Portmaster — Privacy-First Application Firewall for Your Desktop

Introduction

Portmaster is a free and open-source application firewall built by Safing that gives you full visibility and control over your device's network activity. It blocks ads, trackers, and malware domains at the DNS level while letting you set per-app network rules.

What Portmaster Does

• Monitors all network connections per application in real time
• Blocks ads, trackers, and malware domains using filter lists
• Enforces secure DNS (DNS-over-TLS) for all queries by default
• Allows per-app rules to permit or deny connections to specific domains or IPs
• Provides a system-wide network activity dashboard via its local UI

Architecture Overview

Portmaster operates as a local network filter at the kernel level using the NFQueue interface on Linux and the Windows Filtering Platform on Windows. All DNS queries are intercepted and resolved through encrypted DNS-over-TLS upstreams. A local REST API powers the Electron-based UI that displays connection logs and settings.

Self-Hosting & Configuration

• Install via .deb package on Debian/Ubuntu or .exe installer on Windows
• Access the dashboard at http://localhost:817 after installation
• Configure global DNS servers and filter lists in the Settings panel
• Set per-app rules by selecting any application from the network monitor
• Portmaster runs as a system service and starts automatically on boot

Key Features

• Application-level firewall with per-process connection visibility
• DNS-over-TLS by default with configurable upstream resolvers
• Integrated filter lists for ads, trackers, and malware domains
• Bandwidth and connection history with detailed logs
• Fully local operation with no cloud account required

Comparison with Similar Tools

• Pi-hole — network-wide DNS blocker on a separate device; Portmaster runs directly on your machine with per-app control
• Little Snitch — macOS application firewall; Portmaster is cross-platform and open source
• GlassWire — network monitor with freemium model; Portmaster is fully free and open source
• AdGuard Home — DNS-level network filter; Portmaster adds kernel-level per-app firewall rules
• uBlock Origin — browser-only ad blocker; Portmaster covers all applications system-wide

FAQ

Q: Does Portmaster work on macOS? A: macOS support is on the roadmap but not yet available. Currently Portmaster supports Linux and Windows.

Q: Does Portmaster slow down my internet? A: The overhead is minimal. DNS resolution through encrypted DNS may add a few milliseconds on the first query, but results are cached locally.

Q: Can I use Portmaster alongside a VPN? A: Yes. Portmaster can work alongside most VPN clients. Safing also offers an optional SPN (Safing Privacy Network) integration for multi-hop routing.

Q: Is Portmaster really free? A: The core application firewall and all privacy features are free and open source. Safing offers an optional paid SPN service for advanced routing.

Sources

• https://github.com/safing/portmaster
• https://docs.safing.io/