Application Profiles are how you control which applications are allowed to connect to the Internet, and how. Applications are matched by their installation path, so be sure to have the path to the binary right for a Profile to be applied (you can check the logs or the monitor tab in the UI).
All of the properties are explained where they appear on the settings page (press the small i icon); here we will go through them in some more detail:
- Name: Name of the application.
- Description: Description of the application. Meant for when users discover applications they know nothing about in the monitoring tool in the UI.
- Security Level: Define the minimum Security Level (and its configured features) that should be applied with this Profile.
- Default: Define this profile as a default Profile. See explanation in section Default Profiles below.
- Framework, Find, Build, Virtual, Find parent level, Merge with parent: These are helper settings used to rematch special applications to the correct profiles. See explanation in section Framework Profiles below.
- Domain Whitelist: Define a domain whitelist for this Profile; connections to all other domains will be denied.
- ConnectPorts: Define a whitelist of remote TCP/UDP ports that applications are allowed to connect to.
- ListenPorts: Define a whitelist of local TCP/UDP ports applications may listen on. Please note that the Service Flag needs to be set in order to allow listening at all.
Flags are an easy way to require or constrain an application to a certain behavior.
- Executing User
  - System: System apps must be run by the system user, else deny.
  - Admin: Admin apps must be run by a user with admin privileges, else deny.
  - User: User apps must be run by a user (identified by having an active Safing UI), else deny.
- Network Scope
  - Internet: Internet apps may connect to the Internet; if unset, all connections to the Internet are denied.
  - LocalNet: LocalNet apps may connect to the local network (i.e. private IP address spaces); if unset, all connections to the local network are denied.
- Network Destinations
  - Strict: Strict apps may only connect to domains that are related to themselves.
  - Service: Service apps may accept incoming connections.
  - Direct Connect: These apps may directly connect to an IP address without resolving DNS first. This is unusual and makes it harder to protect privacy, but may be required for P2P applications.
  - Gateway: Gateway apps will connect to user-defined servers. Currently not in use.
  - Browser: Browsers are special in that their behavior cannot really be defined. Currently not in use.
Because it is infeasible to have a separate Application Profile for every program you directly or indirectly use, you can also define a Profile for whole folders. These Profiles are called Default Profiles and are matched on a path prefix basis instead of an exact match basis.
This system is work in progress.
Sometimes a program path may not be the real entity that is executing code. Framework Profiles provide a means to identify the real actor behind a program. For example, when a Python script is executed, the program path will be the Python interpreter, but we actually want to match against the script that is executing, not the interpreter.
- Framework: Defines that this Profile is a Framework profile. The program path will be rewritten and a new match will be tried. Should the new path not produce a match, this profile will be used as a fallback.
Going down the process tree, e.g. finding the actual script run by an interpreter:
- Find: Regex to find match groups within the path.
- Build: String that uses the regex match groups to build a new path. The resulting path is then checked for existence.
- Virtual: Do not check if the built path exists. This is useful to construct virtual namespaces for special categories of applications, like containerized/sandboxed applications.
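To make the matching rules above concrete, here is an added, illustrative matcher written for this page (it is not Portmaster's own code). It assumes this order: an exact path match first, then the Default Profile with the longest path prefix, and, if the matched profile is a Framework profile, a Find/Build rewrite of the program path followed by a rematch, falling back to the Framework profile itself. The profiles, paths and the injectable `exists` hook are constructed for the example.

```python
import os
import re
from dataclasses import dataclass

@dataclass
class Profile:
    name: str
    path: str              # exact program path, or a path prefix when default=True
    default: bool = False  # Default Profile: matched on path prefix
    framework: bool = False
    find: str = ""         # regex with match groups, applied to the program path (assumption)
    build: str = ""        # template using \1, \2 ... to build the new path
    virtual: bool = False  # skip the existence check for the built path

def find_base(program_path, profiles):
    """Exact path match first, then the Default Profile with the longest prefix."""
    for p in profiles:
        if not p.default and p.path == program_path:
            return p
    candidates = [p for p in profiles if p.default and program_path.startswith(p.path)]
    return max(candidates, key=lambda p: len(p.path), default=None)

def match_profile(program_path, profiles, exists=os.path.exists, depth=0):
    """Resolve the profile for a program path, following Framework rewrites (depth-limited)."""
    profile = find_base(program_path, profiles)
    if profile is None or not profile.framework or depth > 3:
        return profile
    m = re.search(profile.find, program_path)
    if m:
        new_path = m.expand(profile.build)          # e.g. /virtual/snap/firefox
        if profile.virtual or exists(new_path):
            rematched = match_profile(new_path, profiles, exists, depth + 1)
            if rematched is not None:
                return rematched
    return profile  # rewritten path matched nothing: the Framework profile is the fallback

PROFILES = [  # constructed sample profiles for the example
    Profile("Firefox (snap)", "/virtual/snap/firefox"),
    Profile("Snap apps", "/snap/", default=True, framework=True,
            find=r"^/snap/([^/]+)/\d+/", build=r"/virtual/snap/\1", virtual=True),
    Profile("System binaries", "/usr/bin/", default=True),
    Profile("curl", "/usr/bin/curl"),
]

if __name__ == "__main__":
    for path in ["/snap/firefox/1234/usr/lib/firefox/firefox", "/snap/vlc/42/usr/bin/vlc",
                 "/usr/bin/curl", "/usr/bin/wget", "/opt/unknown/app"]:
        hit = match_profile(path, PROFILES)
        print(path, "->", hit.name if hit else "no profile")
```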
Going up the process tree, using the path of the parent process to match a profile:
- Find parent level: Defines how many levels to traverse up the process tree.
- Merge with parent: If true, view connections of this process as a part of the identified parent process.