/bugtracker

Consider bundling NetGuard instead of Privacy-Friendly Net Monitor? #598

Closed
securesearch opened this Issue Feb 21, 2017 · 2 comments

Comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@securesearch @thestinger
@securesearch

securesearch commented Feb 21, 2017

I noticed you bundled SECUSO (Darmstadt)'s Privacy-Friendly Net Monitor in a recent release, which is great. Have you checked out Marcel Bokhorst's NetGuard? https://github.com/M66B/NetGuard

It is a pretty comprehensive application layer firewall (incl system applications) using the VPN API.

Supports blocking ICMP, TCP, UDP on IPv4/v6.
Separate DNS and allowed/blocked logs
Custom Hosts File which also blocks DNS requests (firewall itself does leak DNS requests)

He doesn't support the F-Droid builds since they don't support reproducible builds, which sadly means they are usually very out of date, but he does release the application bundles on Github regularly.

Documentation suggests NetGuard includes Google ads, but having used the Github releases for a while, and not seen any ads or unknown network requests from the phone during packet captures, I can only assume the ads are only in the Play Store releases.
@thestinger

This comment has been minimized.

Show comment Hide comment
@thestinger

thestinger Feb 21, 2017

Contributor

Net Monitor is bundled because it now needs a special SELinux domain in order to access /proc/net. NetGuard is not a replacement for it, and NetGuard is not the right way to approach implementing firewall features in CopperheadOS. It's a hack depending on the VPN service conflicting with other real VPN services which doesn't make sense in CopperheadOS where it can be properly implemented with integration into the OS.
Contributor

thestinger commented Feb 21, 2017

Net Monitor is bundled because it now needs a special SELinux domain in order to access /proc/net. NetGuard is not a replacement for it, and NetGuard is not the right way to approach implementing firewall features in CopperheadOS. It's a hack depending on the VPN service conflicting with other real VPN services which doesn't make sense in CopperheadOS where it can be properly implemented with integration into the OS.

@thestinger thestinger closed this Feb 21, 2017

@thestinger

This comment has been minimized.

Show comment Hide comment
@thestinger

thestinger Feb 21, 2017

Contributor

If people want to work on implementing proper firewall configuration support, that's welcome. CopperheadOS isn't the place for hacks and workarounds with major security and usability limitations though.
Contributor

thestinger commented Feb 21, 2017

If people want to work on implementing proper firewall configuration support, that's welcome. CopperheadOS isn't the place for hacks and workarounds with major security and usability limitations though.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment