Application firewall suggestions

For years I have been telling myself to install an application firewall.

Any suggestions for the best ones to try? OpenSnitch has been around the longest but there are several newer apps as well.

NOTE: Tools like firewalld and ufw are network firewalls. I am looking for something to complement my network firewall, not replace it.

I use a combination of ufw and OpenSnitch. I am no expert but I think/hope that it has been working well so I haven’t looked further.

Once I installed Portmaster but I didn’t take my time to configure it well so I uninstalled it.

I had never heard of something like this on the desktop, only something like ModSecurity on the server but I went looking around and came across one. Not sure how much it adds to a desktop system?

In what way does it add to your network firewall?

As I was typing @cactux replied first and linked the one I found that looked interesting, that is Portmaster.

It does something completely different. You can use it to selectively block traffic coming from applications. It is mostly useful for managing outbound traffic.

It can also be used diagnostically to monitor what your applications are doing.

Since modern compromises generate traffic from inside, I would say very applicable to a desktop.

Never thought of it that way, sounds like a good reason to try it myself as well. So I’ll be trying out Portmaster myself as well then.

I remember that I was a little overwhelmed by its GUI. But that’s me. I admit it is kind of beautiful and I am sure it is pretty good at what it does.

I find OpenSnitch more austere and intuitive to use.

Not an application firewall, but an interesting thing too:

Portmaster looks interesting, but I don’t want to pay $10+/month to actually use the features. I don’t need it, but yes, it does look interesting.

I tried it for a short period a couple of years ago. No, it’s not free software. I think the free version did cover the basic functionalities of an application-level firewall, but I may not remember correctly.

You are talking to a simpleton here.
Say your firewalld is dialed in, you are skimpy with your zones, most incoming rejected and most outgoing accepted.

What’s the worst a chatty app could do to you, for instance? Give me some kind of threat profile or a what if?

I’m very intrigued by this but not wrapping my head entirely around an application firewall. Isn’t firejail/sandbox similar?

Not just at Dalto, but questions for anyone who has a POV. Grazie!

Personally, I’d just (mostly) use it for information, like why is that app dialing home? What is it telling them?

How would you actually do this and still have your machine be usable? It is easy to use a network firewall to block incoming traffic but blocking outgoing traffic is hard on a desktop because traffic can go anywhere.

With an application firewall, you can see where traffic is going on a per-application basis which makes it much easier to see what is happening. Further, you can block certain applications and not others.

For example, I can say block all traffic from applications unless I specifically allow that application to have outbound traffic. Taking it a step further, you can allow an application to have traffic but stop only that application from talking to specific destinations.

Within 10 minutes of installing OpenSnitch I have seen some interesting things. For example, Vivaldi, Brave and Firefox were all sending traffic to themselves. I easily blocked those destinations while still allowing those applications to use the network.

Opensnitch has worked well for me. Regex rules can be kinda finicky though.

Coulda had that transposed, oops.

Makes sense, thank you.

Brave has officially denied that happens, so that is interesting. Now how many times a day they call internal IPs would be interesting.

I agree with this, I would too.

It looks like it was every 15 minutes until I blocked it and then it worked its way up to every 5 minutes.

So, under normal usage, my guess would be every 15 minutes.

To be clear, I am not saying the traffic is malicious. It is probably mundane. However, the fact that I can’t disable it normally is concerning to me.

I have brave installed but I haven’t yet looked at it with the eyes of OpenSnitch that much since I don’t use it that much either.

I had a quick look just now. It made a lot of connections, among others to go-updater.brave.com.
I blocked the connection. Then it failed to update the blocklists you can add to its ad/content blocker. So that’s at least one of the things connecting to that destination does.
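Added example, not code from this thread or from the OpenSnitch project: a toy per-application egress policy in Python that models the two rule shapes described earlier (deny by default unless an application is allowed, and allow an application but deny one specific destination, the go-updater.brave.com case just described), plus a helper that measures how often a destination is retried from a constructed connection log. The executable paths, timestamps and first-match-wins ordering are assumptions of this model, not OpenSnitch's own rule engine.

```python
from datetime import datetime
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str                      # "allow" or "deny"
    process: str                     # absolute path of the executable
    dest_host: Optional[str] = None  # None matches any destination


# Constructed policy (paths are assumed, not taken from any real install):
# Brave may use the network except for its updater host; Firefox is allowed
# outright; anything not listed falls through to the default deny.
POLICY = [
    Rule("deny", "/usr/bin/brave", "go-updater.brave.com"),
    Rule("allow", "/usr/bin/brave"),
    Rule("allow", "/usr/bin/firefox"),
]


def decide(policy, process, dest_host):
    """Verdict for one outbound connection: the first matching rule wins,
    and a connection that matches no rule at all is denied."""
    for rule in policy:
        if rule.process == process and rule.dest_host in (None, dest_host):
            return rule.action
    return "deny"


# Constructed connection log: (ISO timestamp, process path, destination host).
EVENTS = [
    ("2024-01-01T10:00:00", "/usr/bin/brave", "go-updater.brave.com"),
    ("2024-01-01T10:02:00", "/usr/bin/firefox", "example.org"),
    ("2024-01-01T10:15:00", "/usr/bin/brave", "go-updater.brave.com"),
    ("2024-01-01T10:30:00", "/usr/bin/brave", "go-updater.brave.com"),
]


def mean_interval_seconds(events):
    """Average seconds between repeat connections per (process, host);
    pairs seen only once are left out, since they have no interval."""
    seen = {}
    for ts, process, host in sorted(events):
        seen.setdefault((process, host), []).append(datetime.fromisoformat(ts))
    result = {}
    for key, times in seen.items():
        if len(times) > 1:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            result[key] = sum(gaps) / len(gaps)
    return result


if __name__ == "__main__":
    for ts, process, host in EVENTS:
        print(ts, process, host, "->", decide(POLICY, process, host))
    print(mean_interval_seconds(EVENTS))
```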

This can also do firewalling at the app level, from what I gather.

Perhaps for example, one installs an application on their desktop that’ll help manage system wide scheduled tasks. Cron can be pretty tricky, so the user was looking for an easy way to manage it. It’s a more obscure app, so not a lot of comments and such, but it seems to do the job. When launching, it requested privileges, but that’s perhaps expected because of what it needs to be able to control.

What if that application smuggled in with it hidden crypto mining scripts that are now on your system chewing up system resources to mine crypto you’ll never see? Or now your system has a NAT-traversing back door that will permit hacker groups to use your computer as a launching point for attacks? There are lots more ways this could play out, but the idea is, something was installed and you can’t be confident of its intentions.

Now whether it’s overtly malicious like those two examples, or dubiously questionable, like telemetry in a browser, the take home point is we can’t be confident of the intentions.

Does a calculator, local password store or image editor need Internet access? In most cases, probably not. Yet without an application firewall, they all have Internet access.

This is what I found out so far about this specific connection:

Connecting to go-updater.brave.com is related to updating components within the Brave browser. This server is part of Brave’s component update system, which allows the browser to receive asynchronous updates to core functionality without requiring a full browser update.

Here’s what this connection is used for:

  1. Component Updates: Brave uses component extensions to update features like Ad Block, HTTPS Everywhere, Tracking Protection, Tor Client Updater, and Widevine Content Decryption Module, among others. These components are updated via the go-updater.brave.com server.
  2. Update Process: On startup, Brave checks this server for updates to its registered components. If updates are available, they are downloaded and installed. This process helps keep Brave’s functionality current without needing to update the entire browser.
  3. Frequency of Updates: Brave checks for component updates every 5 hours, with some components like NTP Sponsored Images being checked more frequently (every 15 minutes).

I like OpenSnitch. It gets the job done.
Now back to investigating Brave but I won’t post about it since it will be off topic.

When I did use Brave I did not use those things, and this is their policy, I do remember that. Thank you for that.