portmaster
Replace "Force Block" settings with toggleable default rules (with some augmentation)
What would you like to add or change?:
I suggest to completely get rid of the "Force Block" settings under "Network Scope" and "Connection Types". As a replacement I basically suggest to add default rules to the corresponding "Outgoing Rules" and "Incoming Rules" sections, that can be toggled on or off, but not deleted. They should be sticky at the top of the rules list, thus overrule all custom ones.
These default rules would have to be visually augmented to provide all the information from their corresponding "Force Block" settings, like a speaking description the tooltip info button.
Potentially allow to move - by disabling and cloning - a default rule to a different position (or make them available via Quick Settings, see https://github.com/safing/portmaster/issues/1280), to allow for advanced use cases (like e.g. https://github.com/safing/portmaster/issues/926).
Why do you and others need this?:
I think this change could...
- greatly simplify understanding the precedence of rules, and actually being self-explanatory due to applying normal rule precedence (compare the various explanations in the tooltips about "Force Block"s being stronger than rules).
- give a better overview over the effective ruleset, having it in a single place, and avoiding a lot of scrolling through different setting sections ("Network Scope", "Connection Types", "Rules").
- avoid some mental efforts for firewall-experienced users (even after using Portmaster for some time I still need to think twice about what "Force Block" I toggle and what I write into the rules).
- retain your original design idea of the toggling of certain rules.
- maybe even simplify internal rule evaluation by not having to evaluate any specific toggles (not familiar with your technical basis though).
If you are not averse to considering this, I might try to specify this further and create some mockups of what this could roughly look like.
we had that idea in the past, and some of the reasons we did not choose to go that route included:
- being able to force block and then change rules and then "activate" rules (I just realized that this could be done with the default network action as well or by having block * on top....)
- the trickier thing we did not want to tackle back then was: making sure Portmaster knows if this is a user changed setting or not. This is important because of the global settings, and if you change them, all app settings should change with it, except if they have been changed by the user. so having it empty makes this easy.
I agree that we can do a lot better here, I am not sure if we want to tackle this at the moment.
thanks for the suggestion!
@dhaavi I think this suggestion is a good idea (that comes up again) and we should at some point consider how we can make this change, as @c-s-n says this makes the settings overall more intuitive, and easier to learn. not everyone will read the i text.
You would treat these default rules in a special way, which goes in line with my suggestion to make them toggleable, contrary to normal rules. And this toggling could have the exact same three-state as the "Force Block" settings have now (unconfigured, enabled, disabled).
The overall behavior would be similar to the current "Force Block" toggles, but imho much better integrated.
Also, I think that migration for existing configurations should be easily doable, since all of the "Force Block" settings would get a corresponding counterpart rule.
I think I understand better now, and already have an idea... :D thank you a lot!
@dhaavi let's have a quick chat about this suggestion
I have now taken the time to create a mockup for how I think this improvement could look:
super cool mockup, I guess this will help when I go through this with Daniel and Patrick.
additional questions, you separated them, but since rules need to be in order, would you make them movable? especially the incoming rule with block * fixed on top would create a lot of trouble.
also with the toggle in green and the block in red... that looks confusing, and the rule basically has to be a block on/off, because if it would switch between allow and block it would ignore everything below. So if you allow internet, then the filter list below would not apply to any of the connections from the internet... (in your mockup you did not make that error, but for anyone reading)
An idea could be to have the quick settings above, greyed out and clearly labeled, and you can drag them down? maybe in green quick allow and in red quick block? to further differentiate them?
As initially written, this idea was based on the premise to resemble your existing "Force Block", which overrules everything else. That criterion would be fulfilled by sticky default rules.
To overcome the stickiness when wanting to use the rule with a different precedence/at a different position, I suggested to allow for cloning a default rule into a normal rule (see the copy icon in the mockup). I however agree that reordering instead of cloning would be much more flexible and easier to grasp. So, when ignoring the initial premise, i.e. if you are fine with representing your "Force Block" idea only in the initial state of the rules list, but letting experienced users reorder it as they wish, I think this would make an even better improvement.
To your other point of the rule having to be "Block on/off", I also agree that the green toggle button on a red Block rule can be confusing. Again, I tried to stick to your existing design elements, but would absolutely be in favor of a reworked toggle UX.
Quick Settings I would still see as separate to default rules, just as a simplification to "+ Add Rule".