Safing Portmaster v2 in Fedora VMs

Hello.
This guide is for installing Safing Portmaster v2.
Do not upgrade Safing Portmaster v1 to the new version - it makes more trouble than one wants.
Safing Portmaster v1 was installed as a normal, hand-run program and its autostart was controlled by .desktop files. Now it runs as a service, and cleaning up after an upgrade is not worth it.
So if someone has Safing Portmaster v1 installed, I encourage you to completely uninstall it and clean up after it.

Now for installing.
Again, there’s no repository to add, so we need to download the .rpm package.
But first decide on the template in which to install it. Every appVM based on this template will run portmaster.service automatically.
I’ve installed it in my multipurpose/multimedia template, but for the sake of this guide I will assume a new template.

  1. Clone the default fedora-xfce4 template and name it tmpl-portmaster.
     The easiest way is from the GUI in Qube Manager.
  2. Download the .rpm package in a disposable qube from the Safing site.
  3. Move the downloaded file to tmpl-portmaster.
  4. Install the .rpm file in tmpl-portmaster.
  5. Restart the tmpl-portmaster template and you will see a notification from portmaster and its icon in the system tray - open the app.
  6. After opening the portmaster app, do the Quick Setup - either leave everything default or change, for example, DNS to something more secure (I’m using Quad9 with Cloudflare as fallback).
  7. Close the app UI and shut down tmpl-portmaster.

Now, in every appVM you base on tmpl-portmaster, portmaster will start as a service in the background, minimized to the tray.
In order to be able to configure it on a per-VM basis you need to make its configuration directory persistent, as it is now located in /var/lib/portmaster/.

  1. Open the appVM Xfce Terminal from the Q menu.
  2. Go to /rw/
$ cd /rw
  3. Check if the bind-dirs directory is there
$ ll
total 32
drwxr-xr-x.  3 root root  4096 Aug 29  2024 bind-dirs
drwxr-xr-x.  2 root root  4096 Aug 29  2024 config
drwxr-xr-x.  3 root root  4096 Aug 29  2024 home
drwx------.  2 root root 16384 Aug 29  2024 lost+found
drwxr-xr-x. 12 root root  4096 Jun 25  2024 usrlocal

  4. If not, make it
$ sudo mkdir bind-dirs
  5. Go to the bind-dirs directory, make var/lib and go inside
$ cd bind-dirs
$ sudo mkdir -p var/lib
$ cd var/lib
  6. Copy /var/lib/portmaster to /rw/bind-dirs/var/lib/ (as root, with -a, so the root-owned 0600 config.json and its permissions are preserved)
$ sudo cp -a /var/lib/portmaster/ ./
  7. Check if it copied
$ ll portmaster/
total 28
-rw-------. 1 root root  703 Sep 22 00:40 config.json
drwx------. 5 root root 4096 Sep 22 00:40 databases
drwxr-xr-x. 2 root root 4096 Sep 22 00:40 download_binaries
drwxr-xr-x. 2 root root 4096 Sep 22 00:40 download_intel
drwxr-xr-x. 2 root root 4096 Sep 22 00:40 exec
drwxr-xr-x. 2 root root 4096 Sep 22 00:40 intel
drwx------. 2 root root 4096 Sep 22 00:40 log
  8. Go to /rw/config/ and make sure that qubes-bind-dirs.d is there (-p is harmless if it already exists)
$ cd /rw/config
$ sudo mkdir -p qubes-bind-dirs.d
$ cd qubes-bind-dirs.d
  9. Make/edit the 50-user.conf file
$ sudo nano 50-user.conf
  10. Inside the file, type
binds+=('/var/lib/portmaster')
  11. Restart the appVM

That’s it.
Now you can change portmaster settings in the appVM (or in a disposable template - same routine).

PS: I don’t have any Debian, but if it uses systemd then the procedure is the same, except you download the .deb file and install it with sudo apt install ./file.deb

PS2: when configuring Safing Portmaster, don’t enable the SPN module - it’s for paying customers only and in the free version will only cause you trouble.
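The bind-dirs steps above can be collapsed into one idempotent script. This is an added example, not part of the post or of Portmaster: it seeds the persistent copy with `cp -a` (so the root-owned 0600 config.json keeps its ownership and mode), registers the path in 50-user.conf only if that exact line is not already there, and never overwrites a persistent copy that already exists, so re-running it after you have changed settings in the appVM is safe. It takes any list of directories, which also covers the extra /usr/lib/portmaster path mentioned later in this thread. The `PREFIX` variable is an assumption added for testing against a scratch tree; it is empty on a real VM.

```shell
#!/bin/sh
# Added example (not from the post): make Portmaster directories persistent
# in a Qubes appVM via /rw/bind-dirs. Run as root inside the appVM, e.g.
#   sudo sh setup-portmaster-binds.sh /var/lib/portmaster
# PREFIX is an assumption for testing against a scratch tree; leave it empty
# on a real VM so paths resolve under /.
set -eu

PREFIX="${PREFIX:-}"

# Make DIR persistent: copy its current contents into /rw/bind-dirs, keeping
# ownership and modes, and register the path in 50-user.conf exactly once.
persist_dir() {
    dir="$1"                                    # e.g. /var/lib/portmaster
    src="$PREFIX$dir"
    dst="$PREFIX/rw/bind-dirs$dir"
    conf_dir="$PREFIX/rw/config/qubes-bind-dirs.d"
    conf="$conf_dir/50-user.conf"
    line="binds+=( '$dir' )"

    mkdir -p "$(dirname "$dst")" "$conf_dir"

    # Seed the persistent copy only when it does not exist yet: a second run
    # must not clobber settings already changed in the appVM.
    if [ ! -d "$dst" ]; then
        cp -a "$src" "$dst"
    fi

    # Append the binds line only if it is not already present verbatim.
    touch "$conf"
    if ! grep -qxF "$line" "$conf"; then
        printf '%s\n' "$line" >> "$conf"
    fi
}

# Returns 0 when DIR is fully set up: persistent copy exists and is registered.
check_persisted() {
    dir="$1"
    [ -d "$PREFIX/rw/bind-dirs$dir" ] &&
        grep -qxF "binds+=( '$dir' )" "$PREFIX/rw/config/qubes-bind-dirs.d/50-user.conf"
}

main() {
    for d in "$@"; do
        persist_dir "$d"
        check_persisted "$d" || { echo "failed to persist $d" >&2; exit 1; }
    done
    echo "Done. Restart the appVM for bind-dirs to take effect."
}

# Only act when directories are given explicitly on the command line.
[ $# -eq 0 ] || main "$@"
```

The script only writes under /rw, so a mistake cannot damage the template; if something goes wrong, deleting /rw/bind-dirs/var/lib/portmaster and the line in 50-user.conf returns the appVM to the template's state.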


In order to mute persistent notifications from portmaster you need to add the Notification app in the appVM settings, run it and mute portmaster notifications.


Awesome guide. I missed this, but not any more.

:clap:
Thank you!

Hi, thanks for the guide.

However, I think it would be very wise to warn the community to delete the default DNS servers that Portmaster includes in its configuration from the moment of installation. All the options are free DNS servers and potentially dangerous. In fact, all public DNS servers have been or are currently being hacked with malicious traffic in some way (personal experience). I personally recommend always blocking Cloudflare (1.1.1.1) to avoid any surprises.

Only the firewall function is useful. I think it’s best to use it with blank DNS, unless you have a private and secure DNS service.

Quad9 is bad?
So ISP is better?
1.0.0.1 is bad too?

I’m using Portmaster v2 quite well with the AppVM. The only difference is that in the 50-user.conf file you need to add an extra location, as below:

binds+=( '/var/lib/portmaster/' )
binds+=( '/usr/lib/portmaster/' )

Just wanted to add that I tried to create a network qube, e.g. sys-portmaster, but it failed to capture the traffic from other qubes, just the traffic originating from within. I guess I should try routing with iptables but didn’t have time.

What do you use?

No… portmaster can’t be in another qube. It’s like another machine in another room. It doesn’t work that way. You need it in the same machine/qube that you use for networking.

Quad9 or any other domain = check the IP address on VirusTotal and look at its detection rate and history.

If you’re okay with that, it’s your choice. My opinion, as I mentioned before, using a compromised DNS is like accessing a compromised website on Windows OS.

Back in 2021, when I started using the firewall, I had several incidents. I checked all the DNS options the program had, and they all came out infected in the VirusTotal web detection. The problem escalated to the point that the developers themselves recommended removing the DNS settings and using Portmaster without DNS.

Hi Atom, is that configuration to allow program files to persist as if they were in user space?

That’s correct, otherwise on every restart you will get a freshly installed Portmaster.


That’s Portmaster v1. V2 doesn’t need that.

I disagree. Both v1 & v2 need that. Any storage outside the user dir will not be persistent, and both store rules and the DB outside the user dir.

v1

binds+=('/var/lib/portmaster')

v2

binds+=( '/var/lib/portmaster/' )
binds+=( '/usr/lib/portmaster/' )

I’ve installed Portmaster v2 in the template.
Then, opening the Qubes VMs app opens the main Portmaster app, with full access to reports and logs.
Based on Fedora, I have three VMs opening fine, with each one having the matching qube color in the system tray.

DNS can be changed to whatever you like, but the default filtering list(s) work fine.