Application Profiles are how you control which applications are allowed to connect to the Internet, and how. Applications are matched by their installation path, so make sure the path to the binary is correct for a Profile to be applied (you can check the logs or the Monitor tab in the UI).

Properties

All of the properties are explained where they appear on the settings page (press the small i icon); here we will go through them in some more detail:

  • Name: Name of the application.
  • Description: Description of the application. Meant for when users discover applications they know nothing about in the monitoring tool in the UI.
  • Security Level: Define the minimum Security Level (and its configured features) that should be applied with this Profile.
  • Default: Define this profile as a Default Profile. See the explanation in section Default Profiles below.
  • Framework, Find, Build, Virtual, Find parent level, Merge with parent: These are helper settings used to re-match special applications (interpreters, sandboxed applications, child processes) to the correct Profile. See the explanation in section Framework Profiles below.
  • Domain Whitelist: Define a domain whitelist for this Profile; connections to all other domains will be denied.
  • ConnectPorts: Define a whitelist of remote TCP/UDP ports that the application is allowed to connect to.
  • ListenPorts: Define a whitelist of local TCP/UDP ports the application may listen on. Note that the Service flag needs to be set in order to allow listening at all.

Flags

Flags are an easy way to require or constrain an application to a certain behavior.

  • Executing User
    • System: System apps must be run by the system user, else deny.
    • Admin: Admin apps must be run by a user with admin privileges, else deny.
    • User: User apps must be run by a user (identified by having an active Safing UI), else deny.
  • Network Scope
    • Internet: Internet apps may connect to the Internet; if unset, all connections to the Internet are denied.
    • LocalNet: LocalNet apps may connect to the local network (i.e. private IP address spaces); if unset, all connections to the local network are denied.
  • Network Destinations
    • Strict: Strict apps may only connect to domains that are related to themselves
    • Service: Service apps may accept incoming connections
    • Direct Connect: These apps may directly connect to an IP address, without resolving DNS first. This is unusual and makes it harder to protect privacy, but may be required for P2P applications.
  • Special
    • Gateway: Gateway apps will connect to user-defined servers. Currently not in use.
    • Browser: Browsers are special in that their behavior cannot really be defined. Currently not in use.
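To make the interplay of the properties above (Domain Whitelist, ConnectPorts, ListenPorts) and the flags concrete, here is an added example in Go, written for this page; it is not Portmaster's code and does not use its API. It evaluates a connection attempt against a reduced profile. Assumptions made here and not stated on the page: an empty whitelist means "no restriction", the Direct Connect requirement applies to every outbound connection (local ones included), the Executing User flags and the unused Gateway/Browser flags are left out, and the profile, addresses and domains are constructed sample data.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Profile is a reduced stand-in for an application profile (illustrative, not Portmaster's type).
// Empty whitelists mean "no restriction" here; that default is an assumption of this example.
type Profile struct {
	Name            string
	Internet        bool     // flag: may connect to the Internet
	LocalNet        bool     // flag: may connect to private address space
	Service         bool     // flag: may accept incoming connections
	DirectConnect   bool     // flag: may connect to an IP without resolving DNS first
	DomainWhitelist []string // Domain Whitelist property
	ConnectPorts    []uint16 // ConnectPorts property (remote ports)
	ListenPorts     []uint16 // ListenPorts property (local ports, only with Service)
}

// Connection is one attempt to be judged. Domain is empty when no DNS lookup preceded it.
type Connection struct {
	Inbound bool
	Remote  net.IP
	Port    uint16
	Domain  string
}

func portAllowed(list []uint16, port uint16) bool {
	if len(list) == 0 {
		return true
	}
	for _, p := range list {
		if p == port {
			return true
		}
	}
	return false
}

// domainAllowed accepts the whitelisted domain itself and its subdomains, never a
// lookalike such as example.com.evil.test (a substring check would let that through).
func domainAllowed(list []string, domain string) bool {
	if len(list) == 0 {
		return true
	}
	d := strings.TrimSuffix(strings.ToLower(domain), ".")
	for _, w := range list {
		w = strings.TrimSuffix(strings.ToLower(w), ".")
		if d == w || strings.HasSuffix(d, "."+w) {
			return true
		}
	}
	return false
}

// Decide applies the flags and whitelists: listening is judged on its own, then network scope,
// then the DNS requirement, then the domain and port whitelists. It returns (allowed, reason).
func Decide(p Profile, c Connection) (bool, string) {
	if c.Inbound {
		if !p.Service {
			return false, "Service flag not set: listening denied"
		}
		if !portAllowed(p.ListenPorts, c.Port) {
			return false, fmt.Sprintf("local port %d not in ListenPorts", c.Port)
		}
		return true, "inbound allowed"
	}
	private := c.Remote.IsPrivate() || c.Remote.IsLoopback() || c.Remote.IsLinkLocalUnicast()
	if (private && !p.LocalNet) || (!private && !p.Internet) {
		return false, "network scope not allowed by the Internet/LocalNet flags"
	}
	if c.Domain == "" && !p.DirectConnect { // applied to every outbound connection in this example
		return false, "direct IP connection without prior DNS resolution"
	}
	if c.Domain != "" && !domainAllowed(p.DomainWhitelist, c.Domain) {
		return false, fmt.Sprintf("%s not in Domain Whitelist", c.Domain)
	}
	if !portAllowed(p.ConnectPorts, c.Port) {
		return false, fmt.Sprintf("remote port %d not in ConnectPorts", c.Port)
	}
	return true, "allowed"
}

func main() {
	// Constructed profile and connection attempts for a hypothetical mail client.
	mail := Profile{Name: "Mail client", Internet: true,
		DomainWhitelist: []string{"example.com"}, ConnectPorts: []uint16{993, 587}}
	for _, c := range []Connection{
		{Remote: net.ParseIP("93.184.216.34"), Port: 993, Domain: "imap.example.com"},
		{Remote: net.ParseIP("93.184.216.34"), Port: 80, Domain: "www.example.com"},
		{Remote: net.ParseIP("198.51.100.7"), Port: 993, Domain: "example.com.evil.test"},
		{Remote: net.ParseIP("198.51.100.7"), Port: 993},
		{Remote: net.ParseIP("192.168.1.5"), Port: 993, Domain: "nas.lan"},
		{Inbound: true, Port: 8080},
	} {
		ok, why := Decide(mail, c)
		fmt.Printf("%-5v %s\n", ok, why)
	}
}
```

Of the six constructed attempts only the first is allowed: the others fail on ConnectPorts, on the whitelist (the lookalike domain is rejected because the check is a label-boundary suffix match, not a substring match), on the missing Direct Connect flag, on the missing LocalNet flag, and on the missing Service flag respectively.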

Default Profiles

Because it is infeasible to have a separate Application Profile for every program you use directly or indirectly, you can also define a Profile for a whole folder. These Profiles are called Default Profiles and are matched on a path-prefix basis instead of an exact-match basis.

Framework Profiles

This system is work in progress.

Sometimes the program path is not the real entity that is executing code. Framework Profiles provide a means to identify the real actor behind a program. For example, when a Python script is executed, the program path will be that of the Python interpreter, but we actually want to match against the script that is executing, not the interpreter.

  • Framework: Defines that this Profile is a Framework profile. The program path will be rewritten and a new match will be tried. Should the new path not produce a match, this profile will be used as a fallback.

Going down the process tree, e.g. finding the actual script run by an interpreter:

  • Find: Regex to find match groups within the path.
  • Build: String that uses the regex match groups to build a new path. The resulting path is checked for existence.
  • Virtual: Do not check if the built path exists. This is useful to construct virtual namespaces for special categories of applications, like containerized/sandboxed applications.

Going up the process tree, using the path of the parent process to match a profile:

  • Find parent level: Defines the number of levels to traverse the process tree up.
  • Merge with parent: If true, view connections of this process as a part of the identified parent process.
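The following is an added example in Go of the matching order described in the Default Profiles and Framework Profiles sections: exact path first, then the longest Default prefix, and, when the hit is a Framework profile, either a Find/Build rewrite (existence-checked unless Virtual) or a walk up the process tree by Find parent level, with the Framework profile itself as the fallback. It is written for this page and is not Portmaster's code. Assumptions not stated on the page: Find runs over the whole command line rather than the binary path alone (an interpreter's script path only appears in its arguments); a Default profile may also be a Framework profile (used here to map Flatpak installs onto a virtual per-app path); rewrites stop after eight hops; and the profiles, process table and "files on disk" are constructed data standing in for the real ones.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Profile is a reduced stand-in for an application profile (illustrative, not Portmaster's type).
type Profile struct {
	Name, Path      string // Path is exact, or a prefix when Default is set
	Default         bool   // prefix match instead of exact match
	Framework       bool   // rewrite (Find/Build) or climb the tree (FindParentLevel), then rematch
	Find, Build     string // regex with groups, and the new path built from them ($1, $2 ...)
	Virtual         bool   // do not require the built path to exist
	FindParentLevel int    // >0: match the ancestor this many levels up instead
	MergeWithParent bool   // account this process's connections to that ancestor
}
type Process struct{ PID, PPID int; Path string; Args []string }  // node of the constructed process table
type Result struct{ Profile *Profile; Path string; MergedPID int } // MergedPID: ancestor PID when merged

// Constructed sample data standing in for the profile store, the process tree and the file system.
var profiles = []Profile{
	{Name: "Sync script", Path: "/opt/tools/sync.py"},
	{Name: "Firefox (Flatpak)", Path: "/flatpak/org.mozilla.firefox"},
	{Name: "System binaries", Path: "/usr/bin/", Default: true},
	{Name: "Python interpreter", Path: "/usr/bin/python3", Framework: true, Find: `(\S+\.py)\b`, Build: "$1"},
	{Name: "curl", Path: "/usr/bin/curl", Framework: true, FindParentLevel: 1, MergeWithParent: true},
	// Default and Framework combined (an assumption of this example): prefix match, then a virtual per-app path.
	{Name: "Flatpak apps", Path: "/var/lib/flatpak/", Default: true, Framework: true,
		Find: `^/var/lib/flatpak/app/([^/]+)/`, Build: "/flatpak/$1", Virtual: true},
}
var procs = map[int]Process{
	100: {PID: 100, PPID: 1, Path: "/usr/bin/python3", Args: []string{"/opt/tools/sync.py", "--daily"}},
	200: {PID: 200, PPID: 100, Path: "/usr/bin/curl", Args: []string{"https://example.com/"}},
	300: {PID: 300, PPID: 1, Path: "/var/lib/flatpak/app/org.mozilla.firefox/x86_64/stable/0123abcd/files/lib/firefox/firefox"},
	400: {PID: 400, PPID: 1, Path: "/usr/bin/vim"},
	500: {PID: 500, PPID: 1, Path: "/usr/bin/python3", Args: []string{"/tmp/missing.py"}},
}
var filesOnDisk = map[string]bool{"/opt/tools/sync.py": true}

// matchPath does the two plain lookups: exact path first, otherwise the longest Default prefix.
func matchPath(path string) *Profile {
	var best *Profile
	for i := range profiles {
		p := &profiles[i]
		if !p.Default && p.Path == path {
			return p
		}
		if p.Default && strings.HasPrefix(path, p.Path) && (best == nil || len(p.Path) > len(best.Path)) {
			best = p
		}
	}
	return best
}

// Match resolves the profile for a PID (an unknown PID yields an empty Result).
func Match(pid int) Result { return matchProcess(procs[pid], 0) }
func matchProcess(proc Process, hops int) Result {
	fallback := Result{Profile: matchPath(proc.Path), Path: proc.Path}
	p := fallback.Profile
	if p == nil || !p.Framework || hops > 8 { // the hop limit guards against rewrite loops
		return fallback
	}
	var next Process
	if p.FindParentLevel > 0 { // going up: match the ancestor instead (a missing ancestor leaves next empty)
		next = proc
		for i := 0; i < p.FindParentLevel; i++ {
			next = procs[next.PPID]
		}
	} else { // going down: rewrite with Find/Build and rematch. Assumption of this example: Find runs
		// over the whole command line, since an interpreter's script path only appears in its arguments.
		re := regexp.MustCompile(p.Find) // Find is assumed to have been validated when the profile was loaded
		cmdline := strings.Join(append([]string{proc.Path}, proc.Args...), " ")
		idx := re.FindStringSubmatchIndex(cmdline)
		if idx == nil {
			return fallback
		}
		next.Path = string(re.ExpandString(nil, p.Build, cmdline, idx))
		if !p.Virtual && !filesOnDisk[next.Path] { // the built path must exist unless Virtual
			return fallback
		}
	}
	r := matchProcess(next, hops+1)
	if r.Profile == nil {
		return fallback
	}
	if p.FindParentLevel > 0 && p.MergeWithParent {
		r.MergedPID = next.PID
	}
	return r
}
func main() {
	for _, pid := range []int{100, 200, 300, 400, 500} { // every sample PID matches a profile
		r := Match(pid)
		fmt.Printf("pid %d -> %s via %s (merged into pid %d)\n", pid, r.Profile.Name, r.Path, r.MergedPID)
	}
}
```

With the constructed data, PID 100 (python3 running sync.py) resolves to "Sync script"; PID 200 (curl spawned by it) climbs one level, lands on the same script profile and records PID 100 as the merge target; PID 300 is prefix-matched by the Flatpak Default profile and rewritten to the virtual path "/flatpak/org.mozilla.firefox"; PID 400 stays on the plain Default profile for /usr/bin/; and PID 500 falls back to the interpreter's own profile because "/tmp/missing.py" does not exist and Virtual is not set.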