
Portmaster uses iptables and nfqueue to inspect and control network traffic. The nfqueue allows packets to be handed over to user space and return a verdict and set a mark on that connection. https://docs.safing.io/portmaster/architecture/os-integration#linux

It is *far* easier to use and could be seen as a kind of GUI for iptables, but with detailed granularity unlike ufw https://wiki.archlinux.org/title/iptables#Graphical

I only use it on my local machine, not servers. It helps when I'm running a random electron app (eg Obsidian with Flatseal to isolate the file system): I get to see connection attempts and authorize/block them on an individual basis; it would be very menial to write those rules in iptables.

The Portmaster Core Service cannot do all this magic by itself. It works closely together with the Operating System’s Core - the Kernel. https://docs.safing.io/portmaster/architecture/overview

They plan a kernel module in future but so far I've not had any use case that would require that. The free version is more feature-rich than the paid-for product 'Little Snitch' on OSX, and they promise to retain that free tier.
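The hand-off described above (a packet of an unmarked connection is queued to user space, the daemon returns a verdict and sets a mark on the connection, and later packets of that connection take the cached verdict without another round trip), modelled as an added Python example. This is not Portmaster's code: the mark values, the rule format, the "prompt by default" behaviour and all traffic are assumptions and constructed sample data, written to show why the mark matters and how a per-app policy sits behind the queue.

```python
"""Model of an nfqueue-style firewall hand-off (constructed example, not Portmaster code).

Kernel side (modelled):  a rule that queues packets of connections with no mark to
                         user space, followed by mark-based ACCEPT/DROP rules.
User side (modelled):    a per-application policy, first match wins, default "prompt".
"""
import fnmatch
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Verdict(Enum):
    ACCEPT = "ACCEPT"
    DROP = "DROP"


# Assumed mark values; the real daemon's numbers are not given on the page.
MARK_ACCEPT = 1700
MARK_DROP = 1701
MARK_TO_VERDICT = {MARK_ACCEPT: Verdict.ACCEPT, MARK_DROP: Verdict.DROP}

ConnKey = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)


@dataclass(frozen=True)
class Packet:
    app: str  # owning process; a real daemon resolves this from the socket, here it is given
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def conn_key(self) -> ConnKey:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


@dataclass
class Rule:
    app_glob: str
    dst_glob: str
    dst_port: Optional[int]  # None matches any port
    verdict: Verdict

    def matches(self, pkt: Packet) -> bool:
        return (fnmatch.fnmatchcase(pkt.app, self.app_glob)
                and fnmatch.fnmatchcase(pkt.dst_ip, self.dst_glob)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


class UserSpaceDaemon:
    """Receives queued packets and answers with a verdict."""

    def __init__(self, rules: List[Rule], prompt: Callable[[Packet], Verdict]):
        self.rules = rules
        self.prompt = prompt
        self.prompts_shown: List[Tuple[str, str, int]] = []

    def decide(self, pkt: Packet) -> Verdict:
        for rule in self.rules:  # first matching rule wins, like a chain
            if rule.matches(pkt):
                return rule.verdict
        # No rule for this app/destination: ask the user (the "prompt by default" mode).
        self.prompts_shown.append((pkt.app, pkt.dst_ip, pkt.dst_port))
        return self.prompt(pkt)


class KernelModel:
    """Models the queue-if-unmarked rule plus a per-connection mark table (conntrack)."""

    def __init__(self, daemon: UserSpaceDaemon):
        self.daemon = daemon
        self.conn_marks: Dict[ConnKey, int] = {}
        self.queued = 0  # round trips to user space, the cost the mark is meant to avoid

    def handle(self, pkt: Packet) -> Verdict:
        key = pkt.conn_key()
        mark = self.conn_marks.get(key, 0)
        if mark == 0:  # unmarked connection: hand the packet to user space
            self.queued += 1
            verdict = self.daemon.decide(pkt)
            mark = MARK_ACCEPT if verdict is Verdict.ACCEPT else MARK_DROP
            self.conn_marks[key] = mark  # later packets of this connection skip the queue
        return MARK_TO_VERDICT[mark]


def run_demo() -> dict:
    """Constructed scenario: a browser with an allow rule, an unknown app that gets prompted."""
    user_answers = {"obsidian": Verdict.DROP}  # what the user clicks in the prompt

    def prompt(pkt: Packet) -> Verdict:
        return user_answers.get(pkt.app, Verdict.DROP)  # unanswered prompts block

    rules = [
        Rule("firefox", "*", None, Verdict.ACCEPT),
        Rule("*", "192.0.2.1", 53, Verdict.ACCEPT),  # assumed local resolver
        Rule("telemetry-*", "*", None, Verdict.DROP),
    ]
    kernel = KernelModel(UserSpaceDaemon(rules, prompt))

    # Three packets of one browser connection: only the first should be queued.
    browser = Packet("firefox", "10.0.0.5", 40001, "203.0.113.10", 443)
    browser_verdicts = [kernel.handle(browser) for _ in range(3)]
    queued_after_browser = kernel.queued

    # An app with no rule: queued once, user is prompted, answer is cached by the mark.
    editor = Packet("obsidian", "10.0.0.5", 40002, "198.51.100.7", 443)
    editor_verdicts = [kernel.handle(editor) for _ in range(2)]

    return {
        "browser": browser_verdicts,
        "queued_after_browser": queued_after_browser,
        "editor": editor_verdicts,
        "queued_total": kernel.queued,
        "prompts": kernel.daemon.prompts_shown,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the mark table is visible in the counters: three packets of the browser connection cost one trip to user space, and the prompted app is asked once, after which its DROP verdict is enforced in the kernel path without waking the daemon again.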

Very interesting. I guess the main advantage is dynamic filtering and scriptability, something that can be hard with bare iptables.

For my simple use case (home network, home VPN, remote VPS, and external VPN) I still prefer vanilla iptables. It gets the job done, I understand most of it and I feel more in control.

Also, iptables frontends might have serious vulnerabilities of their own. Once a good friend of mine had his VPS hacked due to a ufw and docker CVE.


Discussion

I'd highly doubt there could be an actual vulnerability for a firewall like this. It looks like the ufw & docker issue was due to docker not respecting ufw rules, requiring iptables to be disabled before it would follow ufw rules. It's not a vulnerability per se but more of a configuration issue. https://www.techrepublic.com/article/how-to-fix-the-docker-and-ufw-security-flaw/ My own experience (when I last tried using it 10 years ago) was that iptables has a huge number of flags and positional arguments to memorize, and then time spent testing every change made to see whether it had worked. I was admittedly using it to make my server act as a firewall and pass through internet traffic to the rest of my LAN on a different interface, something portmaster can't do. Glad you feel comfortable with it. FWIW portmaster does have several other neat features like custom DNS, monitoring, filter lists (eg Ads/malware), and the paid version can do inspection on individual applications.

You're right, it was more of an issue with docker than with ufw. But there's still a lesson in it: more moving pieces, more stuff that can go wrong.

For me, there's more likelihood I'd mess up an iptables configuration and leave a glaring hole for things to leak through. With portmaster I have most apps on prompt by default, so I get to evaluate things & add more rules on a per-app, per-connection basis that I could never handle with iptables.