The Portmaster: application firewall for Windows and Linux users

Here I present Safing Portmaster:

There are precompiled binaries for Windows, Fedora and Ubuntu.

“The Portmaster” is a (partly) open source application firewall which allows per-app control and monitoring of in/outbound connections. The Portmaster also integrates hostname blocking (with blocklists similar to uBlock Origin), and provides a GUI to configure a custom DNS servers (supporting DNS over TLS).

I find the free version of this application to be very usable once you get the hang of configuration. It’s also very useful on Windows machines for blocking telemetry, if you’re too lazy to go the group policy route.



Which part of it is not open source?
It describes itself as:

Portmaster is a free and open-source application firewall […]

I tried to search the homepage provided by you, but couldn’t find any information regarding non open source parts…

While I do see a use case for it under Windows as a quick setup jack-of-various-trades solution for users who seek a privacy-friendly solution without the need of a thorough initial configuration and are willing to pay for that service, I can’t imagine any use for this under linux, due to the lack of “uncontrollably phoning home” applications who would require an application-based approach.
The open source nature of linux applications leads to them being replaced by alternatives providing the same or similar functionality without such unwanted behaviour, by a fork if need be, or omitted completely in case of lacking alternatives which meet those requirements.

It’s not a matter of lazyness. Most Windows 10 Editions (except Education and Enterprise) simply don’t allow you to switch off telemetry completely, even with group policies. And even if you are lazy, there are scripts available you can download and execute to automate that process to the level your edition allows. To prevent the remaining amount of telemetry to be leaked to microsoft, those scripts edit your hosts file to block microsoft-servers at the dns level.

I personally use the provided kernel based firewall for Linux, and Tinywall for Windows. Both are (completely) open source, resource friendly and the latter is secure by default, providing an easy process of configuration, which might only be bit tedious right after install until you configured the rules for your mostly used programs.


Awesome that you posted this. I just switched today to Portmaster from Simplewall. The odds of us both running into on the same day. Small world.

Anyway, SImplewall is a good solution as well, BUT I do like how Portmaster is a kernel extension, which gives it to everything and far more information. It does have some funky behavior with WSL though, but there are solutions for it.

I find that just manually adding a nameserver is the best way to handle it though.

Anyway, I am really happy with it so far. I would recommend that if you can afford it that you buy a subscription. The more popular things like this are perhaps the more Microsoft will get the hint that exploiting your paying customers is just not cool or the way to run a business.

Exactly. I believe they are fully open source.

1 Like

Firefox does some telemetry, even on Linux. There may be a way to prevent this completely in about:config but I have not seen it. There is also things such as VSCode (don’t laugh!) on Linux (VSCodium as an alternative of course)

The better use case is for Windows, although it is an interesting toy under Linux. Of course one could get the same diagnostic info with netstat or similar.

While the things you say in your post are true in a practical sense - you are describing the reality of “phoning home” and other malicious software practices on Linux, open source is not a panacea. Just because someone makes source code available does not mean that it is secure or safe to run. Therefore I do not subscribe to the ideology that Linux or any other system is safe by default.

Anyway, this is not necessarily a “serious” security application, but I think it is interesting especially for technically minded users or hobbyists.

On Linux I would probably just use OpenSnitch. If you can control application access you pretty much control your privacy.

I was impressed that they have Portmaster on Linux as well. I wonder how much is different under the hood as the network stacks between the two OSes are pretty different.

1 Like

I didn’t look at the source but I have a feeling they are both electron apps for the interface.

If you value your privacy, Firefox is indeed a no-go. The first thing I’d do on a freshly installed linux system is to install the tor-browser using the installer provided by the distro’s package manager, then start it to download and install the currently most privacy-friendly non-tor browser, the Mullvad Browser.

1 Like

Portmaster’s GUI is currently Electron based, but they have said publicly that they are working to move away from it. Simplewalls interface is not electron based, and OpenSnitch’s GUI is python based.

But these are just the front ends. They have nothing to do with the guts of the program working and blocking traffic.

1 Like

Interesting. I had not considered forks of Firefox (is that correct?). I guess I kind of struggle with not supporting FF directly because if they fold and the community does not keep up development of the engine (so that it becomes outdated or otherwise insecure), we will have a Google-opoly of what can or cannot be viewed on the internet.

Seems it uses iptables and nfqueue for Linux.

1 Like

Nothing is 100% safe by default, that includes open source software. Linux is just easier to audit by design, because the tools needed to do so are readily available. And once you spot a privacy breach, open source enables you to pinpoint it and, if you feel qualified to do so, provide a fix for it.

1 Like

Yes, that’s correct. Btw, another throughly investigated privacy-friendly Firefox fork is LibreWolf.
If you need a privacy-friendly Chrome-based browser, there’s just ungoogled Chromium.

So it’s just a GUI and configuration helper for the kernel-based filter. Well, I guess I’ll give it a try in a vm then. But for the Windows-version I dislike the fact, that there is no offline-installer available and TinyWall tends to all my needs, as I do use an AdguardHome container on a raspi for dns security and filtering.

Used to use it as well but development has been discontinued. Serious bummer but such is life.

Thanks for the info. This hasn’t been mentioned on their website, only on their github. But as long as I haven’t heard of any serious security breaches or incompitibilities with Windows 11, I’ll continue to use it, but will keep Portmaster in mind, in case I need to switch.
Nevertheless, as I usually do the initial setup of my windows installations without internet access to prevent any leakage until the firewall and security setup is active, I do require an offline installer though.

One other thing I wanted to comment on here is how Safing handles subscriptions. If you get a subscription they allow you to use it simultaneously across 5 devices. So not only do you get to help support the company, but you are getting those paid features on 5 different machines.

Pretty cool.

1 Like

Beside the SPN for the Pro subscribers, according to their comparison, most paid features haven’t been implemented yet though…

That is true, but all the functionality that Simplewall has is already implemented. The features they have coming up seem like they will be useful. In general the way the software is written there is just a lot of powerful flexibility here.

Wow, thanks for sharing! This is pretty slick looking and very detailed which is great. usually all that info provided by this tool would require several commands and tools, but this is very nicely structured and seems simple to use.

1 Like

Portmaster got tested by a german tech site. Unfortuanetly, the article is behind a paywall:

In our everyday test lasting several weeks, Portmaster performed well, filtered reliably, and only had a few false positives. We only used the free version.

1 Like

I have been using it for the past 2 weeks. I have really customized my instance, but I have to say that I really think Safing has knocked this out of the park and continues to improve things. I switched all to prompt because I like how Portmaster breaks out the actual address that the software is attempting to connect to. This allows you to block some things for a program but allow other things. This kind of granular control is what I love.

You get good graphs and feedback about your traffic.

I really like that the programs engine is integrated into the windows kernel. That gives it access to things that programs in userland will not get.

I particularly like the way it handles DNS. You can add your own if you host Pi-hole, for example, or use their defaults which are also really good. It allows you to stack them also. So it will try your pi-hole first, but then fall back to something else if it can’t access it.

You would be surprised just how many programs are actually reaching out and phoning home. Even ones that don’t need network access at all.

I have Portmaster running on all of my Windows machines.