• 2 Posts
  • 5 Comments
Joined 1Y ago
Cake day: Jun 25, 2020

OpenSnitch is modeled after LittleSnitch: It intercepts connections and if there is no rule that matches, it asks you what to do. This is a very simple and effective tool, IF you know your way around all the technical stuff and understand what these prompts tell you.

The Portmaster aims to bring privacy to everyone, even and especially to non-technical people. No worries, there will be loads of stuff for all the hardcore people! While there is a similar “ask” mode to Open/LittleSnitch (currently still broken and classed as an experimental feature, sorry), the focus is on more intelligent functionality:

  • Restriction via network scope: Localhost, LAN, Internet
  • Ability to deny any peer to peer communication (connections without associated DNS query)
  • Integrated DNS-over-TLS resolver
  • Ad/Tracker/Malware domain based filter lists with hourly incremental updates
  • Security Levels to quickly switch between settings to adapt to threats
  • … and so forth
  • In addition to all this, we will launch the biggest feature of all soon, the SPN, a brand new privacy network that somewhat compares to Tor and VPNs, but still is different: https://safing.io/spn/

Important note: The Portmaster is still in alpha, but it works quite well!


I understand you mean to run the Portmaster as a network service (?). The Portmaster is not meant to run this way, as its strength comes from the ability to know exactly which process is communicating with which entity on the Internet.

It tightly integrates with the OS using iptables on Linux and a custom kernel extension on Windows. Portmaster being software also means that you’re not bound to an extra piece of hardware and can take it along! Further, it can also regulate peer-to-peer communication, which is not possible with something like the Pi-Hole.

While it would be possible to use the Portmaster in combination with a Pi-Hole, there are several caveats:

  • You won’t be using the integrated DNS-over-TLS resolver. (Afaik, Pi-Hole needs additional work for encrypted DNS.)
  • If you use the DNS Filter Lists in Portmaster, blocked queries will not even reach the Pi-Hole as they are already blocked on your device directly. This will skew the statistics and history of this device on the Pi-Hole.
  • While you can set fallback DNS servers for when you are on the go, the IP address of your Pi-Hole could be used by another DNS server and possibly open you up to attacks. This is not a problem if you always use the Pi-Hole. Edited to add: just remembered that this will be solved automatically in the future, as the Portmaster would detect you are in a foreign network and disable insecure DNS resolvers. 🎉

When the Portmaster reaches beta or stable, it will cover most of the single-device functionality the Pi-Hole offers.


I see. (Thanks /u/ajz !)

PET is also part of NGI Zero, so I guess you applied for the Search and Discovery Fund?

We tried PET once with https://safing.io/ but their feedback was a bit inconclusive. We might try again. Anyway, I am really looking forward to how lemmy will evolve! :D



Disclaimer: I am the Lead Dev. I thought this would be a very fitting community to share this with ;)…


That is amazing! Congratulations! Was this the PET branch?