Privacy Filter (Golang Docs: firewall; Source Code: firewall/master.go)
The Privacy Filter is one of the most important parts of the Portmaster: it protects your privacy by blocking connections that are deemed a privacy intrusion, either by you or by the Portmaster itself.
It evaluates all connections leaving or entering your system. Filters are applied to DNS queries as well as to network connections. Every request or connection is run through a long list of checks and settings in order to protect your privacy as well as possible.
In addition to rule lists and block lists, the Privacy Filter provides a large set of advanced and dynamic filtering options. It also blocks attempts to circumvent the filtering and enforces it everywhere, all the time.
The Portmaster operates on the Network Layer (Layer 3) and focuses on the Internet Protocol, both IPv4 and IPv6. It can monitor and block the following protocols:
TCP
UDP
ICMP/v6 echo requests and replies (no process attribution)
A small set of protocols is absolutely critical for operating systems to correctly bootstrap and interact with the network itself. In order to guarantee network interoperability, the Portmaster always allows DHCP/v6 and ICMP/v6 control and error messages.
Because the Portmaster operates on the Network Layer (Layer 3), it does not see Data Link Layer (Layer 2) data or packets. As these can only travel within the local network's broadcast domain, they do not pose a privacy threat in the sense addressed by the Privacy Filter. Other Network Layer protocols, alternatives to IP, once existed, but they can safely be regarded as extinct.
These are the stages which every connection goes through when being evaluated - from top to bottom:
Before any further processing takes place, the Portmaster checks whether the connection is one of a few special cases that are always allowed in order to keep everything operational. These are:
If you are using the Simple User Interface, connections matching these criteria will not show up, in order not to confuse you. The Advanced and Developer Interfaces show some of these connections.
Incoming or direct (P2P) connections are blocked if enabled by Force Block Incoming Connections or Force Block P2P/Direct Connections .
Connections are blocked according to their scope if enabled by Force Block Internet Access , Force Block LAN or Force Block Device-Local Connections . This applies to both incoming and outgoing connections.
Connections are matched against the rule list:
Numerous systems and software packages use a special domain in order to determine whether they are online or not. The Portmaster grants special access to these domains only while it has not yet detected that the device is online. This improves network bootstrapping.
Processes are prevented from bypassing the Portmaster if enabled by Block Bypassing . This includes:
Connections are blocked if the domain or IP address is listed in one of the activated Filter Lists .
The Portmaster applies some basic heuristics to detect malicious behaviour in the DNS system if enabled by Enable Domain Heuristics . This is currently rather primitive, but should block the most obvious domains generated by malware, as well as DNS tunnels.
If nothing up to this point wanted to have a say in the decision, the Default Network Action is applied.
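The stage order above is the important property: the first stage that wants a say decides, and only when no stage does is the Default Network Action applied. The following Go program is an added example written for this page, not Portmaster's code; it models a subset of the stages (Force Block Incoming Connections, Filter Lists, Enable Domain Heuristics, Default Network Action) with a settings struct, a filter-list map and a DGA/DNS-tunnel entropy threshold that are all assumptions of the example.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Verdict: Undecided hands the connection to the next stage, Allow/Block end it.
type Verdict int

const (
	Undecided Verdict = iota
	Allow
	Block
)

type Connection struct {
	Domain   string
	Incoming bool
}

// Settings reuses the option names from the text; the struct is this example's.
type Settings struct {
	ForceBlockIncoming bool
	FilterLists        map[string]bool // stand-in for the activated Filter Lists
	DomainHeuristics   bool
	DefaultAction      Verdict
}

func forceBlockIncoming(c Connection, s Settings) (Verdict, string) {
	if s.ForceBlockIncoming && c.Incoming {
		return Block, "Force Block Incoming Connections"
	}
	return Undecided, ""
}

// filterLists checks the domain and each parent, as list entries cover subdomains.
func filterLists(c Connection, s Settings) (Verdict, string) {
	labels := strings.Split(c.Domain, ".")
	for i := range labels {
		if s.FilterLists[strings.Join(labels[i:], ".")] {
			return Block, "Filter Lists"
		}
	}
	return Undecided, ""
}

// shannonEntropy returns the entropy of s in bits per character.
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n, h := float64(len([]rune(s))), 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// domainHeuristics is deliberately primitive: a long, high-entropy label looks
// like DGA output or a DNS tunnel payload. The thresholds are this example's.
func domainHeuristics(c Connection, s Settings) (Verdict, string) {
	if !s.DomainHeuristics {
		return Undecided, ""
	}
	for _, label := range strings.Split(c.Domain, ".") {
		if len(label) >= 16 && shannonEntropy(label) >= 3.5 {
			return Block, "Enable Domain Heuristics"
		}
	}
	return Undecided, ""
}

// Decide runs the stages top to bottom; the first stage that wants a say wins,
// otherwise the Default Network Action applies.
func Decide(c Connection, s Settings) (Verdict, string) {
	stages := []func(Connection, Settings) (Verdict, string){
		forceBlockIncoming, filterLists, domainHeuristics,
	}
	for _, stage := range stages {
		if v, why := stage(c, s); v != Undecided {
			return v, why
		}
	}
	return s.DefaultAction, "Default Network Action"
}

func main() {
	s := Settings{ForceBlockIncoming: true, DomainHeuristics: true, DefaultAction: Allow,
		FilterLists: map[string]bool{"example.net": true}} // constructed sample entry
	for _, d := range []string{"ads.example.net", "xk3j9q2mzv7pw4rt8yb5n1lc6h.example.com", "example.com"} {
		v, why := Decide(Connection{Domain: d}, s)
		fmt.Printf("%-40s -> %d (%s)\n", d, v, why)
	}
}
```

Each stage returns the name of the setting that decided, so a blocked connection can always be traced back to the option responsible; that is also why the heuristic stage sits after the filter lists and before the default action, exactly as in the list above.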
Filter Lists (Golang Docs: intel/filterlists)
The Filter Lists module is responsible for fetching the filter lists, managing them and providing lightning fast access to them.
All the lists we include, as well as our own, are managed in this GitHub repo. The collection of sources can be found here.
All these sources are fetched regularly and repackaged into incremental updates, which are distributed via the update system. High frequency lists are updated every hour to give you the best possible protection.
These incremental updates are then “stitched back together” in the Portmaster, as well as fed into a bloom filter in order to provide lightning fast inclusion checks.
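The bloom filter makes the common case cheap: a negative answer is definitive and costs a few hash lookups, while a positive answer may be a false positive and has to be confirmed against the stitched-together list data. The Go program below is an added example for this page, not Portmaster's implementation; the FNV-1a double-hashing scheme, the filter size, the list IDs and the domains are all constructed for the example.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"strings"
)

// Bloom is a fixed-size Bloom filter: a negative answer is definitive, a
// positive answer may be a false positive and needs confirmation.
type Bloom struct {
	bits []uint64
	m, k uint64 // number of bits, number of hash functions
}

func NewBloom(mBits, k uint64) *Bloom {
	return &Bloom{bits: make([]uint64, (mBits+63)/64), m: mBits, k: k}
}

// indexes derives k bit positions from one 64-bit FNV-1a hash split into two
// 32-bit halves (Kirsch-Mitzenmacher double hashing).
func (b *Bloom) indexes(key string) []uint64 {
	h := fnv.New64a()
	h.Write([]byte(key))
	sum := h.Sum64()
	h1, h2 := sum&0xffffffff, (sum>>32)|1 // odd h2 keeps the k positions distinct
	idx := make([]uint64, b.k)
	for i := uint64(0); i < b.k; i++ {
		idx[i] = (h1 + i*h2) % b.m
	}
	return idx
}

func (b *Bloom) Add(key string) {
	for _, i := range b.indexes(key) {
		b.bits[i/64] |= 1 << (i % 64)
	}
}

func (b *Bloom) MayContain(key string) bool {
	for _, i := range b.indexes(key) {
		if b.bits[i/64]&(1<<(i%64)) == 0 {
			return false
		}
	}
	return true
}

// FilterListIndex pairs the Bloom filter with the authoritative entry set that
// the stitched-together lists provide; the filter only decides whether the
// slower authoritative lookup is worth doing.
type FilterListIndex struct {
	bloom     *Bloom
	entries   map[string][]string // domain -> IDs of the lists it appears in
	BloomHits int                 // positives reported by the filter
	Confirmed int                 // positives confirmed by the entry set
}

func NewFilterListIndex(lists map[string][]string) *FilterListIndex {
	idx := &FilterListIndex{bloom: NewBloom(1<<20, 4), entries: map[string][]string{}}
	for id, domains := range lists {
		for _, d := range domains {
			d = strings.ToLower(strings.TrimSuffix(d, "."))
			idx.entries[d] = append(idx.entries[d], id)
			idx.bloom.Add(d)
		}
	}
	return idx
}

// Lookup checks the domain and each parent domain and returns the IDs of the
// lists that contain the first match.
func (idx *FilterListIndex) Lookup(domain string) ([]string, bool) {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(domain, ".")), ".")
	for i := range labels {
		candidate := strings.Join(labels[i:], ".")
		if !idx.bloom.MayContain(candidate) {
			continue // definitive miss: the map lookup is skipped entirely
		}
		idx.BloomHits++ // BloomHits > Confirmed afterwards means a false positive
		if ids, ok := idx.entries[candidate]; ok {
			idx.Confirmed++
			return ids, true
		}
	}
	return nil, false
}

func main() {
	// Constructed sample lists; IDs and domains are not real list entries.
	idx := NewFilterListIndex(map[string][]string{
		"TRC": {"tracker.example.net", "ads.example.org"},
		"MAL": {"malware.example.com"},
	})
	for _, d := range []string{"cdn.ads.example.org", "example.org", "www.example.com"} {
		ids, listed := idx.Lookup(d)
		fmt.Printf("%-22s listed=%-5v lists=%v\n", d, listed, ids)
	}
	fmt.Printf("bloom hits: %d, confirmed: %d\n", idx.BloomHits, idx.Confirmed)
}
```

Two properties matter for a blocking decision: the filter can never miss a listed domain (no false negatives), so a miss can be trusted without touching the list data, and every hit is confirmed before it is acted on, so a false positive never turns into a wrongly blocked connection.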
The filter lists can be configured in the settings and can be selected by category or individually.
You can also add a .txt file as a custom filter list.
GeoIP (Golang Docs: intel/geoip)
This module provides IP address metadata. This is usually referred to as "GeoIP", but in reality it contains much more important information than just location.
We currently build our own IP metadata database, which includes:
The data comes from DB-IP, IPtoASN and IPFire Location, which we merge into a new database in the mmdb format created by MaxMind.
We will also add more detailed logical Internet location information from our own gathering system in the future.