Here is something most people have never thought about. Right now, as you read this, the apps on your Windows PC are making network connections you did not ask for and probably do not know about. Your browser is pinging ad servers. Apps you installed months ago are phoning home to company servers. Background services are sending data to places you have never heard of. Windows does nothing to show you any of this, and its built-in firewall does not give you per-app control in any practical sense.
Portmaster changes that. It is a free, open-source application firewall for Windows that shows you every connection every app on your PC makes, lets you block individual apps from the internet entirely, blocks ads and trackers at the network level for every application not just your browser, and encrypts your DNS queries automatically. This guide explains what it is and how to use it.
What Is Portmaster?
Portmaster is a free, open-source application firewall developed by Safing, a privacy-focused company based in Austria. It works on Windows and Linux and is available to download from safing.io at no cost.
Unlike browser extensions that only protect you while browsing, Portmaster works at the operating system level. It integrates directly into the Windows network stack using a kernel driver, which means it sees every single network packet that enters or leaves your PC regardless of which app created it. That includes your browser, your email client, Steam, Spotify, system services, everything.
The key things Portmaster does out of the box, once installed, with no configuration needed:
This shows you a real-time list of every network connection every app on your PC is making. It blocks ads and trackers for every application, not just your browser. It encrypts your DNS queries using DNS over HTTPS or DNS over TLS so your internet provider cannot see which websites you look up. Further It lets you block any individual app from accessing the internet entirely with a single click.
The core product is completely free. There is a paid tier called SPN that adds a Tor-like multi-hop privacy network, but the free version is genuinely powerful on its own and is what this guide covers.
How to Download and Install Portmaster on Windows
Go to safing.io and click Download for Windows. Run the installer as administrator. Portmaster installs a background system service and a small system tray icon. The installation takes about a minute and does not require a reboot.
When Portmaster opens for the first time, it walks you through a short setup asking whether to enable secure DNS and which default blocking level to use. The recommended defaults are sensible for most people. After setup, Portmaster runs silently in the background and the dashboard is accessible any time from the system tray icon.
Getting Around the Portmaster Dashboard
The dashboard has a sidebar on the left with four main sections: Monitor, Apps, DNS, and Settings.
Monitor is the live view. It shows every network connection happening on your PC right now, updated in real time. Each entry shows the app that made the connection, the domain or IP it connected to, whether the connection was allowed or blocked, and the country where the server is located. Watching this for thirty seconds on a typical Windows PC is genuinely eye-opening. You will see apps making connections you had no idea they were making.
Apps is where the real control lives. It lists every application Portmaster has detected making network connections, from Chrome and Spotify down to Windows system services running under svchost.exe. Clicking any app shows its recent connections and lets you change its network permissions.
DNS shows every DNS lookup your PC has made. Since Portmaster intercepts all DNS queries and routes them through its own secure resolver, every lookup is logged here. You can see which domains each app tried to reach, including ones that were blocked.
Settings is where global defaults live, including which DNS provider to use, which block lists are enabled, and the default behavior for new apps.
How to Block an App From the Internet
This is one of the most immediately useful things Portmaster does, and it takes about five seconds.
Open the Portmaster dashboard and go to Apps. Find the application you want to block. Click on it. At the top of the app detail panel you will see a network access setting. Change it from Allow to Block. That app is now cut off from the internet entirely. It cannot send data, cannot phone home, cannot receive updates unless you change the setting back. The block takes effect immediately without restarting anything.
This is useful in situations most people have encountered. A game you bought outright that keeps pushing online services you do not want. An old app you still need locally but have no reason to let reach the internet. A piece of software you are not fully sure about. Block it in Portmaster and it cannot do anything over the network.
How Portmaster Blocks Ads and Trackers System-Wide
Most ad blockers work only in your browser. Portmaster blocks ads and trackers for every application on your PC because it operates at the network level, before any connection is established.
When an app tries to connect to a known tracker, ad server, or malware domain, Portmaster checks that domain against its built-in filter lists and blocks the connection before it goes anywhere. The app never reaches the server. The data never leaves your PC.
In Settings under Filter Lists, you can see which lists are active and add additional ones. The defaults cover the most common ad networks, tracker domains, and malware sources. You can add more specific lists if you want broader coverage.
The practical difference from a browser extension is significant. Portmaster blocks trackers in Spotify, in desktop apps, in games, in the Windows operating system itself, anywhere a network connection is attempted. A browser extension only protects the browser.
How Portmaster Handles Your DNS
Every time you visit a website, your PC first looks up its domain name to find the server's IP address. By default, this lookup goes to your internet provider's DNS server in plain text, meaning your provider can see every domain you look up and potentially log or sell that information.
Portmaster intercepts all DNS queries from every app on your PC and routes them through a secure DNS resolver using DNS over HTTPS or DNS over TLS. The queries are encrypted, so your internet provider sees encrypted traffic rather than a readable list of every site you visit.
In the DNS settings you can choose which provider handles your encrypted queries. Portmaster includes several options including Cloudflare, Quad9, and others. You can also set a custom resolver if you have a preference.
Per-App Settings vs Global Settings
One of Portmaster's most powerful features is that almost every setting can be applied globally across all apps or overridden for individual apps.
For example, you might set the global default to block all tracker connections, but allow a specific app to connect to its own analytics service if you want it to work properly. Or you might block all incoming connections globally but allow a specific app to receive them for legitimate reasons.
To apply a per-app setting, go to Apps, click the app you want to configure, and change any setting in that app's panel. Settings changed here override the global defaults for that app only.
This granular control is what separates Portmaster from simpler privacy tools. You are not just turning one big switch on or off. You are making specific decisions about specific apps.
Portmaster vs Windows Firewall
| Feature | Portmaster | Windows Firewall |
|---|---|---|
| Per-app internet blocking | Yes, simple one-click | Yes, but complex rules required |
| Real-time connection monitor | Yes, live dashboard | No |
| Ad and tracker blocking | Yes, system-wide | No |
| DNS encryption | Yes, built-in | No |
| Block lists for malware domains | Yes | No |
| See which domains apps contact | Yes | No |
| Free | Yes | Yes |
| Open-source | Yes | No |
| Replaces Windows Firewall | No, works alongside it | N/A |
Portmaster does not replace Windows Firewall. The two run alongside each other without conflict. Windows Firewall handles system-level port rules and inbound protection. Portmaster adds the per-app visibility, tracker blocking, and DNS encryption that Windows Firewall simply does not offer.
A Honest Note on Limitations
Portmaster is not a VPN and does not hide your IP address from websites you visit. The free version has no routing or anonymization features beyond encrypted DNS. If you need IP-level privacy, a VPN does that job separately.
Because Portmaster installs a kernel driver, it runs with system-level privileges. This is necessary for it to see all network traffic, but it means you should only download it from the official safing.io website rather than third-party sources.
Occasionally, blocking certain connections can break apps that depend on specific background services. If something stops working after installing Portmaster, checking the Monitor view to see which connections are being blocked usually points to the cause quickly.
Final Thoughts
Most people have never had a clear picture of what their Windows PC is doing on the network. Portmaster gives you that picture for the first time, and then gives you the tools to act on it. Blocking a nosy app takes one click. Encrypting your DNS queries happens automatically. Stopping tracker connections system-wide requires no configuration at all. For anyone who wants to understand and control what their PC is doing online, Portmaster is one of the most genuinely useful free tools available for Windows.
Frequently Asked Questions
Does Portmaster replace Windows Defender or Windows Firewall?
No. Portmaster works alongside both without conflict. Windows Defender handles malware scanning and Windows Firewall manages system-level port rules. Portmaster adds per-app connection monitoring, tracker blocking, and DNS encryption that neither of those tools provides. You do not need to disable anything to use Portmaster.
Is Portmaster safe to install?
Yes. Portmaster is a legitimate, fully open-source project developed by Safing, a registered company based in Austria. The source code is publicly available on GitHub and has been reviewed by the security community. Download it only from the official safing.io website to ensure you get the genuine version.
What is SPN and do I need it?
SPN stands for Safing Private Network and is a paid feature that routes your traffic through multiple servers in a Tor-like fashion, giving each app a separate IP address. It is an optional premium feature for users who want advanced anonymization beyond what the free version provides. The free version of Portmaster is fully functional without SPN and covers everything described in this guide.
Discussion (0)
Be the first to comment.