Software Firewall to manage Outbound connection on Windows

Following these 5 topics (1 2 3 4 5), it seems there still isn’t a great option for firewalls.

To avoid confusion, please let’s stick to software firewall and Windows for this topic.

First off, the problem with Windows Firewall:

Windows Firewall lacks the most important usability feature which almost all people expect from a software firewall: the ability to manage connections interactively, that is: the ability to block everything by default and have Windows Firewall prompt you to allow/block connections on the first connection [of an application]. Windows Firewall can’t do that without relying on a third-party software.

If I summarize the issues raised in the other threads about the other suggested firewalls:

Portmaster:

Lots of spaghetti code, bloated, uses tons of RAM and CPU, 3 executables to run, one of which is just a tray icon that has been bugged for years, needs kernel permission, but the devs have no idea what to do against BSODs. It’s very easy to BSOD someone running Portmaster, not going to tell you how, but I’ve tested this with another machine with an easy overflow attack. If developers do not master and can’t fix bugs in the realm of security, kernel space and the mechanics of a firewall, then I’ve zero faith, period. This app should not run in kernel space, AT ALL. It also uses WFP, so it’s totally dependent on Windows, yet it asks for full system control, restricting user freedom.

Awkward interface that is hard to make sense of, needs a lot of setup and tuning, random connection issues, etc.

Portmaster really is resource-heavy, and has some funky behavior with Hyper-V VMs. I have had to restart my PC many times after shutting down and starting up Portmaster again due to the network adapter just going kaput.

Every time I ran it I had crippling performance issues. I participated for a while in a GitHub issue about it, but I ultimately lost hope it would be fixed (I say this with all due respect to the very talented devs who work on it!). Moreover, that’s before I even began to try to make it work with ProtonVPN, which ultimately I would have to do. And I also do not want it to touch my DNS settings, as I would prefer to blend in with other ProtonVPN users as someone using Proton’s DNS. I am aware as to this last point you can force Portmaster to use system default DNS, but the other issues preclude getting to this point.

I had the same experience a few years ago and recently tried it again. But sadly, no. I don’t know how, but it’s still buggy and the interface is still the same. Maybe even worse, because some of the time the interface takes like 20s to load.

If the devs see this, they should take a look at the Glasswire interface, especially the “Traffic Monitor” tab. If they could somehow replicate that and clean up the UI so it doesn’t feel so unorganised and straight up bad, I might at least consider switching to it in the future. After installing and removing Portmaster at least 5 times I’m starting to give up, but maybe they’ll listen to people somehow, idk, I’m trying not to lose hope here.

Portmaster seems to have a nice UI compared to others, but if you are planning to use VPNs, you are going to have a bad time. I tried with Proton and Windscribe and PM cut my internet connection completely.

Simplewall:

There are some small controversies with simplewall. Online virus scans detect some malware, however these are highly likely just false positives:

VirusTotal scan of simplewall
Hybrid Analysis scan of simplewall

Moreover, simplewall still doesn’t have any digital signature, and the developer doesn’t know how to sign their software, even though this information is publicly accessible. Lack of a certificate is not very important, though desirable.

I also dislike the developer’s attitude, and hence dislike the developer himself:

1
2
3

By answering with “i dont care” you basically say that “I don’t give a single f*** about you, the user of my application”. It is unprofessional, unethical, disrespectful to the user, negligent, and, after all — rude. I personally don’t want to use a software from such a developer. I like his firewall, however. It’s very light on resources and very simple.

I don’t think simplewall has malware, but I just don’t like the developer’s harsh attitude and maladjusted, maybe even sociopathic behavior:

1
2
3
4 and 5
6
…and so it goes.

I then tried creating a rule, unsuccessfully. I then posted it on their Github and I can confirm the developer is a class A asshole. If I can’t trust a developer, can I trust their firewall? I’ve permanently removed simplewall from memory and eventually all my computers.

Fort:

A better and more feature rich alternative to Simplewall, but have to disable core isolation because Microsoft is a scammer.

Glasswire:

Excellent UI for its network monitor component and handy extra features, but with a concerning privacy policy and seemingly watered down firewall compared to SW.

Glasswire has been sold by its founders to an Italian firm. Prudent to re-calibrate your choice.

TinyWall:

This could be good, but the “block without asking” approach is the opposite of what I want.

VPN Kill Switch:

A simple way: VPN kill switch mode, applied to all apps that you don’t want to connect to the internet. Also works on Android.

I presume this could work, but it has the same problem as TinyWall.

Windows Firewall Control:

It’s also closed source, and although you can block it, it sends some usage data back once a day.

Pinging @paranoidSchizo who wanted to do a PR on this.

Pinging @Average_Joe and @Andell who tried a lot of solutions for this. What are you using now?

Pinging @Raphty from safing portmaster.

Hopefully this doesn’t get closed or merged into another thread, because the other threads go in all sorts of directions. Like I said, let’s stick to software firewalls and Windows for this topic.

4 Likes

What’s your actual question? Or are you posting to only ask select people?

Still happy to work on a PR (a bit busy tho so it might not be until the end of the month). I would follow a similar format to the other KB pages, discussing what software firewalls are and why someone might want to use one for their own personal privacy and security. Second, I would outline the recommended usage (block all outbound traffic for installed software and then respond to popups y/n as applications request network access). Then I was just going to recommend Lulu/LittleSnitch for macOS and Safing Portmaster for Windows/Linux.

It has been quite a while since I’ve used Linux or Windows as a desktop operating system, so I haven’t needed an application firewall on my servers/VMs, resulting in my usage of Portmaster being very brief and experimental. I didn’t notice any glaring issues when I did try it a year back. If someone else who has more experience with other options wants to contribute the Windows recommendation section, I’m happy to collaborate on the PR.

What I do know is what they’re good for, how to use them, why you should want to use them, and that Lulu is free and works great for me!

1 Like

I use Portmaster. The UX feels very clunky to me, but if you’re willing to spend a bit of time getting used to it, it seems to do its job well.

Granted I have not run into the performance issues you quoted and am not qualified to speak on its code.

I am also running very few apps at a time and most of the connections made are allowed, so I might be a bit too casual of a use case.

1 Like

What’s the actual recommended FW on Windows with all these quotes taken into consideration?

1 Like

I’ve tried Portmaster, but it was a horrible experience. I’m mostly talking about the user interface. I’m completely happy with simplewall. It doesn’t matter that core isolation has to be off, since I can’t use it anyway because of my hardware.

Edit: Personally, Defender has never flagged anything for me, and if there’s been a problem, it’s always been on the user’s end. And I’ve always handled everything myself. And weren’t all those messages of yours I read from, like, two years ago?

2 Likes

NetLimiter is the best option available, but it is not free.

It seems to be a recurring theme; many, many people have the same opinion of the developer.

I might go with it anyway since it seems like the only FOSS good option.

Among those you’ve mentioned, I tried only Portmaster and Simplewall.

Portmaster was kinda clunky, and generally felt too heavy for a daily firewall, not to mention that the UI feels messy and bloated. Also I don’t like the fact that they integrated SPN into Portmaster, making it unnecessarily heavy, since SPN is a paid feature and not everyone using Portmaster is subscribing to a plan that costs 10€/month. Btw, is using WFP (Windows Filtering Platform) inappropriate for a firewall? simplewall also uses WFP, and since all software firewalls run on top of Windows, I do not understand why using Windows’ built-in feature is an issue by itself.

simplewall was much better in terms of usability. The only downside of SW is that it’s no longer under active development.

Gotta try Fort and TinyWall next time. Glasswire is not an option I’d ever consider, since it’s closed source.

2 Likes

Personally I’ve used simplewall for years and it has all the basic features one needs. If you need something that simplewall can’t do, chances are there is a program out there that specializes in doing that thing and does it 10x better anyway. There is simply no reason for the author to add bloat to it when most users won’t use those features anyway, and those that do can just install dedicated software made specifically for that purpose. simplewall is extremely lightweight; it barely consumes any CPU or RAM because it has 1 job and does it well. The other firewalls like Portmaster are much heavier.

2 Likes

Well, simplewall is open source and you can always verify whether anything on your PC is spying on you by using your router’s domain analytics. Henrypp is just very tired of dealing with all the dumb shit and questions he has to deal with on the repo. Every time there’s a new version, 10 people post the EXACT SAME ISSUE. There is literally a checkbox that goes like “I have read and am sure there are no other issues like this” and NO ONE READS. They can’t even bother to spend 5 mins to search if the issue has already been reported, but they expect him, the busy dev, to dedicate HIS time? If I was simplewall’s dev I would be just as pissed.

4 Likes

simplewall it is then!

Thanks for chiming in!

I am basically a novice with GitHub, so excuse my ignorance, but can’t the gitmodules be used to reproduce the build?

They must be used, or there will be errors during compilation. The problem is that the developer does not give the user enough data to reproduce the environment, because he’s lazy and “doesn’t give a f” or something else. Even his gitmodules don’t work as they should: Git cannot clone them automatically, and this has to be done manually.

1 Like

I appreciate your reply!

I’m still researching, but Portmaster still comes across as the best.

I only came across something very new; it seems like a VPN 2.0: https://nym.com/

NYM is open source as well and very cheap!

1 Like

I decided to go with simplewall after all! The criticism of that software is mostly that the author is not such a nice guy, but the software is really well made and gives you back control over any process that wants to access the internet.

You just need to allow Windows Update after you install the software and be careful to go through the options (there aren’t a lot).

2 Likes

@win11.shading291 Another firewall you might be interested in checking out is Minimal Firewall. It’s quite a recent project.
It works much in the same way as simplewall, in that it’s a frontend for WFP.
Here’s the PG thread about it: Minimalfirewall: Minimal Firewall is a portable Windows firewall without requiring custom kernel modifications or disabling core isolation
The developer is also a member of this forum.

1 Like

Thanks for the recommendation! 🙂 I had already seen it, but Blackbird’s experience with it threw me off.

I’m happy with simplewall for now 🙂

2 Likes

simplewall is great software; it’s what I used before I made Minimal Firewall.

Just wanted to point out that Blackbird used version 2.1, and it is now on v2.5. It is still a work in progress, but much more stable now.

1 Like

Can Minimal Firewall allow connections only for the Windows Update service, or do I need to allow access to all of svchost for updates to work? I saw this issue with WFC. Btw, does simplewall have the same problem?
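Editor’s note (added example, not from any participant in this thread and not code from simplewall, Minimal Firewall or any other project named above): the opening post’s complaint is that Windows Firewall cannot “block everything by default and prompt on first connection”, and the closing question is whether a rule can be limited to the Windows Update service rather than all of svchost.exe. The built-in firewall does support the non-interactive half of that: a default-deny outbound policy, explicit per-program allow rules, and rules scoped to a specific service inside svchost.exe (the -Service parameter of New-NetFirewallRule). What it lacks is the prompt, so the practical substitute is auditing WFP packet drops and reading event 5152 to see what was blocked. The PowerShell below shows all of that against the built-in firewall only; whether simplewall or Minimal Firewall expose per-service rules is not something this thread settles. The Firefox path and the list of Windows Update helper services (BITS, DoSvc) are assumptions for the example. Run it from an elevated PowerShell.

```powershell
# Added example (editor's, not from any post in this thread). Default-deny
# outbound on the built-in Windows Firewall, then re-open only what is needed,
# including a rule scoped to the Windows Update service inside svchost.exe.
# Must run elevated. Program paths below are assumptions for the example.
#Requires -RunAsAdministrator

# 1. Block all outbound traffic by default on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# Caveat: Windows ships with built-in outbound allow rules (Core Networking,
# Store apps, ...) that remain in force under a Block default. Review them.
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Select-Object DisplayName, Group, Profile | Format-Table -AutoSize

# 2. Allow one application explicitly (path is an assumption for the example).
New-NetFirewallRule -DisplayName "Allow Firefox outbound" `
    -Direction Outbound -Action Allow -Profile Any `
    -Program "$env:ProgramFiles\Mozilla Firefox\firefox.exe" `
    -Protocol TCP -RemotePort 80,443

# 3. Allow Windows Update without opening all of svchost.exe: the rule matches
#    only when the wuauserv service is the one making the connection.
New-NetFirewallRule -DisplayName "Allow Windows Update (wuauserv)" `
    -Direction Outbound -Action Allow -Profile Any `
    -Program "$env:SystemRoot\System32\svchost.exe" -Service wuauserv `
    -Protocol TCP -RemotePort 80,443

# Windows Update hands downloads to BITS and Delivery Optimization; if updates
# still stall, add the same rule for those services (assumed list, verify with
# the audit log in step 5 rather than opening svchost.exe wholesale).
foreach ($svc in 'BITS','DoSvc') {
    New-NetFirewallRule -DisplayName "Allow $svc (Windows Update helper)" `
        -Direction Outbound -Action Allow -Profile Any `
        -Program "$env:SystemRoot\System32\svchost.exe" -Service $svc `
        -Protocol TCP -RemotePort 80,443
}

# 4. Verify what a rule actually matches: its program and service filters.
Get-NetFirewallRule -DisplayName "Allow Windows Update (wuauserv)" |
    ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Program = ($_ | Get-NetFirewallApplicationFilter).Program
            Service = ($_ | Get-NetFirewallServiceFilter).Service
        }
    }

# 5. No allow/block prompt exists, so discover blocked traffic after the fact:
#    audit WFP packet drops and read event 5152 from the Security log.
#    (Direction is logged as a resource code: %%14592 inbound, %%14593 outbound.)
auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152 } -MaxEvents 20 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Application = $d['Application']
            Direction   = $d['Direction']
            Dest        = "$($d['DestAddress']):$($d['DestPort'])"
        }
    } | Format-Table -AutoSize
```

The service-scoped rule is the answer to the "all of svchost or just the update service" question for the built-in firewall: the filter is evaluated against the service SID of the process making the connection, so other services hosted in svchost.exe stay blocked. The audit step is the part to keep running for a while after switching to default-deny, since 5152 is the only place the built-in firewall tells you what it silently dropped; disable it again with /failure:disable once the allow list is stable, as it is noisy.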