How to: Basics of Using Safing Portmaster

/ DNS, how-to guide, adblocking

In this guide we look at how to get familiar with using/tweaking Safing Portmaster, an open-source and host-based application firewall available for Linux and Windows machines.

About Portmaster

safingio logo

SafingIO Portmaster is a free and open-source host-based application firewall. Put simply, it’s an application that can easily manage the network connections on the device on which it is installed.

Portmaster is useful for controlling/viewing the network activity on a Linux or Windows machine, all in one place. Portmaster also shows details for application's connections in its interface.

You can find other mentions of Portmaster on avoidthehack as a recommended tool for blocking ads and trackers on a device and as a recommended free and easy-to-use privacy tool.

Installing Portmaster

4 black gears 1 green gear

Installing Portmaster is easy regardless of what device used. Keep in mind, as of writing, Portmaster is only available for Windows and Linux systems.


Installing Portmaster is easy; users can select their Windows build and versions and execute the installer, which will handle the installation process easily.

Download Portmaster


The easiest way to install Portmaster is via the package manager; users can download the .deb file and install Portmaster from their graphical user interface (GUI).

Alternatively, Portmaster can be installed via the command line.

Safing details troubleshooting Portmaster installation (specifically for Linux) in their docs.

Download Portmaster

Running Portmaster

Running Portmaster is easy; it can be ran from the GUI of Windows or Linux or via the Linux command line.

Portmaster runs in the background even if the application is not opened on the system's GUI.

Compatibility note (port 53)

Portmaster binds to Port 53 (DNS). If there is another service already running (listening) to this port, then Portmaster will most likely throw an error. This error isn’t fatal, but can reduce Portmaster’s functionality or create DNS issues where you can’t connect to the internet.

Usually, this is because another service (likely DNS-related) is listening to this port.

To resolve this, you’ll need to locate what service is bound to port 53 on your machine and stop it.

If you’re using a Linux distro with systemd (which is likely), you can use sudo systemctl stop [service] in the command line.

In my specific case, my machine's Unbound service was causing the issue. So, to start, I would type sudo systemctl stop unbound stop Unbound from running.

After executing this command, unbound should be stopped; we can verify with sudo systemctl status unbound, which should show an Inactive status.

Now restart Portmaster (systemctl restart portmaster). It should no longer give the notification it cannot start the DNS service.

clear notification screen from portmaster

While this particular note-section is mostly geared towards Linux users, Windows users may run into similar errors due to services competing for the same port as well. For example, if Windows users are already using the NextDNS application, then they may run into issues as both try to listen to the system’s DNS service, getting in each other's way.

These are temporary workarounds - once the machine is restarted, you will like run into the same issues. Therefore, you should consider disabling applications and services likely to interfere with Portmaster from automatically starting.

Portmaster Basics

Portmaster has two main view modes: simple and advanced. Portmaster defaults to the simple interface.

Network Activity

In both the simple and advance interfaces, the “default screen” for Portmaster is the Network Activity screen. Here, we can see average number connections over time, total connections within a last reload interval, apps with network activity, and more details about connections for the entire system.

The more a system uses the network, the “noisier” the network activity screen may look.

The interface is split into two main panels.

network activity screen of portmaster, the left pane shows applications names and the right pane shows connection details

The left tells us the process/app name and amount of “recent connections.”

The right panel details information about an application’s network connections. We can see an overview of allowed/blocked connections, domains allowed, outgoing/incoming, etc.

Connection Details

Portmaster lets us view connection details on a per-app basis with a simple click, and without further digging, can show a wealth of information about a connection, such as:

  • Start time
  • Direction (outgoing/incoming)
  • Protocol (typically TCP/UDP/ICMP)
  • Tunneled + encrypted status
  • Domain name
  • IP address (+ port number)
  • Country
  • ASN and AS Organization
  • Binary path

From here, we can also easily block the application from making future connections to associated domains/IP addresses.


Connection filtering/searching

In an application like a browser, it may make connections to third-parties delivering content/services on behalf of a visited website. This can result in information overload, even for visiting a single website in a tab (especially if the browser is not using an adblocker), if we are looking for patterns/specific connections.

We can also filter/search connection information. Additionally, we can group an application’s connection by something like domain or country, depending on how we want to see the data.

Per-app settings

Portmaster can run settings like rules, force blocking internet activity, force blocking incoming connections for individual applications.

Without ever changing our global settings, perhaps we want to:

  • Temporarily restrict an app’s internet access
  • Allow or Block an app’s LAN access
  • Allow or Block incoming connections for an app
  • Allow or Block P2P connections
  • Manage filter lists of an app (set different lists than our global settings.)

As an example, perhaps we want to block our machine’s browser (Brave) from ever connecting to the main TikTok domain. Using a rule, we can specify it should only apply to Brave from the per-app settings screen by:

  1. Going to per-app settings for Brave
  2. Entering a rule, select Block and in the text box enter
  3. Click the check mark


We can now test our rule by opening Brave and attempting to visit TikTok. The browser should fail to connect, usually citing a connection timeout.

The failed connection should also be visible in Portmaster’s network activity:


Process profiles

Apps on a machine spawn processes that may continue in the “background” - or when the app is closed. They also may differ enough where we can specify rules for one process, but not apply it to the entire app itself (note: this depends on how the app interacts with the system.)

For example, an app may have a main process that handles the bulk of the app’s function and network activity; the same app may also have a process, defined in a different path, to automatically check for updates.

Global Settings

Global settings are the “defaults” Portmaster automatically uses for applications initiating network activity on the system. Most of the global settings are fairly self-explanatory.


In Portmaster's gobal settings, we can configure:

  • Default Network Action
  • Notification settings
  • DNS settings

We can also get somewhat specific with default actions for Portmaster to take regarding any applications and processes using the network on the machine:

  • Block internet access (generally shuts connectivity down across the entire device, assuming no applications bypass Portmaster).
  • Block LAN (restricts to/from connections from devices, like a wireless printer, on the LAN)
  • Block peer-to-peer (P2P) connections (this would block P2P activities like torrenting.)
  • Block incoming connections (blocks all internet/LAN incoming connections.)
  • Set filter lists and whether to block subdomains of domains on filter lists
  • Prohibit application bypassing of Portmaster

Safing Privacy Network (SPN)

While Portmaster is free and open-source software, users have the option to subscribe and unlock the SPN (which, for clarity, is also open-source.) SPN claims to supersede VPNs in providing privacy not reliant on a provider’s policies.

SPN features onion-routing and can have multiple identities for each application on a device; in short, each application can have its own IP address.


The SPN looks to work similar to split tunneling, which many VPN providers out there do offer. VPN split tunneling is where we can specify certain application/device traffic to route through the encrypted VPN tunnel.

A useful example for split tunneling is wanting to browse the internet from behind the VPN, but wanting to also maintain connectivity to local area network devices (like a printer.) SPN accomplishes this without reliance on a VPN provider or establishing a traditional VPN connection.

SPN requires creating an account with Safing, but does not require personal identifiable information (PII). Providing an email is optional.

Tweaking Portmaster

Portmaster comes with decent defaults for users who want something that works well and increases their privacy straight out-the-box. However, it is also a program that can be readily tweaked to your specific needs as a user.

I will run through some tweaks just about every user should find useful.

Forwarding requests to encrypted DNS providers

Portmaster comes with some “quick settings,” for forwarding requests to encrypted DNS providers like Cloudflare, Quad9, and AdGuard (which are among the recommended DNS providers on avoidthehack).

These specific encrypted DNS providers can also filter DNS requests; some provide malware domain blocking, while others provide adblocking and/or a combination of both.

Fortunately, users are not confined to choosing from a predefined list of DNS providers in Portmaster. We are free to specify DNS server(s) for Portmaster to forward lookup requests.

It's also easy to do; we just need to specify the address of the desired DNS server; Portmaster uses a URL format for specifying DNS servers:


When specifying a server, you’ll want to ensure you are forwarding to a DNS server that at least uses DNS-over-HTTPS (DoH) to encrypt your device’s forwarded queries; hence, using your internet service provider’s (ISP) unencrypted resolvers is not ideal. For enhanced privacy, you also will want to ensure you are using a server that supports QNAME minimization and DNSSEC.

Out of caution, you may want to consider avoiding forwarding to DNS servers with a definitive logging policy.

Be aware that should you specify a DNS server for Portmaster to use, it will bypass the network’s set DNS resolver. For example, if you have set your home network’s router to forward requests to (a public DNS server ran by Cloudflare), then Portmaster will not follow this if a DNS server is specified in its settings.

Privacy lists

Privacy lists on Portmaster are domain blocking lists.

These lists have a wide range of “themes” - some lists are geared for blocking not safe for work (NSFW) content whereas others block domains/hosts associated with malware.

Users are free to select how many lists to use in accordance with their specific needs.

Enabling a lot of lists can break certain apps on a device.

Lists can be applied globally and on a per-app basis. Lists available in Portmaster appear to be maintained by Safing.

Unfortunately, at time of writing, Portmaster does not allow adding customized lists.

Setting Portmaster as the system's DNS resolver (Linux)

This isn’t really a Portmaster specific tweak, but it’s relevant since Portmaster listens to the device’s DNS service.

In my case, prior to using Portmaster, I disabled systemd-resolved due to constantly dropping/slow DNS lookups, which killed my Linux system's internet connection.

In place of systemd-resolved, I previously used Unbound as my device’s local resolver. However, as mentioned earlier, Unbound wants to listen to the DNS service - like Portmaster.

Unbound, Portmaster, and systemd-resolved all listen on Port 53/TCP for DNS lookups. But we can substitute systemd-resolved for Portmaster’s service if desired (or needed). This gives Portmaster easy and interfere-free access to be the system’s “DNS master.”

This may especially helpful if users find systemd-resolved unreliable/problematic. There are actually many bug reports across many Linux distributions concerning systemd-resolved where systemd-resolved has caused connectivity issues for users.

This is not required to have Portmaster function as intended if systemd-resolved is the default DNS listener.

1. Disable systemd-resolved

The first step is to disable systemd-resolved. We can do this by:

  • Opening a command line window
  • Typing sudo nano etc/resolv.conf

Depending on the editor installed on your machine, nano may be replaced with the command, such as touch, for initiating the editor within the command line interface.

Here, we tell the system to use a specified third-party DNS resolver (like a public one) for all lookups. We can specify the nameserver as - this is the IP address of a Quad9 public resolver.

Doing this helps maintain the DNS service (at least temporarily) prior to “permanently” disabling the systemd-resolved service. AKA, we keep our machine's DNS service going so we can access the internet if needed. Additionally, this is temporary - it will reset once the machine is rebooted.

Now, we can disable the systemd-resolved service:

sudo systemctl stop systemd-resolved

sudo systemctl disable systemd-resolved

The first command stops the service; the following prevents systemd-resolved from automatically running on a system start, such as a reboot.

2. Reconfiguring Network Manager

Network Manager will continue to look for systemd-resolved, so we must tell it to look for Portmaster instead.

  • Open a command line window
  • Navigate to the configuration file for Network Manager - for many distributions (like Linux Mint) this is etc/NetworkManager/NetworkManager.conf
  • Under the [main] section we will want to set dns to dns=portmaster

We will also want to ensure the Portmaster service is running and will automatically start on a system start (which it already should): sudo systemctl enable portmaster.

Lastly, reboot your system. On system start, Portmaster should listen to the DNS service by default.

Portmaster with other privacy tools

Portmaster can be used with other privacy tools on a system to further maintain and protect a user’s privacy.

This is not meant to be an all inclusive list of privacy tools to be used with Portmaster.

Portmaster with a VPN

vpn with emblem of shield

Though Portmaster has the optional paid SPN feature, users may want to use Portmaster alongside a trusted virtual private network (VPN) provider.

Most VPN providers have their own clients for their service, which many users frequently use. Depending on the VPN provider’s client and its implementation, Portmaster may not work smoothly with certain VPN clients.

In most cases, this has to do with Portmaster and the VPN client “competing” to listen to the system's DNS service. In some cases, if the VPN client has a “killswitch,” then this could also be an issue.

To be effective, Portmaster needs to have access to the DNS service so it's ill advised to restrict its access to the system's DNS service. Fortunately, in some cases, tinkering with the VPN client’s DNS settings/killswitch settings may yield positive results.

For example, I opened an issue on GitHub in the Safing Portmaster repository to describe a workaround for the iVPN native client on some Linux distributions.

If users are having confirmed issues with a VPN provider’s client and Portmaster, directly using and configuring OpenVPN - even if slightly more technical in nature - often fixes the compatibility issue.

More information about VPN compatibility can be found in Safing Portmaster’s official docs. Safing encourages users to report incompatibility and compatibility with varying VPN providers.

Users are strongly recommended to use a trustworthy, no-logs VPN provider; avoidthehack has recommendations on the VPN providers post.

Portmaster with Unbound (as network resolver)

unbound logo

It was mentioned earlier that Portmaster can forward DNS lookups to an encrypted DNS provider (with ad/tracker/malware blocking services.)

We can even get a little more fancy with specifying DNS servers on the LAN - such as those we may self-host. Are you already using something like Unbound to run your own local network recursive resolver?

By inserting the IP address of where the self-hosted network resolver is located, Portmaster will forward DNS requests to the self-hosted resolver.

For example, let’s say the local IP address of our self-hosted resolver is

In Portmaster’s settings, we will tell it to use our Unbound resolver by adding the value dns:// as an entry under “DNS Servers.”

To clean things up in Portmaster’s messaging and logs, we can actually specify a name for our self-hosted Unbound DNS server with dns://

Portmaster with Pi-Hole

pihole logo

Perhaps you are like many people out there running a self-hosted Pi-Hole installation.

Likely you also want to use Portmaster on your machine - but you don’t want Portmaster (and the machine) to bypass your Pi-Hole installation. This would happen if you specified a DNS service to forward requests in Portmaster's settings.

Fortunately, we can tell Portmaster to forward requests to our Pi-Hole installation by pointing Portmaster to the IP address of the machine where Pi-Hole is hosted - similarly to how we’ve done with the Unbound example above.

Let's take an example; the LAN IP address of the self-hosted Pi-Hole installation is at In Portmaster, we will then put dns:// as the DNS server.

Portmaster should point requests to Pi-Hole and now you should be able to reap the benefits of Portmaster on the machine and Pi-Hole for the network.

Portmaster with Lokinet

lokinet logo

Portmaster works well with network-layer onion-routing software, Lokinet. Lokinet can enable anonymous browsing, similar to Tor. Additionally, Lokinet can reliably onion-route real-time voice/video calls and other high-bandwidth content; it's similar to Tor, but is more than just a browser and can handle other connection types like UDP and ICMP.

First, users will need to install Lokinet.

Portmaster can “see” Lokinet’s data packet routing. Portmaster’s filtering and app rules are best served on the application initiating the connection (like a browser.)

Portmaster with Tor

tor logo

The Tor browser is a browser configured to run on the Tor network; Portmaster works well with Tor as they operate on different layers, with Tor operating on the transport layer whereas Portmaster operates on the Network layer (like Lokinet).

There should be no configuration required to run Portmaster while using Tor. Users can see the onion-routing traffic working on the Network Activity log/messages in Portmaster.

Final thoughts

Portmaster is an open-source solution to controlling the network connections initiated by the various services and applications installed on a Windows or Linux machine.

While it looks (or sounds) intimidating for less technical users, Portmaster is easy to use and comes with good privacy defaults out-of-the-box. It is also a useful tool for more technical users due to the amount of information it provides about network connections.

With that said, stay safe out there!

Next Post Previous Post