Portmaster 1.0 released: open source application firewall
The developers of the open source application firewall Portmaster recently released version 1.0 of the program. The version introduces support for new features and improvements across the board.
I reviewed Portmaster Alpha back in May when it was released initially. Back then it was released mainly for testing and feedback purposes. The initial version displayed network connectivity information about each application and service running on the machine that Portmaster ran on.
You could allow or block connections for each application and service individually, configure outbound rules, and make use of system-wide filter lists to block advertisement, trackers and malware.
Portmaster 1.0
Portmaster 1.0 extends the functionality significantly. The free version of the program has gotten more powerful, but there are also paid versions available that extend the functionality.
Free users may download and install Portmaster, and use it without an account. The application displays a short onboarding prompt on start, which configures main features, including use of secure DNS and blocking lists.
The interface has not changed all that much at first glance. The app divides the interface into three main panes. The first sidebar pane displays program features, the second the list of programs and services identified on the system, and the third details about your selection.
If you select a program from the list, you get detailed networking information. You see the list of allowed and blocked connections, and information on each individual connection. Individual connections may be blocked and the default global parameters changed and customized for this specific application.
There is a lot to explore here, but all of that is optional. Still, you could dive in and block certain traffic for that app. Don't want it to connect to a specific domain? You can make that change effortlessly.
Tech-savvy users find advanced options everywhere in the application. For applications alone, you may switch to blocking all connections by default and allowing select ones only, blocking LAN traffic, or configuring detailed inbound or outbound rules.
A big new feature in Portmaster 1.0 is what the developer calls Side-Dash. It enables you to "easily jump between apps to investigate their connections or quickly jump to their settings".
The free version of Portmaster is a powerful application firewall. Paid plans are available, which extend the functionality and finance development of the open source application.
A core feature is SPN, which stands for Safing Private Network. It is only available in the Unlimited package and allows users to assign one or multiple identities for applications.
You may use it to assign IP addresses to individual apps. Assign a French identity to Netflix, a Canadian to Spotify, and a United States identity to your browser using the feature. It is great for unblocking geographical restrictions or enabling access to content that is limited to certain regions.
According to Portmaster's developer, SPN traffic "goes through multiple servers and is encrypted in layers"; this is similar to how Tor works, as no server has access to the device's IP address and the destination.
Closing Words
Portmaster is an excellent application firewall for Windows. The free version works well and is very powerful already; users who want to support development and/or use the advanced features that come with the paid plans get access to additional features, including SPN, which gives them more control over the IP addresses of their applications.
Now You: do you use an application firewall?
Cannot find any reliable info on Safing working with or without windows firewall. In my days, we knew that running two firewalls or two anti virus programs was a no no. Why doesn’t Safing address this elephant in the room?
Sadly, I discovered this application to be quite bloated. I wish developers would reverse this sloppiness. We require more programs like SimpleWall. Lightweight, portable, and independent of any overly complex frameworks.
I just tried this and think it’s not for me. I prefer smaller, lighter apps that are specialized. I’m not so attracted to one app that tries to do everything and then some.
Shame. Doesn’t appear to support readable themes. Y’know, for people who can’t see things on dark themes. Useless.
Would like to know how to integrate this with my Pi-hole server and have it as a network wide firewall.
Maybe this helps: https://github.com/safing/portmaster/issues/707
I’d like to know this as well.
Thank You So Much MR. Brinkmann for bringing back more ‘privacy & security’ posts.
I’ve learned a lot over the years from You and Your Compadres.
I took the time to look into Portmaster and for now I’ll stick with a de-googled = no goggle database “NetlimiterPro-V-4.0.59.0”
The NetLimiterPro is paid for and works well as a 2nd firewall, completely blocking anything one wants to.
I’ve utilized your posts on ‘Blackbird for windows’ – ‘Windows Firewall Control’ – FF51 firefox-privacy-and-security-settings – Quant9 – Ublockorigin and Your many useful writings and topics.
Once again > Thank You and Your Friends for All the useful ‘intel’
Signed 11r20 From Saint Jo, Texas
Simplewall takes less than 2MB on my disk, it better be extremely good/better to justify the 500+MB: https://i.imgur.com/NBrPynK.png
How does this compare to Comodo, which I have been using for years?
Comodo firewall hasn’t had a major update in over 18 months now. When I posted a query asking for a delivery date, all I got in response was “We’re working on it”.
I’m beginning to wonder if Comodo is capable of continuing to update and offer their internet suite.
Is this 1.0 release ready for “prime time”?
> Paid plans are available, which extend the functionality and finance development of the open source application.
PAID plans. LOL! Oh the days of using Windows and crippled “free” versions leading you to $ PAY $ for something.
Screw that.
I have firewall (netgear FVS336G) bridged to modem and firewall everything there.
OK, I did not see a link in this article so far, but the earlier link had one:
https://safing.io/
I am using, actually, COMODO Firewall. I like it because it has a decent outbound popup. I think users have become lazy compared to the past and don’t use outbound popups like they used to. Windows Firewall use encourages this laziness. Yes, I know there are pretty good front ends for the Windows Firewall. I don’t like giving that much trust to one company, though (MS in this case).
More and more software wants to phone home without you being in control, even “good” software like Brave and Macrium Reflect.
Does anyone know if Portmaster supports outbound popups? I don’t see it specifically mentioned. I like that it is open source. Obviously, some users would want to be able to turn it off.
Also, how “heavy” is it on the system? Thanks!
> Does anyone know if Portmaster supports outbound popups?
There are two options: “Prompt Desktop Notifications” and “Desktop Notifications”. They both seem to do the same thing based on the tooltip. These options are enabled by default but I haven’t seen anything coming up yet even after a few hours of use.
> Also, how “heavy” is it on the system? Thanks!
The UI is unfortunately built with Electron (but there seem to be plans to change this in the future) so it’s a little heavy. However, it is usually something you set and forget as it runs in the background, so in practice it really isn’t noticeable.
Currently it leads the process list sorted by memory consumption.
```
ps -o %mem,command xa | sort -r | awk '{print $1, $2}'
%MEM COMMAND
2.9 /opt/safing/portmaster/updates/linux_amd64/core/portmaster-core_v1-0-0
2.2 /usr/lib/firefox/firefox-bin
2.2 librewolf
2.1 firefox
2.0 /usr/bin/gnome-shell
2.0 io.elementary.appcenter
1.8 /opt/brave.com/brave/brave
1.4 /opt/vivaldi/vivaldi-bin
1.3 /usr/share/librewolf/librewolf
1.2 /opt/safing/portmaster/updates/linux_amd64/app/portmaster-app_v0-2-5/portmaster-app_v0-2-5
1.2 /home/thebrowser/.steam/debian-installation/ubuntu12_32/steam
```
Link is in the summary box below the article!
Can it block all connections by default like tinywall?
Yes, in prompt mode it will notify you what service or website is attempting to be accessed. It is incredible. It is feature packed once you get used to it.
I wonder if the paid-for add-ons are also open source and open to inspection. Given that this program can run at kernel level it has ultimate ability to do a lot of mischief if it wanted to.
The same issue holds for any program that allows software to be run under the aegis of the parent’s permissions.
Looks interesting, tho. I’ll compare against my Glasswire installation (not open source.)
I wanted to give this a try to see how it compares to Simplewall but it looks like it’s made in Electron, so it’s a no from me. The good thing is the devs are aware Electron is crap and might ditch it in the future.
Good thing is that it supports [at least the v1.0] Windows 7/8.1 albeit without desktop notifications.
Did I mention Windows 7 forever?
Unfortunately, Chrome is dropping Windows 7 and 8 support in 2023. That’s gonna affect a hell of a lot of applications. Electron, and Chromium Embedded Framework. That includes Steam, and every other game launcher, other web browsers.
With pc parts being really cheap right now my next machine won’t be windows 7.
I should say applications with “forced updates”; that means all game launchers and other web connected apps would be affected. You could run offline apps without updating indefinitely. My win 7 install is basically a snapshot in history because I never update anything except for Firefox which Mozilla has no plans to drop support. F&%^ Google for the thousandth time
I’ve been waiting a long time for this update. Last time I tested it, still in beta, there were some significant issues causing loss of connectivity and random crashes. Hopefully these are all gone by now.
Does it have a feature like Glasswire where it monitors how much data has been downloaded by each app/process?
I’ve been using GlassWire since 2015, currently the Elite release on three Win10 and two Win7 systems.
A pretty GUI is the only similarity Portmaster has with GlassWire. GW has a simple on-off toggle for executables’ block or allow in the firewall, no roll your own rules other than to create profiles, each having their own set of allow/blocks.
GW has Ethernet and Wi-Fi monitoring and security features unique unto itself, some mirroring HIPS and IDS functionality. Go to GW’s home page and read “Features” and “Security.”
Once GW’s trial expires, it operates in free mode which is detailed in Help > FAQ which is described under the third question.
All that said, Portmaster is quite impressive.
I forgot to mention, GW writes in Windows Defender Firewall an in and out rule for each exe in this format:
{GlassWire.out.app_118642159.profile_1.mode_2}
In the GW Firewall GUI, when one hits the on/off toggle to off, all GW rules can be disabled if deemed necessary.
It doesn’t look like it does, only the number of connections, which you can filter based on many criteria including the program/app, but not the total amount of data transmitted. However, I can see this feature implemented in the future as it’s already monitoring the network traffic anyway.
Is it an interface to Windows Firewall, or do they try to reinvent the wheel?
No, it’s much more powerful and feature-rich than that:
> “Portmaster on the other hand uses the Windows Filtering Platform (WFP) in kernel-space mode. This means that it has its own kernel extension with custom logic. This kernel extension sees every network packet that goes in or out of the device. The Portmaster can analyze the packet data to extract information from it, such as domain names and encryption settings of HTTPS connections. As a result it can make a lot of smart decisions.
> In order to give you an overview of what is happening on your device, the Portmaster directly feeds the raw network data into its Network monitor, showing you what your network has been up to within the last 10 minutes.”
Source: https://safing.io/blog/2022/04/11/portmaster-vs-simplewall/