SecureWall is a Windows default-deny firewall derived from TinyWall. It keeps TinyWall's service-owned Windows Filtering Platform enforcement and adds a tightly scoped, bottom-right prompt when a previously unknown application or service is blocked while attempting an outbound connection.
The tray menu's Network Activity window refreshes every second and separates observed WFP decisions (Allowed / Blocked), exact TCP transport states, and local listening endpoints. Listening (local endpoint) deliberately does not claim that a port is externally reachable.
SecureWall is early development software. Do not install it on a machine you cannot recover locally. A firewall defect can interrupt networking or weaken host isolation.
Prerelease builds provide standard per-machine Windows installers:
SecureWall_x64.msifor normal Intel/AMD 64-bit Windows PCs.SecureWall_arm64.msifor Windows on ARM.SecureWall_x86.msionly for 32-bit Windows.
The installer copies the complete runtime, installs and starts the LocalSystem service, and starts the tray controller. It deliberately refuses to install while TinyWall is present. Keep TinyWall active until you are ready to test from a local console; then uninstall TinyWall, reboot, and run the matching SecureWall MSI.
Alpha installers are unsigned. Windows may show an unknown-publisher warning. Verify the MSI against the release's SHA256SUMS.txt before running it. Real WFP, reboot, and audit-policy behavior remains unverified until the matrix in docs/TESTING.md is complete.
- Normal mode blocks inbound and outbound traffic unless an explicit exception applies.
- Only outbound drops caused by SecureWall's default-block filters may produce prompts.
- Allow outgoing creates a permanent outbound TCP/UDP exception for the service-owned subject represented by the prompt token.
- Ignore, closing the prompt, or prompt expiry leaves policy unchanged.
- Explicit user blocks, blocklists, inbound drops, and ambiguous shared-service identities are never converted into broad allow rules.
The implementation and verification plan is in docs/superpowers/plans/2026-07-14-securewall.md. The threat model and architecture are in docs/design/2026-07-14-securewall-design.md.
SecureWall targets .NET Framework 4.8 and must be compiled with full Visual Studio MSBuild because it uses COM references. Run the dependency-free prompt/security harness first:
dotnet run --project tests\SecureWall.Core.Tests\SecureWall.Core.Tests.csproj
& "${env:ProgramFiles(x86)}\Microsoft Visual Studio\2022\BuildTools\MSBuild\Current\Bin\MSBuild.exe" TinyWall\TinyWall.csproj /t:Build /p:Configuration=Debug /p:RestorePackages=falseThe debug-only /protocolselftest, /pipeintegrationtest, and /promptpreview switches verify IPC serialization, authenticated pipe exchange, and the synthetic popup without starting the service or changing WFP. WiX 3.14.1 is needed to build the MSI; tools\release\Build-SecureWallRelease.ps1 creates all three installers and their SHA-256 manifest without installing anything. tools\vm\Prepare-SecureWallVmBundle.ps1 packages the guarded real-firewall validation runner for an expendable Windows VM. Full commands and the privileged VM matrix are in docs/TESTING.md. Security and recovery rules are in docs/SECURITY.md.
SecureWall is based on TinyWall 3.5.1, pinned to upstream commit 1df71b146d01d734d5b5a45a814b29e6a073f4d0. See UPSTREAM.md for provenance and modification notes.
The firewall application and this combined work are licensed under GNU GPL version 3; see LICENSE. Starter automation retained in .claude/, .agents/, and .codex/ remains under its separately preserved terms in LICENSES/STARTER-MIT.txt and any per-skill notices.
SecureWall is not TinyWall and is not endorsed by TinyWall's author.