Portmaster Free Showcase

Co-founder and CCO of Safing here :wave:, I thought I’d pitch Portmaster Free for PrivacyGuides.

For Who Is Portmaster Free?

Portmaster is a privacy suite for people who want an easy solution to step up their privacy on their desktop OS.

Portmaster Free Features

  • Monitor All Network Activity
  • Automatically Block Trackers & Malware
  • Secure Your DNS Requests by Default
  • Create Your Own Rules
  • Set Global & per‑App Settings
  • Install & Forget Solution

You do many of these things in your browser; you should do them for your complete OS.

Technology Overview

  • Portmaster integrates into the network stack using nfqueue on Linux and a kernel driver (WFP) on Windows.
  • Packets are intercepted at the raw packet level - every packet is seen and can be stopped.
  • Ownership of connections is (currently) found via /proc on Linux and the IP Helper API (iphlpapi.dll) on Windows.
  • Most settings can be defined per app, which can be matched in different ways.
  • Support for special processes with weird or concealed paths/actors:
    • Snap, AppImage and Script support on Linux
    • Windows Store apps and svchost.exe system services support on Windows
  • Everything is 100% local on your device. (except the SPN, naturally)
    • Updates are fully signed and downloaded automatically.
    • Intelligence data (block lists, geoip) is downloaded and applied automatically.
  • The Portmaster Core Service runs as a system service, the UI elements (App, Notifier) run in user context.
  • The main UI still uses Electron as a wrapper :/ - but this will change in the future. You can also open the UI in the browser.

Feature: Privacy Filter

  • Define allowed network scopes: Localhost, LAN, Internet, P2P, Inbound.
  • Easy rules based on Internet entities: Domain, IP, Country and more.
  • Filter Lists block common malware, ad, tracker domains etc.

Feature: Secure DNS

  • Portmaster intercepts “astray” DNS queries and reroutes them to itself for seamless integration.
  • DNS queries are resolved by the default or configured DoT/DoH resolvers.
  • Full support for split horizon and horizon validation to defend against rebinding attacks.

Feature: Safing Privacy Network (SPN)

Further Reading

Happy to discuss & answer any questions!

5 Likes
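The /proc-based ownership lookup mentioned in the Technology Overview of the opening post, as an added example that is not part of the thread and not Portmaster's own code: it matches a packet's 4-tuple against a `/proc/net/tcp` table to get the socket inode, then finds the process holding that inode. The sample table is constructed, the function names are hypothetical, and a little-endian host is assumed.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:C350 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20002 1 0000000000000000 20 4 30 10 -1
"""

def decode_endpoint(field):
    """'0100007F:0035' -> ('127.0.0.1', 53). Assumes a little-endian host."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)

def parse_tcp_table(text):
    """Yield one dict per IPv4 TCP socket in a /proc/net/tcp dump."""
    for line in text.splitlines()[1:]:           # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        yield {"local": decode_endpoint(f[1]), "remote": decode_endpoint(f[2]),
               "state": int(f[3], 16), "uid": int(f[7]), "inode": int(f[9])}

def inode_for_connection(table, local, remote):
    """Return the socket inode of the connection matching a packet's 4-tuple."""
    for row in parse_tcp_table(table):
        if row["local"] == local and row["remote"] == remote:
            return row["inode"]
    return None

def pid_for_inode(inode, proc_root="/proc"):
    """Scan <proc_root>/<pid>/fd for a 'socket:[inode]' link and return the PID."""
    if not inode:                                # inode 0: socket has no owner left
        return None
    target = f"socket:[{inode}]"
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                          # process exited or fd dir unreadable
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(entry)
            except OSError:                      # fd closed between listdir and readlink
                continue
    return None
```

The lookup is racy by nature: a short-lived process can exit between the table read and the fd scan, and reading other users' fd directories needs root, so a `None` result has to be handled as "owner unknown" rather than treated as an error.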

I have been meaning to try Portmaster out for a while, and think it might make sense particularly related to

3 Likes

If we were to add it, we would have to figure out under which section.

2 Likes

Happy to introduce new categories for privacy software :smirk: :smile:

1 Like

It would make sense to add it in a Firewall section, along with simplewall (Windows) and LuLu and/or Little Snitch on macOS. Android and iOS equivalents could be included as well.

The ability to revoke network access to specific apps is a huge privacy improvement, IMO.

2 Likes

It would probably be related to a new Software/Firewall section.

4 Likes

Hey there, just wanted to ask if there were any updates on this. Did you have time to have a look? Do you have any thoughts? Cheers, David

1 Like

Questions for Portmaster -

  1. Benefits of using Portmaster for blocking trackers & malware vs. relying only on DNS-based blocking services (like NextDNS) or other tools like O&O ShutUp10 (for Windows OS-specific blocking)
  2. Does Portmaster work with another VPN tunnel running in parallel on the system?
  3. Is it worth the time and effort put in by a user in configuring a firewall app for keeping their data secure (also consuming some system resources in the process)? Compared to just relying on trusted software which would protect their privacy by default (for example, using open source alternatives of software and using privacy-friendly operating systems).

Personally I would like to eliminate stuff like telemetry and trackers right from the operating system itself by disabling them as much as possible, rather than rely on a firewall to block them accurately and consistently (which often becomes a stressful task in my personal experience of using firewall apps).
For using privacy-invasive apps (if need be), my usual approach would be to either isolate them in their separate profile or a container and be aware of what data they collect, accepting the risk as we use them.

I appreciate the work done by Safing on Portmaster, allowing users to have more control over their devices, which makes it a powerful tool.
But I feel maybe not everyone (including me) would want to worry about configuring rules to block telemetry and trackers consistently on their system (considering you would need to first understand which connections/ports/IPs/apps to block and which not).

Although a good use case of using Portmaster would be to audit apps and their behavior, whether they are doing what they say.
Advanced users may also have other justified use cases for using Portmaster.
Let me know your thoughts on this.

5 Likes

Looks to me that Portmaster is an alternative to community-led projects like simplewall (for Windows) and OpenSnitch (for GNU/Linux).

The “business model” seems similar to what Brave is doing, and I really hope it succeeds as another form of funding besides grants and donations.

One may prefer to install it for a business “one-click” solution, or prefer to distribute the responsibilities among community projects such as OpenSnitch/simplewall (firewalling), dnscrypt-proxy/SimpleDnsCrypt (Secure DNS), and Tor/I2P for network anonymization.

I thank the creators of Portmaster for this project and I hope to try it myself as soon as the problems of GitHub issues 13/942 are resolved.

4 Likes

Portmaster automatically blocks trackers & malware, and also secures your DNS requests by default. No further action needed. It’s like a tracker-blocker for your full system.

The benefit of having this on the device is that you can create an exception for, let’s say, Google in your browser but still block it everywhere else. That is not possible with a DNS-based or network solution. You can read more about some of the pros and cons in our Portmaster vs Pi-hole blog post.

Yes, most of them work - you can check the docs for more info.

That’s exactly what Portmaster does. Great defaults which take care of 80% of the job. It’s an install and forget solution. And then dedicated people can go and configure any & all details if they want to.

That is indeed a great use case - time and time again we get reports of people finding out about odd behavior of certain apps. Here is a recent one in the wild

Thanks! We appreciate you too :heart:

5 Likes

Thanks a lot for your kind words! We also have a comparison post on Portmaster vs Simplewall you might like.

And I’m assuming you are referring to the offline installers? Yeah, that is not as straightforward as it seems. You can already verify checksums if you are concerned about that. Or what is your angle on needing the offline installer?

1 Like

Thank you for answering.

I cannot allow Portmaster network access on the system on which I install it. Not during the installation, and not after. I want to use it to block other applications and especially itself from accessing the network. Is this possible?

I’m not interested in the reasons (updates, etc.) and implications for the program to access the network - incompatible with my own use-case.

Thanks again.

1 Like

Duplicate of What do you think about Safing Portmaster and SPN?

Nevertheless, we should really get a firewall section.

No, otherwise we would also need a VPN one, AV one, Mac software one, etc.