Safing Portmaster - A Comprehensive Privacy Focused and Security Firewall

· 9 min read
Safing Portmaster - A Comprehensive Privacy Focused and Security Firewall

Safing Portmaster is an open-source network firewall and monitoring application that aims to provide users with privacy, security and control over their online activity. Portmaster was created as a simple yet powerful tool to help users take back control of their network traffic. It achieves this through network visibility, auto-blocking of threats, privacy-focused controls and customization options.

The Need for Portmaster

Users face an almost constant barrage of privacy and security threats from companies collecting their data, hackers exploiting vulnerabilities, and governments conducting mass surveillance. Many people are understandably concerned about protecting themselves but find existing security tools complex to set up and maintain.

Safing Portmaster aims to address this issue by providing an easy to use firewall that protects users out of the box with intelligent defaults while still giving power users full control. Its goal is to bring security, privacy and awareness to everyday users without overcomplicating things.

At its core, Portmaster takes a host-based approach which means it monitors and controls network activity directly on the device it is installed rather than remotely like a VPN. This gives it deep insight into applications and processes making connections as well as granular control capabilities.

Some key problems Portmaster solves include:

  • Lack of visibility - Most users have no idea what data their devices are sending online making them vulnerable. Portmaster provides a simple interface to monitor all network activity.
  • Difficult configuration - Security tools often require advanced technical knowledge that average users lack. Portmaster is designed to be easy to set up and understandable for all.
  • Inability to block trackers/ads - Even privacy-focused browsers cannot block third-party content. Portmaster automatically filters this system-wide with curated blocklists.
  • Unsecured DNS queries - Default DNS resolution leaves lookups vulnerable to snooping. Portmaster routes lookups through encrypted providers like Cloudflare.
  • No application isolation - Apps have access to entire system. Portmaster allows restricting internet/LAN access per program.
  • Need for custom rules - Every system has different needs. Portmaster empowers users to allow/block exactly what they want.

Let's explore its key features and configuration tools in more detail.

Network Activity Monitoring

One of Portmaster's most useful features is its network activity monitoring which provides visibility into everything happening on the device. Once Portmaster is installed, it runs in the background and monitors all connections established by applications.

The main 'Network Activity' screen aggregates this data and presents useful insights. It shows total and recent connections made by processes along with graphs of connection trends over time. Drilling into any process allows viewing full details on each connection like the domain, IP address, protocol, direction, encryption status etc.

This level of transparency helps users understand what information their devices are sending online and detect suspicious behavior. It also equips them to make informed decisions on what programs can access the internet/LAN.

Furthermore, Portmaster simplifies more technical network concepts. Unknown domains are linked to IP geolocation databases to detect their country. ASN (Autonomous System Number) information provides visibility into who owns each IP.

Connection data can also be filtered by domains, countries, IPs and other attributes for more targeted analysis. The wealth of context Portmaster provides outshines most stock firewall UIs, empowering both beginners and professionals alike.

Automatic Ad/Tracker blocking

One of the best things about Portmaster is its automatic blocking capabilities for ads and other privacy-invasive content. By default, it uses curated filter lists - specifically EasyList, EasyPrivacy and Malware domains - to block common trackers, ads, crypto-miners and malware hosts system-wide.

This provides a clean baseline level of protection for users without any configurations required. Since these lists are also used in popular browsers and plugins like uBlock Origin, the blocks are regularly updated to stay effective.

The auto-blocking occurs transparently in the background so programs requesting blocked resources simply fail to load the malicious payloads without users needing awareness. Portmaster excels at this set-it-and-forget-it level of privacy that impacts virtually all programs equally.

These default blocklists can of course be customized too. Users can select alternate lists, enable/disable categories or blacklist individual items. But Portmaster understands casual users don't want complex blocking rules, providing a seamless ad-free experience by default.

Encrypted DNS via Privacy Tools

A core privacy technique used by Portmaster is its routing of all DNS lookups through encrypted resolvers. By default, it forwards DNS queries to providers like Cloudflare and Quad9 that encrypt the requests for enhanced anonymity and security.

This binding of Portmaster to system DNS effectively replaces the resolver, ensuring lookups are only exposed to the selected privacy-focused service instead of default resolvers. It comprehensively protects the device's DNS activity, a frequent source of privacy leaks. It should be noted that you cannot use Portmaster, with custom DNS options such as NextDNS together since they both work by replacing the system DNS resolver.

If desired, users can select alternate DNS services like DNS over HTTPS providers or set custom resolvers such as NextDNS. But the encrypted defaults ensure queries are private with minimal configuration burden again. Combined with the ad-blocking, this automatic private DNS is a powerful "set and forget" feature.

Per-Application Firewall Controls

While the defaults provide a solid baseline, Portmaster truly shines when delving into its powerful per-application rules and configurations. The main interface allows filtering connections by process, similar to Windows' task manager, to isolate each application's behavior.

From here, granular controls are available like selectively blocking internet or LAN access, preventing incoming/outgoing connections, customizing filter lists and more on a per-app basis through an easy to understand UI. Power users can thus create tailored policies for every program.

Common uses include blocking browsers or torrent programs from communicating on LAN to isolate them. Or restricting large uploaders from internet access. Users can even selectively apply or exempt certain categories like ads or trackers on a program-by-program level.

This degree of isolation and control drastically improves privacy and security by constraining each app's potential impact, undoing the "all apps have full access" model of general systems. Even advanced users appreciate not having to manually configure complicated firewall rules themselves.

Custom Rules and Scripting

Of course, for the most powerful functionality, Portmaster offers a fullRULES section to define custom firewall policies. Here, rules use a JSON format to allow/block specific countries, IP ranges, FQDNs, ports and more through rule priorities, conditions and actions.

While a power-user feature, Portmaster helps simplify authoring by automatically generating rule templates based on connection logs. It's also possible to run Lua scripts that extend rule processing, enabling experts to integrate complex logic.

Despite the strong defaults and per-app options, Portmaster understands every user has unique requirements. The custom rules ensure it can emulate the full capabilities of other firewalls while removing complexity barriers for mainstream adoption. Nothing is out of reach for those who wish to dive deeper into configurations.

Privacy Network Subscription

For even stronger anonymity, Portmaster offers an optional paid "Privacy Network" or SPN (Safing Privacy Network) subscription. When enabled, all traffic is routed through Safing's global onion routing infrastructure for additional protection.

This works similarly to a VPN or Tor by randomizing routes and encrypting traffic, but Portmaster is able to bridge unencrypted connections from applications with onion streams seamlessly. As a result, SPN provides enhanced privacy without needing to set up a separate client.

The infrastructure uses a decentralized design spread across peered servers owned by different operators. So unlike centralized VPNs, no single entity can monitor user activity end-to-end. It provides a simple solution to gain further anonymity layered on top of Portmaster's existing controls.

Installation of Portmaster and Operating Systems

Portmaster is available as a free download for both Linux and Windows systems from the official Safing website. Installation is incredibly simple - just run the installer package and Portmaster runs its setup routine to start monitoring networks.

For Linux specifically, .deb and .rpm packages are provided for most major distributions so it can be easily installed via their native package managers. The app remains up-to-date through these repositories too.

Once installed, Portmaster runs silently in the system tray on Windows or notification area on Linux. It does not require manual launching and simply binds to Port 53 to redirect DNS queries. Users can access interface at any time from the system tray icon.

Under the hood, Portmaster leverages various operating system integrations. On Windows it uses WinDivert, on Linux it utilizes Netfilter Queue. But as an end-user, installation is plug-and-play via tried-and-tested packaging formats for convenience.

Usability and Documentation

Community Wiki

Usability is a key priority for Portmaster given its goal of bringing privacy to mainstream consumers. The interface strives to present an uncluttered, minimalist view with large readable fonts and intuitive navigation.

Concepts are explained in plain language to avoid intimidating less technical users. Simple visualizations like connection graphs enhance understanding. Everything "just works" out of the box with Portmaster handling complex tasks behind the scenes.

At the same time, versatile filtering and searching options accommodate power users looking for deeper analytics. The flexibility to switch between basic and advanced modes ensures the interface grows with users over time without overwhelming beginners.

Extensive in-app help and contextual explanations are also available at every step. But for those desiring even more knowledge, Portmaster provides thorough documentation on all major considerations.

The Safing website hosts detailed wikis, manuals and whitepapers delving into topics like:

  • Installation guides for each supported platform
  • Explanations of networking, firewall and privacy concepts
  • Step-by-step tutorials for common usage scenarios
  • Sections on configuration folders, system services etc
  • Comparison articles between Portmaster and rivals
  • Architecture overviews and technical specs

Videos, podcasts and a helpful Discord community complement the written documentation for different learning styles. Nothing is left uncovered, empowering both casual fans and the most inquisitive security enthusiasts.

Open Source Foundation

Being open source is a key tenet for Portmaster - it allows full transparency into the application's function without technical barriers. Safing openly shares development resources to invite improvements and collaboration from the wider infosec community.

This includes publishing the app's full codebase on GitHub alongside design docs, roadmaps and more. Regular releases offer ongoing transparency into development activity and intentions. The community is encouraged to inspect, comment, request and even contribute changes through optimized workflow pipelines.

Such transparency is crucial for critical systems handling sensitive data and network activity. With Portmaster, users can verify functionality for themselves without needing to trust opaque vendors - the exact code running is always inspectable. Other services pitching "security" lack this auditability.

On top of the technical advantages, open development fosters a cooperative spirit within the privacy community. By inviting participation rather than gatekeeping knowledge, Portmaster ensures it grows into the best tool possible through wider exposure to talent and ideas. Overall it is an model approach for developing user-focused security tools.

Areas for Improvement

While Portmaster is an incredibly useful firewall already, there are still enhancements that could take it to the next level:

  • Mobile Apps - Currently only available on desktop. Native mobile versions would allow filtering the always-online smartphones and tablets many rely on daily.
  • More Automation - Continue expanding automatic rulesets to cover common use cases out of the box without additional configuration.
  • Website Integrations - Integrate protective capabilities directly into browsers via extensions to filter requests beyond the network layer.
  • Easier Sharing - Simplify exporting/importing customizable rulesets to easily apply optimized configurations across multiple devices.
  • Additional Protocols - Expand filtering capabilities beyond standard TCP/IP to cover emerging technologies like QUIC and WebRTC.
  • Hardened security - Constantly improve the underlying defenses, harden app code and strengthen the privacy of any telemetry to withstand determined adversaries.


Safing Portmaster represents an important step towards bringing true network visibility, control and privacy to mainstream users. Built upon open foundations with help from independent experts, its capabilities are fully transparent and continue expanding. Whether wishing to securely explore the internet or gain technical mastery, Portmaster has flexible options to suit all skill levels through its intelligent defaults and customizations.

For any home or workstations seeking an all-in-one privacy or security solution, Portmaster is undoubtedly a top recommendation. Its blend of automatic protections, deep controls and open philosophy make for an essential desktop companion in today's digital landscape. With continuous development, its impact will only continue growing in the years ahead.

## Convertkit Newsletter