Raphty:
Hey, super important conversation you are having here!
I think you both have points and are talking somewhat next to each other.
What @Average_Joe was asking is about an app doing malicious things, not the OS. I agree with @HauntSanctuary that any application including Portmaster (which uses the kernel but still runs in the OS) is limited in what the OS could do. In our case MS would have to make changes in the Kernel to bypass Portmaster, but because they are in control of the Kernel, we can't stop them if they do. So what Haunt is saying is true, but what is missing in his explanation is 1. @Average_Joe's needs - he is looking to restrict a specific app, which is super hard to do on the network level because you have lost the information about which app is making the connection, and 2. blocking DoH is also useless when the malicious app is using a p2p connection and/or just uses a domain not labeled as bad in your Pi-hole… and because you don't know what app the request is coming from in Pi-hole you can't investigate properly.
I hope this helped.
Again, both are right, but you need to look at the needs; if someone does not want to switch OS then arguing that you can't trust the OS does not help. But it helps to keep in mind that the OS vendor is providing the framework any application is running in, and any app running in this framework can potentially be bypassed by the OS itself. And network firewalls are nice, but they are super limited in what they can do, and Pi-hole is basically dependent on devices and apps sending it the requests, so a Pi-hole on its own would be 100% useless in the case of even a mild malicious actor (any app with its own DNS) - any PC with Portmaster installed is hidden from Pi-hole because Portmaster does the DNS resolving.
I appreciate your reply!
I think you’ve been the only person to understand what I’m trying to say in regard to using a dedicated Linux firewall distribution that’ll protect a user’s home network, but this falls apart when there’s an App on a Windows PC that’s transmitting data about the user back to the malicious author on the Internet. It could be something as benign as an app for reading PDF files that brings the user’s security crashing down despite having a dedicated Linux firewall distribution.
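An added example, not code from either poster or from Portmaster, to make the point in the two posts above concrete: a network firewall or Pi-hole only ever sees a 5-tuple (addresses and ports), so two different programs talking to the same endpoint look identical to it, while a host-level tool can read the kernel's connection table and map each socket back to its owning process. The script parses `/proc/net/tcp` (the Linux kernel's own export of the TCP table) and joins it with a socket-inode-to-process map; the sample table, the process names `browser` and `pdfreader`, the documentation-range IPs and the policy are all constructed for illustration.

```python
import os
import socket
import struct
from dataclasses import dataclass

# Constructed sample in /proc/net/tcp layout (hex little-endian IPv4, hex port).
# Rows 0 and 1 go to the same remote endpoint; only the inode differs.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A01A8C0:C3A4 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 40001 1 0000000000000000 20 4 30 10 -1
   1: 0A01A8C0:C3A5 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 40002 1 0000000000000000 20 4 30 10 -1
   2: 0A01A8C0:C3A6 0201A8C0:0035 01 00000000:00000000 00:00000000 00000000  1000        0 40003 1 0000000000000000 20 4 30 10 -1
"""

# Constructed: which process owns which socket inode (hypothetical names).
SAMPLE_INODE_TO_APP = {40001: "browser", 40002: "pdfreader", 40003: "browser"}

# Constructed per-app policy: set of allowed (remote_ip, remote_port), or
# an empty set for "this app gets no network at all".
SAMPLE_POLICY = {
    "browser": {("203.0.113.10", 443), ("192.168.1.2", 53)},
    "pdfreader": set(),
}


@dataclass(frozen=True)
class Connection:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    inode: int


def _decode_endpoint(field: str):
    """Turn '0A7100CB:01BB' into ('203.0.113.10', 443)."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text: str):
    """Parse the /proc/net/tcp table; skip the header line."""
    conns = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 10:
            continue
        lip, lport = _decode_endpoint(parts[1])
        rip, rport = _decode_endpoint(parts[2])
        conns.append(Connection(lip, lport, rip, rport, int(parts[9])))
    return conns


def network_view(conns):
    """What a network firewall / Pi-hole can key on: remote endpoints only."""
    return {(c.remote_ip, c.remote_port) for c in conns}


def host_view(conns, inode_to_app, policy):
    """Attribute each socket to its process and apply the per-app policy."""
    verdicts = []
    for c in conns:
        app = inode_to_app.get(c.inode, "unknown")
        allowed = policy.get(app, set())
        verdict = "allow" if (c.remote_ip, c.remote_port) in allowed else "block"
        verdicts.append((app, c.remote_ip, c.remote_port, verdict))
    return verdicts


def live_inode_to_app():
    """On a real Linux host, map socket inodes to process names via /proc/<pid>/fd."""
    mapping = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    mapping[int(target[8:-1])] = comm
        except OSError:
            continue  # process exited or not ours to inspect
    return mapping


if __name__ == "__main__":
    conns = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print("network-level view:", network_view(conns))
    for row in host_view(conns, SAMPLE_INODE_TO_APP, SAMPLE_POLICY):
        print("host-level view:", row)
```

In the sample, the network view collapses three sockets into two endpoints and cannot say which one belongs to the PDF reader; the host view blocks the reader's connection while leaving the browser's identical-looking connection alone. The same applies to DNS: a resolver such as Pi-hole only sees the queries that reach it, so a program resolving names itself (DoH, or its own resolver) never appears in its logs, whereas the host view still sees the outgoing socket and who owns it.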