Portmaster is a free, open-source application firewall from Safing that monitors every network connection made on your computer and lets you block or allow them per application. Unlike the built-in Windows Firewall (which is mainly outbound-permissive) or UFW on Linux (which is port-based), Portmaster shows you exactly which application is making a connection, where it’s going, and gives you granular control over each one. It also integrates DNS filtering similar to Pi-hole, blocking trackers and ads system-wide.
Why Use an Application Firewall?
Most users assume that if they haven’t installed anything suspicious, their computer only contacts “safe” services. In reality, even legitimate software often makes connections you’d prefer to block:
- Telemetry — Windows, Office, Adobe, and many apps phone home with usage data
- Ads and trackers — game launchers, media players, and utilities often embed ad networks
- Unnecessary cloud features — apps syncing data you didn’t ask to sync
- Background update checks — apps constantly polling servers even when idle
Portmaster lets you see and control all of this.
Installing Portmaster
Windows
Download the installer from https://safing.io/portmaster/. Run the installer — it installs a kernel-level network driver and a background service.
After installation, Portmaster starts automatically and its icon appears in the system tray.
Note: Portmaster operates at the kernel level on Windows. On first launch it may ask to configure your DNS settings — allow this.
Linux (Debian/Ubuntu)
```bash
# Download the latest .deb package
wget https://updates.safing.io/latest/linux_amd64/packages/portmaster-installer.deb
# Install
sudo dpkg -i portmaster-installer.deb
sudo apt-get install -f
```
Or via their APT repository:
```bash
curl -fsSL https://updates.safing.io/latest/linux_amd64/packages/SIGN.key | sudo gpg --dearmor -o /usr/share/keyrings/safing-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/safing-archive-keyring.gpg] https://updates.safing.io/linux/apt stable main" | sudo tee /etc/apt/sources.list.d/safing.list
sudo apt update && sudo apt install portmaster
```
Enable and start the service:
```bash
sudo systemctl enable portmaster
sudo systemctl start portmaster
```
Access the UI via the desktop app or browser at http://127.0.0.1:817.
Understanding the Interface
The Portmaster dashboard shows:
- Monitor — live feed of all connections across all apps with allow/block status
- App Settings — per-application rules and connection history
- Global Settings — system-wide DNS and firewall rules
- Privacy Filter — built-in block lists for trackers, malware, and ads
The Connection Monitor
The Monitor view is Portmaster’s most powerful feature. Each row shows:
- Application name (with icon)
- Connection direction (outbound/inbound)
- Destination IP or domain
- Status (allowed/blocked)
- Why it was allowed/blocked (which rule triggered)
Click any connection for full details including port numbers, protocol, geolocation, and WHOIS information.
Configuring DNS-over-TLS
Portmaster intercepts and handles your DNS queries through its own resolver, supporting:
- DNS-over-TLS (DoT)
- DNS-over-HTTPS (DoH)
- Plain DNS (if you prefer)
Go to Settings → DNS → Select your preferred resolver. Built-in options include:
- Cloudflare (1.1.1.1) — DoT/DoH
- Quad9 — DoT/DoH with malware blocking
- Mullvad DNS — privacy-focused, no logging
You can also add custom resolvers.
Setting Up Privacy Filters (Block Lists)
Under Privacy Filter, enable the categories you want blocked system-wide:
| Filter | What It Blocks |
|---|---|
| Ads | Ad networks and advertising domains |
| Trackers | Analytics and user tracking domains |
| Malware | Known malware C2 domains |
| NSFW | Adult content (optional) |
These work similarly to Pi-hole — DNS queries for blocked domains return NXDOMAIN, preventing connections. Portmaster includes curated block lists and updates them automatically.
Per-Application Rules
The most powerful feature is setting rules per application. Click any app in the app list:
App-Level Settings
- Default Action: Allow all / Block all / Use global settings
- Block Internet Access: Completely cut off an app from all network access
- Block Incoming Connections: Prevent other devices from connecting to this app
- Force DNS via Portmaster: Ensure the app uses Portmaster’s DNS (prevents DNS leaks from apps using hardcoded servers)
Creating Per-App Rules
Click an app → Rules → Add Rule:
- Block a specific domain: *.telemetry.example.com → Block
- Block a subnet: 10.0.0.0/8 → Block
- Allow only specific IPs: 142.250.0.0/15 → Allow (e.g., only Google’s ranges)
Example: Blocking Windows Telemetry
In the app list, find svchost.exe and look at its connections. You’ll likely see connections to Microsoft’s telemetry domains (vortex.data.microsoft.com, telemetry.microsoft.com, etc.). Add block rules for these domains specifically rather than blocking all of svchost (which would break Windows Update and other legitimate functions).
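The rule types above and the svchost.exe case can be modelled in a few lines to see why targeted rules are safer than a blanket block. This is an added sketch, not Portmaster's code: it assumes rules are checked top to bottom with the first match deciding and that a `*.` prefix covers subdomains only; eu.telemetry.microsoft.com, update.example.com and the IP addresses are constructed sample values.

```python
import ipaddress

# Per-app rules for svchost.exe, checked top to bottom (assumed first match wins).
SVCHOST_RULES = [
    ("vortex.data.microsoft.com", "block"),
    ("telemetry.microsoft.com", "block"),
    ("*.telemetry.microsoft.com", "block"),
    ("10.0.0.0/8", "block"),
]

# Constructed sample connections as (domain, ip); IPs are documentation ranges.
CONNECTIONS = [
    ("vortex.data.microsoft.com", "203.0.113.10"),
    ("eu.telemetry.microsoft.com", "203.0.113.11"),
    ("update.example.com", "198.51.100.7"),
    (None, "10.1.2.3"),
]


def rule_matches(pattern, domain, ip):
    """Return True if a single rule pattern matches the destination."""
    try:
        network = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        network = None  # not an IP or CIDR, so treat it as a domain pattern
    if network is not None:
        return ip is not None and ipaddress.ip_address(ip) in network
    if domain is None:
        return False
    domain = domain.lower().rstrip(".")
    if pattern.startswith("*."):
        # Assumption: "*.x" matches subdomains of x but not x itself.
        return domain.endswith(pattern[1:].lower())
    return domain == pattern.lower()


def decide(rules, default, domain=None, ip=None):
    """Return (action, reason), mirroring the Monitor's "why" column."""
    for pattern, action in rules:
        if rule_matches(pattern, domain, ip):
            return action, pattern
    return default, "default action"


if __name__ == "__main__":
    for domain, ip in CONNECTIONS:
        action, why = decide(SVCHOST_RULES, "allow", domain, ip)
        print(f"{domain or ip:30} {action:6} ({why})")
```

Under the subdomain-only assumption, the bare telemetry.microsoft.com needs its own rule next to the wildcard, which is why both appear in the list.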
Global Rules
Settings → Rules → Global Rules lets you define rules that apply across all applications:
- Block all outbound connections to known ad networks globally
- Block specific countries (geo-based blocking)
- Force all DNS through Portmaster’s resolver
Safe Mode and Prompt Mode
- Prompt Mode: Portmaster asks you what to do for each new connection — like Little Snitch on macOS. Excellent for building granular rules but requires interactive attention
- Safe Mode: Applies built-in privacy filters automatically with minimal prompting — a good default for most users
- Auto Pilot: Fully automated; allows most connections and blocks obvious threats
Start with Safe Mode for a balance of privacy and usability.
Portmaster vs. Alternatives
| Tool | Platform | Approach | Cost |
|---|---|---|---|
| Portmaster | Win/Linux | App-level + DNS | Free (SPN paid add-on) |
| Little Snitch | macOS | App-level | $99 one-time |
| OpenSnitch | Linux | App-level | Free |
| Pi-hole | Network-level | DNS only | Free (needs hardware) |
| Windows Firewall | Windows | Port/IP rules | Free |
Portmaster is unique in combining per-app firewall rules with DNS filtering in a single free tool. The optional SPN (Safing Private Network) add-on (~€9.90/month) routes traffic through Safing’s network for additional anonymity, similar to a VPN.
For anyone serious about understanding what their computer does on the network, Portmaster is one of the most illuminating tools you can install.