you will SEE what is being filtered.

But ok then, lets disable that part of the program (filtering) and ONLY use port blocking.
But as I described above, after DISABLING filter lists, they do NOT become disabled.

I honestly thought this thread was to ask questions about portmaster, if not, should it not be closed by now?

LOL, and a good one, I have actually never heard that before.

But questioning flaws is not equal to being a jerk. Unless portmaster is supposed to work like this (leaking outside the ONLY defined DNS), this is def not a jerk situation but rather a big flaw in the program. Depending on who you ask it can also be pretty serious.

If it is by design the whole section about “manual configured DNS” should simply be removed or WARN THAT PORTMASTER WILL DO DNS REQUESTS OUTSIDE OF THE DEFINED DNS!!!

What i suspect is happening, but can not confirm without PAYING THEM (for logs) is that dns requests can:

Leak outside, like is mentioned in the reddit thread, I constantly see Portmaster complain about “slow dns requests” even though they are sub 25ms)
DNS requests are cached by portmaster somewhere.

soundofthunder · 24 October 2023 22:54

Regarding these default blocklists;

Is there any official clarification as to the reasoning behind the apparent sparsity of these lists?

Are they meant as placeholders for the User to replace with their own; or perhaps container files for imported external lists?

Or, are the examples shown above presumed somehow to be sufficient?

These are valid questions, so please do not try to deflect with the obvious fact that one can provide their own blocklists. Thanks.

omano · 25 October 2023 06:47

From usage they are obviously not one liners lists.

Zesko · 25 October 2023 07:17

Portmaster setting (Advanced Interface) → Privacy Filter → Block Secure DNS Bypassing that is enabled by default.

Block Secure DNS Bypassing

Prevent apps from bypassing Portmaster’s Secure DNS resolver. If disabled, Portmaster might have reduced information to correctly enforce rules and filter lists. Important: Portmaster’s firewall itself cannot be bypassed.

Current Features:

Disable Firefox’ internal DNS-over-HTTPs resolver

Block direct access to public DNS resolvers

Please note that DNS bypass attempts might be additionally blocked in the Sytem D there too.

Edit://

Git commit [057d16] Block DNS requests with IPs 0.0.0.17 and ::17

Raphty · 25 October 2023 07:47

So I wanted to reply a couple days ago, and I probably should have

I guess the main issue is that people don’t read…

The second paragraph in the repository:

External Sources

All Portmaster’s external sources are listed in the sources.yml.

When you click that link it brings you to a list with hundreds of filter lists we integrate.

some additional info about this process can be found here:
https://wiki.safing.io/en/Portmaster/Architecture/PrivacyFilter#filter-lists-1

We collect the domains of all those lists and de-duplicate them so to save on file size and you download updates hourly with all the new information.

In regards to the logs…
People sometimes say: “pleas delete my browser history when I die…” well your pi-hole is an external browser history and storing it is a privacy nightmare and tbh somewhat stupid.
Portmaster keeps the last 10 min in memory and does not write anything to disk so nothing can grab that information!
Yes there is a history module where you can record the network activity for any application for longer, but pleas don’t use it on your browser , and yes it is a paid upgrade.

Also thanks @Zesko @omano and @linux-aarhus thanks for being nice, and helpful. People who are “asking” questions and then just start renting/venting can destroy a good and productive conversation. But your ethics steer this back to a good place! Thank you

Also FYI my feedly gives me alerts for this forum from time to time so I do read most of the comments here, and I might be back sooner rather then later

added later:

I forgot to mention: if you have a favorite filter list that is not included in the sources.yml, then pleas open an issue in that repo and we will look into including that list… Having the best lists for all and not everyone for themselves is the way to got

soundofthunder · 25 October 2023 10:09

As this thread purports to be a Portmaster QA, by virtue of its forum location, the need to RTFS is irrelevant. The questions here should have prompted simple enough answers, as they did.

The .yml file confirms my initial assumption.
Thank you, I appreciate the response.

Considering most of the sources indicated have multiple lists available; and with the small sampling given above; it wasn’t obvious at all; thus my request for clarification. Clearly, they are not one-liner lists, as you call them. Thanks for your input, regardless.

omano · 25 October 2023 11:24

As I said, from usage, you know when you use it, it is not one line blocklists, they are imported, and merged as explained in the documentation linked above. Also Zesko pointed out from the GUI you can check the source of the list. From usage I also explained a case earlier, where I had to disable multiple lists to be able to join online games because there was many Microsoft servers/services blocked so it adds t othe fact that the lists are actually list, containing more than one line of sources.

soundofthunder · 25 October 2023 11:26

Thank you for explaining; beyond your one-liner.

Cheers.

linux-aarhus · 26 October 2023 09:31

The reason is - your mention of leaking - which is the concept of DNS requests going to a DNS outside your VPN tunnel - usually due to misconfiguration.

As Portmaster is not a VPN leaking cannot occur.

If one has expectations but don’t know how Portmaster works this is not Quality Assurance issue - would be better discussed in a separate thread.

bedna · 27 October 2023 11:39

Never said it was, I was saying that something within portmaster is leaking.
At install (IIRC) there were TWO DNS servers specified in portmaster, cloudflair I think.
I have changed that to ONLY use my specified DNS.

Made a tiny bit of testing. I disabled the DNS to see how portmaster would react, surprise surprise, a notification telling me it will use OTHER DNS servers (what server, not so clear) because “I have no internet” and I could still use internet. Suuuuure, its not leaking at all.
(Yes, I have disabled the dns usage in firefox)

Since they are not interested in finding out what is going on (I only posted to help) I went from not using it to uninstalling, most ppl here adviced that anyway, and uninstalling was always an option.

I also stopped using youtube this week after they trying to force me to pay them.

Pretty sure I am not alone with a pihole setup, and if they do not want these 2 things working together, well lets just put it this way. If the choice is between a paywalled software and a completely free well tested software, the choice is easy.

My bad, I misunderstood. I’ll just uninstall and retreat.

Zesko · 28 October 2023 07:10

Have you tried disabling Block Secure DNS Bypassing in the Portmaster setting?

I already mentioned above:

Check the current source code with the comment:

github.com

safing/portmaster/blob/beed574fa3886ae514dd66229aac368c086968bf/nameserver/nsutil/nsutil.go#L59


      
          func (rf ResponderFunc) MarshalJSON() ([]byte, error) {
          	return json.Marshal(nil)
          }
          
          // BlockIP is a ResponderFunc than replies with either 0.0.0.17 or ::17 for
          // each A or AAAA question respectively. If there is no A or AAAA question, it
          // defaults to replying with NXDomain.
          func BlockIP(msgs ...string) ResponderFunc {
          	return createResponderFunc(
          		"blocking",
          		"0.0.0.17",
          		"::17",
          		msgs...,
          	)
          }
          
          // ZeroIP is a ResponderFunc than replies with either 0.0.0.0 or :: for each A
          // or AAAA question respectively. If there is no A or AAAA question, it
          // defaults to replying with NXDomain.
          func ZeroIP(msgs ...string) ResponderFunc {
          	return createResponderFunc(

and check the function PreventBypassing()

github.com

safing/portmaster/blob/beed574fa3886ae514dd66229aac368c086968bf/firewall/bypassing.go#L18


      
          	"github.com/safing/portmaster/nameserver/nsutil"
          	"github.com/safing/portmaster/network"
          	"github.com/safing/portmaster/network/packet"
          	"github.com/safing/portmaster/profile/endpoints"
          )
          
          var resolverFilterLists = []string{"17-DNS"}
          
          // PreventBypassing checks if the connection should be denied or permitted
          // based on some bypass protection checks.
          func PreventBypassing(ctx context.Context, conn *network.Connection) (endpoints.EPResult, string, nsutil.Responder) {
          	// Exclude incoming connections.
          	if conn.Inbound {
          		return endpoints.NoMatch, "", nil
          	}
          
          	// Exclude ICMP.
          	switch packet.IPProtocol(conn.Entity.Protocol) { //nolint:exhaustive // Checking for specific values only.
          	case packet.ICMP, packet.ICMPv6:
          		return endpoints.NoMatch, "", nil
          	}

This was a feature that was expected for some reason.

Raphty · 7 November 2023 12:04

For me to understand this threat correctly, the QA stands for Quality Assurance not Question and Answer, is this correct?

I love feedback and we know Portmaster still has room to grow, so QA feedback is super welcome.
I check in here every other week or so and I read through all messages, so nothing gets lost.

Thanks for all the help.

soundofthunder · 7 November 2023 21:04

QA – Quality Assurance
Q&A – Question and Answer

At least, that has always been my understanding.

omano · 7 November 2023 23:37

Hover the mouse cursor above the category under the title, you have the tool tip telling you what it is.

bedna · 26 November 2023 12:03

I backed off when I was more or less told to.
I’m “not nice” apparently, but your response would probably have been very helpful if I still had it installed.

EVERYTHING except port blocking was disabled in the interface, I am 1000% sure of that.

When I read your response I felt really bad for you taking the time to try to help, thank you for that.
I no longer use the program so I can not help to test (witch was the only reason I started the conversation in the first place, I wanted to help to try to find out WHY)

Edit
And for the portmaster person responding, I was not looking for dns records or anything, I was looking for normal logs from portmaster, I totally get that the blocklists are paywalled in this situation, the problem was that I COULD NOT DISABLE THE BLOCKING/BYPASSING!

Zesko · 2 December 2023 12:03

If you want to be prompted by a pop-up notification about a new connection,
go Global Settings → Privacy Filter → General → Default Network Action → Change Allow to Prompt

For example:

When any program wants to connect a new domain for first time, the notification will prompt you whether you accept the connection or not. This is your judgement:

Screenshot_20231202_124324

Edit:

If you trust an app, you do not want to be prompted by many notifications about this app (that connects to random different domains), you can change Prompt to Allow for this app setting instead of global setting.

For example:

I don’t want a lot of new random Firefox connections asking me a lot like spams,
then go Portmaster → Apps → Firefox → Settings for Firefox only (NOT global settings for all apps) → Default Network Action → Change Prompt to Allow.
It no longer notifies me as expected, that’s simple.