Stealth Firewall

Stealth Firewall gives you granular control over which applications can access the internet. Block unwanted connections, prevent applications from phoning home, and ensure only trusted software communicates over your network.

How It Works

Stealth Firewall is a friendly front-end on top of Windows Defender Firewall. It uses PowerShell (Get-NetFirewallRule and friends) to read, create, and modify rules. Everything you create here lives in the native Windows firewall, so rules persist even when Stealth isn't running.

What it adds on top of raw Windows firewall:

  • Searchable, filterable rule list with quick refresh
  • By Application pivot that joins program-path filters to rules
  • One-click Block App / Allow App shortcuts
  • Live Profiles management (Domain / Private / Public)
  • Device Posture scoring with remediation actions
  • App Identity tracking for executables (hash and signer aware)
  • Continuous Verification that can re-run posture on a timer and react when the score drops
  • Toolbar connection summary by TCP state (LISTEN, BOUND, ESTABLISHED, CLOSE_WAIT)
  • One-click export of all rules

Rule Modes

  • Allow - Connection is permitted
  • Block - Connection is dropped

Windows firewall only supports allow/block at the rule level - that's the full set.

Sidebar views

Use the View section in the left sidebar to switch modes. Each mode keeps the same toolbar (refresh, new rule, block/allow app shortcuts, live TCP counters, and search).

  • All Rules - full Windows Defender Firewall rule list with enable/disable context actions
  • By Application - rules grouped by executable so you can audit everything tied to a specific program
  • Profiles - Domain, Private, and Public profile defaults and on/off state
  • Device Posture - a consolidated security score built from Defender, BitLocker, Windows Firewall, LSA protection, and related baseline checks. The summary shows failed checks, listening ports, and flagged services. Each row can offer Resolve (elevated auto-fix where supported), Manual shortcuts that open the right Windows UI, or guidance when a reboot is required. Re-Run Checks forces a fresh evaluation.
  • App Identity - tracks outbound-capable applications by path, SHA-256 hash, and Authenticode signer. Stealth records the identity the first time you allow or block an app and warns if the binary on disk changes (tampering or unexpected upgrades). Toggle Enabled, hit Refresh Live to stream currently outbound processes, and compare Stored Rules vs the Currently Outbound list.
  • Continuous Verification - periodically re-runs the same posture engine. Configure the interval (seconds), the score that locks Stealth Vault, and the lower score that drops the VPN tunnel. When thresholds trip, Stealth raises alerts and the activity log records each evaluation.
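
The App Identity comparison described above (path, SHA-256 hash, Authenticode signer) can be reproduced with built-in cmdlets. This is an added example, not Stealth's own code; the baseline file location, the record shape, and the state names are assumptions.

```powershell
# Added example. Baseline path, record shape and state names are assumptions,
# not Stealth's storage format.
$BaselinePath = Join-Path $env:TEMP 'app-identity-baseline.json'   # hypothetical

function Get-AppIdentity {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path            = $Path
        Sha256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SignatureStatus = [string]$sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Compare-AppIdentity {
    param($Stored, $Current)
    if ($Stored.Sha256 -eq $Current.Sha256) { return 'Unchanged' }
    # Same publisher with a valid signature is consistent with an upgrade.
    if ($Current.SignatureStatus -eq 'Valid' -and $Stored.Signer -and
        $Stored.Signer -eq $Current.Signer) { return 'ChangedSameSigner' }
    return 'ChangedSignerMismatch'   # unsigned, invalid or different signer
}

# Executables owning an established TCP connection (includes accepted inbound ones).
function Get-ConnectedProgramPath {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty OwningProcess -Unique |
        ForEach-Object { (Get-Process -Id $_ -ErrorAction SilentlyContinue).Path } |
        Where-Object { $_ } | Sort-Object -Unique
}

# First run records the baseline; later runs report drift against it.
$current = @(Get-ConnectedProgramPath | ForEach-Object { Get-AppIdentity -Path $_ })
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    ConvertTo-Json -InputObject $current | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
} else {
    $stored = @{}
    $records = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    foreach ($r in $records) { $stored[$r.Path] = $r }
    foreach ($c in $current) {
        $state = 'NotInBaseline'
        if ($stored.ContainsKey($c.Path)) { $state = Compare-AppIdentity $stored[$c.Path] $c }
        [pscustomobject]@{ Path = $c.Path; State = $state; Signer = $c.Signer }
    }
}
```

Processes whose path cannot be read without elevation are skipped, so run it elevated for full coverage.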

Filtering & Search

  • Filter by direction (Inbound / Outbound)
  • "Enabled only" toggle to hide disabled rules
  • Search box matches rule name, description, and program path
  • Auto-refresh interval is configurable in settings

Creating a Rule

  1. Click Add Rule
  2. Enter a name, direction (inbound/outbound), and action (Allow/Block)
  3. Optionally pick a program path
  4. Optionally set protocol, local/remote ports, and remote address
  5. Choose which profiles it applies to (Domain, Private, Public)
  6. Save

Rules apply immediately and persist across reboots in Windows firewall.

App Shortcuts

Two one-click actions for any application:

  • Block App - Creates an outbound rule blocking the program
  • Allow App - Creates an outbound rule explicitly allowing the program

Useful for quickly preventing telemetry, blocking phone-home traffic, or whitelisting an app you trust.

Profile Management

For each Windows network profile (Domain, Private, Public) you can:

  • See current state - on/off, default inbound action, default outbound action
  • Toggle the profile on or off
  • Change the default inbound or outbound action

Connection Summary

The toolbar shows aggregated TCP connection counts by state, pulled live from Get-NetTCPConnection:

  • LISTEN - Sockets waiting for inbound connections
  • BOUND - Sockets bound but not yet listening
  • ESTABLISHED - Active connections in progress
  • CLOSE_WAIT - Connections being torn down

This complements Network Monitor when you want a quick health view from inside Firewall.

Export Rules

Export the current rule set (rules + profile state) to a JSON file. Useful for backup before bulk changes, sharing a configuration across machines, or auditing what's currently active.

Common Use Cases

Block telemetry. Stop chatty applications from sending usage data by blocking their outbound network access entirely.

Stop silent updates. Prevent apps from auto-updating without consent by blocking their connection paths.

Lock down public Wi-Fi. Tighten the Public profile when you're on an untrusted network, and relax it again at home.

Audit suspicious processes. Use the By Application view to see exactly what rules already exist for a given executable.
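
The same per-executable audit can be run against the native firewall from PowerShell by joining application filters to their rules. This is an added example, not Stealth's own code; the function name and the `OnDisk` column are assumptions made for illustration.

```powershell
# Added example: read-only audit of rules grouped by program path.
function Get-FirewallRulesByProgram {
    param(
        # Optional wildcard on the program path, e.g. '*\example.exe' (constructed value)
        [string]$ProgramLike = '*'
    )

    # Index every rule by InstanceID so the join is one hash lookup per filter.
    $rules = @{}
    foreach ($r in Get-NetFirewallRule) { $rules[$r.InstanceID] = $r }

    # Each application filter shares its InstanceID with the rule it belongs to.
    # 'Any' and 'System' are special values, not file paths, so they are skipped.
    Get-NetFirewallApplicationFilter -All |
        Where-Object { $_.Program -and $_.Program -notin 'Any', 'System' -and
                       $_.Program -like $ProgramLike } |
        ForEach-Object {
            $rule = $rules[$_.InstanceID]
            if ($rule) {
                # Rules often store paths with variables such as %ProgramFiles%.
                $path = [Environment]::ExpandEnvironmentVariables($_.Program)
                [pscustomobject]@{
                    Program     = $path
                    OnDisk      = Test-Path -LiteralPath $path
                    DisplayName = $rule.DisplayName
                    Direction   = $rule.Direction
                    Action      = $rule.Action
                    Enabled     = $rule.Enabled
                    Profile     = $rule.Profile
                }
            }
        } | Sort-Object Program, Direction, DisplayName
}

# Rules whose executable no longer exists are typical installer leftovers.
Get-FirewallRulesByProgram | Where-Object { -not $_.OnDisk } | Format-Table -AutoSize
```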

Working With VPN

Stealth Firewall and Stealth VPN work side by side. Combine them for layered protection: use the VPN for tunnel-level encryption, use the firewall to block specific apps from connecting at all, and use Split Tunneling to choose which apps go through the tunnel.

Best Practices

  • Start with the App Shortcuts before writing custom rules
  • Export rules before any large change so you can roll back
  • Audit periodically - Windows firewall accumulates rules from installers
  • Don't disable a profile entirely unless you understand the consequences
  • Run Stealth elevated for full access; mutations require admin