For everyone trying to find out what the main product is: Portmaster seems to be a local Pihole kind of thing which injects itself into the DNS resolution locally.
The website could be better at explaining that and general discoverability.
I think the DNS resolution is only one feature. The screenshot shows active connections, including duration and the local process path. That's a lot more powerful and interesting than a local PiHole.
Nope. Portmaster is a full-fledged application firewall. Bypassing is not trivial, if not impossible.
SPN is _not_ part of the free version. If you can pinpoint where you might have gotten this feeling, it would be great if you could tell us - then we can improve!
I meant - does it route everything through an SPN (someone else's server).
The question arising is not necessarily your fault, more like healthy skepticism because other products turn out to be a service and you don't realize they've made themselves a dependency.
If you enable the SPN, everything is routed through the SPN by default and will go over at least two hops. You can change this to your preference. Most things can be configured per-app.
The SPN is the only service-like feature; all other features are 100% local. The only dependency is that updates - including intelligence data - are downloaded from our servers: traffic is encrypted and binaries are signed "end-to-end"; intel data will be signed soon.
The highlight of that discussion is that even though it's open source, you can't really build it by yourself because the build process is not documented and it's not a priority for the developers.
I wonder who is running these SPN nodes? Just as with Tor, if an agency runs a large number of the nodes, wouldn't it completely compromise the network? What if people abuse the system and IPs get blacklisted from services?
Suppose `curl` makes an outbound connection. I can add a rule for `curl`, but the rule cannot make use of the parent process hierarchy. Without this, any application could proxy through curl to evade firewall rules. For example if the process tree is git -> perl -> curl, I probably want to allow it, but spotify -> curl I want to deny. Another example is I probably want to allow (explicitly started) bash -> curl, but deny spotify -> bash -> curl.
Does Portmaster support this? If so I'll take it for a spin!
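The parent-chain matching proposed above, as an added example (not Portmaster code): a constructed process table (hypothetical pids and paths) is walked from the connecting process to the root, and the most specific rule chain that ends at that process wins, so `git -> perl -> curl` and a directly started `bash -> curl` are allowed while `spotify -> curl` and `spotify -> bash -> curl` are denied.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Process:
    pid: int
    path: str
    ppid: Optional[int]          # None for the root process

@dataclass(frozen=True)
class Rule:
    chain: Tuple[str, ...]       # parent -> child order, ending at the connecting binary
    action: str                  # "allow" or "deny"

def ancestry(table: Dict[int, Process], pid: int) -> List[str]:
    """Basenames from the connecting process up to the root, e.g. ['curl', 'perl', 'git', 'init']."""
    names = []
    proc = table.get(pid)
    while proc is not None:
        names.append(proc.path.rsplit("/", 1)[-1])
        proc = table.get(proc.ppid) if proc.ppid is not None else None
    return names

def evaluate(table: Dict[int, Process], rules: List[Rule], pid: int, default: str = "deny") -> str:
    """Longest (most specific) matching chain wins; anything unmatched gets the default."""
    names = ancestry(table, pid)
    for rule in sorted(rules, key=lambda r: len(r.chain), reverse=True):
        wanted = list(reversed(rule.chain))      # child -> parent, same order as `names`
        if names[:len(wanted)] == wanted:
            return rule.action
    return default

RULES = [
    Rule(("git", "perl", "curl"), "allow"),
    Rule(("bash", "curl"), "allow"),
    Rule(("spotify", "curl"), "deny"),
    Rule(("spotify", "bash", "curl"), "deny"),
]

# Constructed process table for the demo; pids and paths are made up.
TABLE = {p.pid: p for p in [
    Process(1, "/sbin/init", None),
    Process(100, "/usr/bin/git", 1), Process(101, "/usr/bin/perl", 100), Process(102, "/usr/bin/curl", 101),
    Process(200, "/opt/spotify/spotify", 1), Process(201, "/usr/bin/curl", 200),
    Process(202, "/bin/bash", 200), Process(203, "/usr/bin/curl", 202),
    Process(300, "/bin/bash", 1), Process(301, "/usr/bin/curl", 300),
]}

if __name__ == "__main__":
    for pid in (102, 201, 203, 301):
        print(" -> ".join(reversed(ancestry(TABLE, pid))), "=>", evaluate(TABLE, RULES, pid))
```

Note that every decision walks the whole ancestry, which is exactly the per-connection cost the developers mention further down as the reason they shelved this approach.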
This is exactly the thing we are aiming for, as Portmaster is intended to be as easy to use as possible.
We currently already have special support for AppImage and Snap packages on Linux and Windows Store apps and "svchost.exe services" on Windows. Additionally, we can detect common interpreters on Linux and correctly match the script file instead of the interpreter.
The support for these systems is implemented as "tags", which are attached to a process internally in Portmaster. These tags are then used to match a settings profile.
We almost had an implementation ready for what you want (matching the parent process), but we had to abort due to some difficulties in matching: the question we could find a good answer for was where to put the information about which binaries are merged into / inherit from the parent. The ideal scenario from a UX perspective would be to declare it on the parent as an "include all sub-processes" option. But this would mean we would need to fully resolve all parent processes including their settings every time we evaluate a process. We deemed this to be too slow and too complex for a quick and clean solution. If you or anyone else has a great idea, I'd be happy to have a call to discuss.
Deny Spotify the capability to start other processes?
Although I don't quite understand your example. Spotify needs network access to be useful, doesn't it? So what would blocking spotify -> curl protect against?
In general though, if a program doesn't have the capability to start outbound connections, then any child processes won't have it either. There is also a distinction as to which capabilities are inherited, so that you can have a process with network access, but without being able to pass that on to child processes.
Does this suffer from the same problem as VPNs, where a valid subpoena can force the company's hand to subvert connections to the Safing servers from a specific IP address?
No. The SPN uses multiple hops with onion encryption - just like Tor.
Your user/pass is never sent to the network servers, but only to the account server, which gives you blind-signed access tokens, so the servers of the network only know that you are allowed to access, but not who you are.
Yeah. This is a feature that caught my eye too. Blocking internet access to certain apps entirely. I do that actively on Android but it's been tough to do that on the laptop. Maybe Portmaster becomes the answer I want.
> Currently, we support Windows and Linux. We are planning on supporting Mac and Mobile in the future too, so everybody can enjoy easy privacy with their preferred operating system.
Kudos for full IPv6 support.