Skip to content

ryanportfolio/SecureWall

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SecureWall

SecureWall is a Windows default-deny firewall derived from TinyWall. It keeps TinyWall's service-owned Windows Filtering Platform enforcement and adds a tightly scoped, bottom-right prompt when a previously unknown application or service is blocked while attempting an outbound connection.

The tray menu's Network Activity window refreshes every second and separates observed WFP decisions (Allowed / Blocked), exact TCP transport states, and local listening endpoints. Listening (local endpoint) deliberately does not claim that a port is externally reachable.

SecureWall is early development software. Do not install it on a machine you cannot recover locally. A firewall defect can interrupt networking or weaken host isolation.

Installer

Prerelease builds provide standard per-machine Windows installers:

  • SecureWall_x64.msi for normal Intel/AMD 64-bit Windows PCs.
  • SecureWall_arm64.msi for Windows on ARM.
  • SecureWall_x86.msi only for 32-bit Windows.

The installer copies the complete runtime, installs and starts the LocalSystem service, and starts the tray controller. It deliberately refuses to install while TinyWall is present. Keep TinyWall active until you are ready to test from a local console; then uninstall TinyWall, reboot, and run the matching SecureWall MSI.

Alpha installers are unsigned. Windows may show an unknown-publisher warning. Verify the MSI against the release's SHA256SUMS.txt before running it. Real WFP, reboot, and audit-policy behavior remains unverified until the matrix in docs/TESTING.md is complete.

Intended prompt behavior

  • Normal mode blocks inbound and outbound traffic unless an explicit exception applies.
  • Only outbound drops caused by SecureWall's default-block filters may produce prompts.
  • Allow outgoing creates a permanent outbound TCP/UDP exception for the service-owned subject represented by the prompt token.
  • Ignore, closing the prompt, or prompt expiry leaves policy unchanged.
  • Explicit user blocks, blocklists, inbound drops, and ambiguous shared-service identities are never converted into broad allow rules.

The implementation and verification plan is in docs/superpowers/plans/2026-07-14-securewall.md. The threat model and architecture are in docs/design/2026-07-14-securewall-design.md.

Build and test

SecureWall targets .NET Framework 4.8 and must be compiled with full Visual Studio MSBuild because it uses COM references. Run the dependency-free prompt/security harness first:

dotnet run --project tests\SecureWall.Core.Tests\SecureWall.Core.Tests.csproj
& "${env:ProgramFiles(x86)}\Microsoft Visual Studio\2022\BuildTools\MSBuild\Current\Bin\MSBuild.exe" TinyWall\TinyWall.csproj /t:Build /p:Configuration=Debug /p:RestorePackages=false

The debug-only /protocolselftest, /pipeintegrationtest, and /promptpreview switches verify IPC serialization, authenticated pipe exchange, and the synthetic popup without starting the service or changing WFP. WiX 3.14.1 is needed to build the MSI; tools\release\Build-SecureWallRelease.ps1 creates all three installers and their SHA-256 manifest without installing anything. tools\vm\Prepare-SecureWallVmBundle.ps1 packages the guarded real-firewall validation runner for an expendable Windows VM. Full commands and the privileged VM matrix are in docs/TESTING.md. Security and recovery rules are in docs/SECURITY.md.

Lineage and license

SecureWall is based on TinyWall 3.5.1, pinned to upstream commit 1df71b146d01d734d5b5a45a814b29e6a073f4d0. See UPSTREAM.md for provenance and modification notes.

The firewall application and this combined work are licensed under GNU GPL version 3; see LICENSE. Starter automation retained in .claude/, .agents/, and .codex/ remains under its separately preserved terms in LICENSES/STARTER-MIT.txt and any per-skill notices.

SecureWall is not TinyWall and is not endorsed by TinyWall's author.

About

SecureWall is a Windows default-deny firewall derived from TinyWall. It keeps TinyWall's service-owned Windows Filtering Platform enforcement and adds a tightly scoped, bottom-right prompt when a previously unknown application or service is blocked while attempting an outbound connection.

Resources

License

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors

Generated from ryanportfolio/AI-Firmware