Install on Linux

  1. Installers
  2. Compatibility Reports
    1. Linux Kernel
    2. Desktop Environments
  3. Requirements
  4. Manual Install and Launching
  5. Security-Enhanced Linux (SELinux)
  6. Desktop Entry
  7. Arch Linux
  8. Troubleshooting
    1. Install Path Change
    2. Check if the Portmaster Is Running
    3. Starting And Stopping the Portmaster
    4. Changing the Log Level
    5. Accessing the Logs
    6. Debugging Network Issues
    7. No Network Connectivity After the Portmaster Stops
  9. Uninstall

This page covers how to install and uninstall the Portmaster on Linux.

Installers

We provide package installers for supported systems:

Please note that we only support the latest stable and LTS versions. We may be able to help out with other systems, but will not be able to invest a lot of time in order to keep focus.

The installers should take care of any needed dependencies. Please report back if they do not!

Please note that the Portmaster updates itself and that the provided packages are only meant for an initial install. Uninstalling the package from your system will properly uninstall and remove the Portmaster.

Compatibility Reports

Help make the Portmaster better for everyone by reporting your experience on different Linux distros.

Linux Kernel

System Version Status Link
Linux Kernel >= 5.7 🟢 confirmed compatible  
  5.6 🟡 issue reported #82
  2.4-5.5 🟢 confirmed compatible  
NixOS 21.05 🟡 issue reported #306

Desktop Environments

Environment Version Status Link
Budgie ? 🟡 issue reported #111
Cinnamon 4.6.7 🟢 reported compatible #297
Deepin DE   request for report  
Gnome 3.38 🟢 confirmed compatible  
  >= 3 🟢 estimated compatible  
KDE Plasma 5.18 🟢 reported compatible #324
LXDE   request for report  
LXQt   request for report  
MATE   request for report  
XFCE ? 🟢 confirmed compatible  

Requirements

The Portmaster Core Service is compatible with the Linux Kernel as of version 2.4, but due to a breaking bug in at least v5.6, we recommend to use v5.7+.

Dependencies:

  • libnetfilter_queue - for network stack integration
  • libappindicator3 - for sending desktop notifications (optional, but recommended)
  • Network Manager - for better integration (optional, but recommended)
Debian/Ubuntu 
sudo apt install libnetfilter-queue1 libappindicator3-1

You may need to enable the universe or multiverse repositories sources on Ubuntu.

Fedora 
sudo yum install libnetfilter_queue
Arch 
sudo pacman -S libnetfilter_queue libappindicator-gtk3

Manual Install and Launching

0. Install dependencies.

1. Download the latest portmaster-start utility and initialize all resources:

# Create portmaster data dir
mkdir -p /opt/safing/portmaster

# Download portmaster-start utility
wget -O /tmp/portmaster-start https://updates.safing.io/latest/linux_amd64/start/portmaster-start
sudo mv /tmp/portmaster-start /opt/safing/portmaster/portmaster-start
sudo chmod a+x /opt/safing/portmaster/portmaster-start

# Download resources
sudo /opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster update

All data is saved in /opt/safing/portmaster. The portmaster-start utility always needs to know where this data directory is.

2. Start the Portmaster Core Service

sudo /opt/safing/portmaster/portmaster-start core

3. Start the Portmaster UI

/opt/safing/portmaster/portmaster-start app

4. Start the Portmaster Notifier

/opt/safing/portmaster/portmaster-start notifier

Your Desktop environment may not (yet) be compatible.

5. Start it on boot

In order to get the Portmaster Core Service to automatically start when booting, you need to create a systemd service unit at /etc/systemd/system/portmaster.service. The following unit file works but excludes most of the security relevant settings. For a more restricted version use this portmaster.service file.

[Unit]
Description=Portmaster Privacy App

[Service]
Type=simple
ExecStart=/opt/safing/portmaster/portmaster-start core --data=/opt/safing/portmaster/
ExecStopPost=-/sbin/iptables -F C17
ExecStopPost=-/sbin/iptables -t mangle -F C170
ExecStopPost=-/sbin/iptables -t mangle -F C171
ExecStopPost=-/sbin/ip6tables -F C17
ExecStopPost=-/sbin/ip6tables -t mangle -F C170
ExecStopPost=-/sbin/ip6tables -t mangle -F C171

[Install]
WantedBy=multi-user.target

Finally, reload the systemd daemon and enable/start the Portmaster:

sudo systemctl daemon-reload
sudo systemctl enable --now portmaster

6. Enjoy!

Security-Enhanced Linux (SELinux)

If you are running with SELINUX=enforcing you probably were not successful with running the Portmaster and might see the following error in your journalctl -u portmaster:

dub 16 22:09:10 dev-fedora systemd[1]: Started Portmaster Privacy App.
dub 16 22:09:10 dev-fedora systemd[30591]: portmaster.service: Failed to execute command: Permission denied
dub 16 22:09:10 dev-fedora systemd[30591]: portmaster.service: Failed at step EXEC spawning /opt/safing/portmaster/portmaster-start: Permission denied
dub 16 22:09:10 dev-fedora systemd[1]: portmaster.service: Main process exited, code=exited, status=203/EXEC

This happens because SELinux will not allow you to run a binary from /opt/safing/portmaster as systemd service. For this to work you need to change the SELinux security context type of portmaster-start binary using the following command:

sudo chcon -t bin_t /opt/safing/portmaster/portmaster-start

Now you can restart the portmaster service and check that the portmaster started up successfully by running:

systemctl restart portmaster
systemctl status portmaster

Desktop Entry

To find and launch the Portmaster from within your desktop environment you need to create a file with metadata which tells your system how to run the Portmaster, which icon it should display in the taskbar, etc. The easiest way to do this on other distributions is to download the latest desktop entry and png icon from the portmaster-packaging repository:

sudo wget https://raw.githubusercontent.com/safing/portmaster-packaging/master/linux/portmaster.desktop  -O /usr/local/share/applications/portmaster.desktop
sudo wget https://raw.githubusercontent.com/safing/portmaster-packaging/master/linux/portmaster_logo.png -O /usr/share/pixmaps/portmaster.png

Right after you download both files the Portmaster should appear in your system search with an icon. If you still cannot see the Portmaster icon, please check whether the portmaster-start path in the desktop entry matches the path of your installation.

Arch Linux

For Arch users we provide a PKGBUILD file in the portmaster-packaging repository. We are currently reworking our installers and plan to submit to AUR as soon as we finished the rework.

For now, to install the Portmaster using the PKGBUILD, follow these steps:

# Clone the repository
git clone https://github.com/safing/portmaster-packaging

# Enter the repo and build/install the package (it's under linux/)
cd portmaster-packaging/linux
makepkg -is

# Start the Portmaster and enable autostart
sudo systemctl daemon-reload
sudo systemctl enable --now portmaster

Troubleshooting

Install Path Change

Installs before November 2021 were located in "/var/lib/portmaster", while new installs are located in "/opt/safing/portmaster".

The docs only reference the new path, but your system might still be using the old one. In order to upgrade your path you can re-install the Portmaster with the newest installer.

Check if the Portmaster Is Running

You can check if the Portmaster system service is actually running or if it somehow failed to start by executing the following command:

sudo systemctl status portmaster

This should show something like active (running) since <start-time>. Please also check if the start time seems reasonable. If it seems strange, try looking at the logs.

Starting And Stopping the Portmaster

If you encounter any issues you might want to (temporarily) stop the Portmaster. You can do this like this:

# This will stop the portmaster until you reboot.
sudo systemctl stop portmaster

# This will disable automatically starting the Portmaster on boot.
sudo systemctl disable portmaster

Changing the Log Level

When debugging or troubleshooting issues it is always a good idea to increase the debug output by adjusting the Log Level .

Accessing the Logs

Portmaster logs can either be viewed using the system journal or by browsing the log files in /opt/safing/portmaster/logs. Installs before November 2021 used /var/lib/portmaster instead. In most cases, the interesting log files will be in the core folder.

# View logs of the Portmaster using the system journal.
sudo journalctl -u portmaster

# You can also specify a time-range for viewing.
sudo journalctl -u portmaster --since "10 minutes ago"

Debugging Network Issues

Due to the Portmaster being an Application Firewall it needs to deeply integrate with the networking stack of your operating system. That means that “no network connectivity” might be caused at different points during connection handling. The following steps will help you to figure out where the actual issue comes from. Please include any output of the below commands in any related issues as it is very valuable in debugging your problem.

1. Check if the Portmaster Is Actually Up and Running
2. Test Direct Network Connectivity

The Portmaster includes a local DNS resolver to provide its monitoring and some filtering capabilities. In order to track down the issue, connect directly to an IP address. Should this work, this would indicate that there is a problem with the Portmaster’s DNS resolver.

# Check if a ping message succeeds.
# The Portmaster currently always allows ping messages.
ping 1.1.1.1

# Check if an HTTP request succeeds.
# In case of an error, look for "curl" in the network monitor of the Portmaster.
curl -I 1.1.1.1

# Or use wget to check if an HTTP request succeeds.
# In case of an error, look for "wget" in the network monitor of the Portmaster.
wget -S -O /dev/null 1.1.1.1
3. Test DNS Resolving

If the above step works the issue most likely resides somewhere at the DNS resolving level. To confirm, please try the following:

# Check if a DNS requests suceeds.
# In case of an error, look for "dig" in the network monitor of the Portmaster.
dig one.one.one.one
dig wikipedia.org

# Or use nslookup to check if a DNS requests suceeds.
# In case of an error, look for "nslookup" in the network monitor of the Portmaster.
nslookup one.one.one.one
nslookup wikipedia.org

No Network Connectivity After the Portmaster Stops

In case of a rapid unscheduled shutdown, the Portmaster may sometimes fail to cleanup its iptables rules and thus break networking. To work around this either use the recommended systemd service unit included in our installers or execute the following commands:

sudo /opt/safing/portmaster/portmaster-start recover-iptables

Uninstall

Uninstalling the portmaster package from your system will properly uninstall and remove the Portmaster.

Most distros will have a graphical software and package manager for uninstalling.
You can easily find it by opening the "Start Menu" and searching for "software".

Debian/Ubuntu 
sudo apt purge portmaster
Fedora 
sudo yum remove portmaster
Arch 
sudo pacman -Rnsu portmaster