This site is migrating to wiki.safing.io, which is being maintained by Safing and the community alike.

Privacy Filter

  1. Privacy Filter
  2. Supported Protocols
  3. Connection Evaluation Stages
  4. Filter Lists
  5. IP Metadata

Privacy Filter

Golang Docs

The Privacy Filter is one of the most important parts of the Portmaster: It protects your privacy by blocking connections that are deemed a privacy intrusion deemed by you or the Portmaster itself.

It evaluates all connections leaving or entering your system. Filters are applied to both DNS queries as well as network connections. Every request or connection is run through a long list of checks and settings in order to protect your privacy as best possible.

In addition to rule lists and block lists, the Privacy Filter provides a big set of advanced and dynamic filtering options. It also blocks attempts to circumvent the filtering and enforces it everywhere, all the time.

Supported Protocols

The Portmaster operates on the Network Layer (Layer 3) and focuses on the Internet Protocol, both IPv4 and IPv6. It can monitor and block the following protocols:

  • TCP
  • UDP
  • ICMP/v6 echo requests and replies (no process attribution)
  • Any other IP based protocol (no process attribution)

There is a small portion of protocols that are absolutely critical for operating systems to correctly bootstrap and interact with the network itself. In order to guarantee network interoperability, the Portmaster always allows DHCP/v6 and ICMP/v6 control and error messages.

Because the Portmaster operates on the Network Layer (Layer 3), it does not see Data Link Layer (Layer 2) data or packets. As these can only live within the local network’s broadcast domain, they do not pose a privacy threat. Regarding other Network Layer protocols, alternatives to IP existed, but they can be safely viewed as extinct.


Connection Evaluation Stages

These are the stages which every connection goes through when being evaluated - from top to bottom:

Special and Edge Cases

Before any further processing takes places, Portmaster checks if the connections is one of a few special cases that are always allowed in order to keep everything operational. These are:

  • Network Management Connections
    • Automatic network configuration via DHCP and DHCPv6
    • Network error messages via ICMP and ICMPv6
  • Portmaster Itself
    • Outgoing connections from Portmaster (Corresponding features can be disabled)
    • Device-Local incoming connections to Portmaster
  • Internal App Connections
    • Connections that come from and go to the same app/binary, even if they are different processes.

If you are using the Simple User Interface, then connections matching these criteria will not show up in order to not confuse you. The Advanced and Developer Interface will show some of these connections.

Connection Type

Incoming or direct connections (P2P) are blocked, if enabled by Force Block Incoming Connections or Force Block P2P/Direct Connections .

Connection Scope

Connections are blocked according to their scope if enabled by Force Block Internet Access , Force Block LAN or Force Block Device-Local Connections . This applies to both incoming and outgoing connections.

Rules

Connections are matched against the rule list:

  1. Outgoing Rules
    Rules that apply to outgoing network connections. Cannot overrule the above mentioned Connection Scopes and Connection Types.
  2. Incoming Rules
    Rules that apply to incoming network connections. Cannot overrule the above mentioned Connection Scopes and Connection Types.
Connectivity Domains

Numerous systems and softare use a special domain in order to determine if they are online or not. The Portmaster grants special access to these domains only while Portmaster has not yet detected that the device is online. This improves network bootstrapping.

Bypass Prevention

Processes are prevented from bypassing Portmaster if enabled by Block Secure DNS Bypassing . This includes:

  • Notifying Firefox that it should not use its own DNS-over-HTTPS resolver, but fall back to plain DNS, which the Portmaster then handles securely for you.
  • Blocking known domains and IPs of DoH and DoT nameservers.
Filter Lists

Blocks connection if the domain or IP address is listed in one of the activated Filter Lists .

Domain Heuristics

The Portmaster applies some basic heuristics to detect malicious behaviour in the DNS system if enabled by Enable Domain Heuristics . This currently is rather primitive, but should be able to block the most obvious domains generated by malware, but also DNS tunnels.

Default Network Action

If nothing up to this point wanted to have a say in the decision, the Default Network Action is applied.

Filter Lists

The Filter Lists module is responsible for fetching the filter lists, managing them and providing lightning fast access to them.

All the lists we include, as well as our own, are managed in this Github repo. The collection of sources can be found here.

All these sources are fetched regularly and repackaged into incremental updates, which are distributed via the update system. High frequency lists are updated every hour to give you the best possible protection.

These incremental updates are then “stitched back together” in the Portmaster, as well as fed into a bloom filter in order to provide lightning fast inclusion checks.

The filter lists can be configured in the settings and can be selected by category or indiviually.

IP Metadata

Golang Docs

This modules provides IP address metadata. This is usually referred to as “GeoIP”, but in reality there is much more important information in there than just location.

We currently build our own IP metadata database, which includes:

  • Continent
  • Country
  • Coordinates
  • ASN (Autonomous System Number)
  • Owner (Organization)

The data comes from DB-IP, IPtoASN and IPFire Location, which we merge into a new database in the mmdb format created by MaxMind.

We will also add more detailed logical Internet location information from our own gathering system in the future.