SysAdminDoc/PyWall

GitHub: SysAdminDoc/PyWall

Stars: 0 | Forks: 0

PyWall v4.1.0

A real-time Windows Firewall manager and network monitor.
Single-file Python app. WFC-style rule editor. Toast notifications. Threat detection. Plugin system.

## What Is This

PyWall is a desktop application that sits between you and Windows Firewall. It monitors every network connection in real time, shows you exactly what's talking to the internet, and lets you create or manage firewall rules without ever opening `wf.msc`.

It's a single `.py` file. No installer. No build step. Drop it anywhere and run it.

## Quick Start

```bash
# Clone and run (admin recommended)
git clone https://github.com/SysAdminDoc/PyWall.git
cd PyWall
python PyWall.py
```

Dependencies (`PyQt6`, `psutil`, `requests`) auto-install on first launch. PyWall also auto-elevates to admin and configures Windows firewall audit logging automatically.

## Features

### Live Connection Monitor

### WFC-Style Rules Panel

Full management of **all** Windows Firewall rules (not just ones PyWall created) through a split-pane interface with a sidebar for quick actions:

- Filter by source (PyWall / System), direction, action, enabled state
- Real-time search across rule names, programs, addresses, and ports
- Quick actions: Allow, Block, Enable, Disable, Delete, Duplicate, Properties
- Show invalid rules (missing exe) and detect duplicates
- Browse-to-Allow / Browse-to-Block shortcuts
- Open file location for any rule's program
- Rule editor with **auto-detected dropdowns** populated from live connections

### Toast Notifications

Desktop notifications for blocked connections and new apps. Each toast has one-click Block/Allow/Edit buttons. Expand for custom rule options (direction, action, type). All actions save immediately with no confirmation popups.

### Auto-Block

Toggle in the toolbar. Automatically creates block rules for flagged connections. Multi-layer deduplication prevents duplicate rules:

1. `FWManager._known_names` -- in-memory set of all rule names, synced on create/delete
2. `rule_exists()` gate on every quick-block helper
3. `_auto_blocked_ips` -- UI-level IP set seeded from existing rules on monitor start
4. `_auto_blocked_threats` -- separate dedup for the threat detector path

### Threat Detection

- Port scan detection (configurable unique-port threshold within a time window)
- Brute force detection (repeated blocked connection attempts)
- Custom IP/domain blocklist enforcement
- VirusTotal hash lookups (bring your own API key)
- Digital signature verification
- GeoIP novelty alerts (first connection to a new country)
- Unusual-hour connection detection

### Network Map

Animated visualization with traffic flow particles. Nodes represent active connections sized by activity. Color-coded by traffic category.

### Application Control

Per-app Allow / Block / Ask policies. See which apps are making connections, their paths, and command lines. Block All Unknown mode for lockdown environments.

### History & Timeline

SQLite-backed connection log with full-text search and filters (process, country, time range). Session tracking with duration and byte counts. Auto-pruning by configurable retention period.

### Scheduling

Time-based rule scheduling -- enable or disable rules on a cron-like schedule. Network profile auto-switching. DNS-level blocking. Bandwidth quota monitoring.

### Plugin System

Drop `.py` files into `%APPDATA%/PyWall/plugins/`. Plugins receive events: `start`, `stop`, `connection`, `block`. Four example plugins included:

| Plugin | Description |
|--------|-------------|
| Webhook Notifier | Send alerts to Slack, Discord, or Teams |
| CSV Logger | Daily CSV logs of connections and blocks |
| IP Reputation | Check IPs against AbuseIPDB |
| Connection Stats | Track per-session statistics |

### Themes

Seven built-in themes:

| Dark | Light |
|------|-------|
| Midnight | Light |
| Charcoal (default) | Frost |
| Slate | |
| Nord | |
| Graphite | |

### System Tray

Minimizing the window sends it to the system tray. Dynamic tray icon changes color based on state (idle / monitoring / warning / threat). The console window is hidden automatically in GUI mode.

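
An added sketch (not PyWall's own code) of two mechanisms described under Auto-Block and Threat Detection above: a sliding-window port-scan heuristic feeding an auto-blocker that refuses to create a second rule for the same IP. The class names, the threshold and window values, and the `AutoBlock-<ip>` rule name are assumptions, and the traffic is constructed.

```python
from collections import defaultdict, deque


class PortScanDetector:
    """Flag a remote IP that hits >= threshold distinct ports within window seconds."""

    def __init__(self, threshold=10, window=30.0):  # assumed values, not PyWall defaults
        self.threshold, self.window = threshold, window
        self._seen = defaultdict(deque)  # ip -> deque of (timestamp, port)

    def observe(self, ts, ip, port):
        q = self._seen[ip]
        q.append((ts, port))
        while ts - q[0][0] > self.window:  # slide the window forward
            q.popleft()
        return len({p for _, p in q}) >= self.threshold


class AutoBlocker:
    """Create at most one block rule per IP, however often the detector fires."""

    def __init__(self, existing_rule_names=()):
        # Seeded from rules already in the firewall, like an in-memory name cache.
        self.known_names = set(existing_rule_names)
        self.created = []  # stands in for the real firewall call

    def block(self, ip):
        name = f"AutoBlock-{ip}"  # hypothetical naming scheme
        if name in self.known_names:  # dedup gate
            return False
        self.known_names.add(name)
        self.created.append(name)
        return True


def sample_events():
    """Constructed traffic: one fast scan, one slow sweep, one busy single port."""
    scan = [(i * 0.5, "203.0.113.7", 20 + i) for i in range(15)]
    slow = [(i * 60.0, "198.51.100.9", 8000 + i) for i in range(15)]
    busy = [(float(i), "192.0.2.44", 443) for i in range(40)]
    return sorted(scan + slow + busy)


def run(events, blocker):
    detector = PortScanDetector()
    for ts, ip, port in events:
        if detector.observe(ts, ip, port):
            blocker.block(ip)
    return blocker.created


if __name__ == "__main__":
    print(run(sample_events(), AutoBlocker()))
```

The detector fires six times for the fast scan but only one rule is created; the slow sweep and the busy single-port client never reach the unique-port threshold, which is the trade-off a window size has to balance against false positives.
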
### Crash Recovery

If PyWall is terminated while monitoring, it auto-resumes on next launch.

## CLI Mode

PyWall works headless from the command line:

```bash
python PyWall.py block-ip 10.0.0.5 --dir Both
python PyWall.py allow-ip 8.8.8.8 --dir Outbound
python PyWall.py block-port 3389 --proto TCP
python PyWall.py allow-port 443 --proto TCP
python PyWall.py block-program "C:\Path\to\app.exe"
python PyWall.py allow-program "C:\Path\to\app.exe"
python PyWall.py list-rules
python PyWall.py health-check
python PyWall.py status
python PyWall.py export backup.json
python PyWall.py import backup.json
```

## Configuration

Settings live in `%APPDATA%/PyWall/config.json`. Key options:

| Setting | Default | Description |
|---------|---------|-------------|
| `theme` | `Charcoal` | UI theme |
| `tray` | `true` | Minimize to tray on close |
| `toast` | `true` | Desktop notifications |
| `toast_sec` | `10` | Auto-dismiss delay (seconds, 0 = manual) |
| `start_monitoring` | `false` | Auto-start monitor on launch |
| `history_days` | `30` | Connection history retention |
| `threat_auto_block` | `false` | Auto-block detected threats |
| `auto_block_inbound` | `true` | Block unsolicited inbound connections |
| `detect_portscan` | `true` | Port scan detection |
| `detect_bruteforce` | `true` | Brute force detection |
| `vt_api_key` | `""` | VirusTotal API key |

Full config export/import with diff preview is available in Settings.

## Requirements

| Requirement | Details |
|-------------|---------|
| OS | Windows 10 or 11 |
| Python | 3.10+ |
| Privileges | Administrator (auto-elevates on launch) |

### Dependencies

| Package | Purpose |
|---------|---------|
| `PyQt6` | GUI |
| `psutil` | Process and connection enumeration |
| `requests` | GeoIP, WHOIS, VirusTotal, plugin HTTP |

All three auto-install on first run if missing.

## Architecture

```
PyWall.py (~6,900 lines, single file)
```

**Runtime files** (auto-created in `%APPDATA%/PyWall/`):

```
config.json     Settings, app profiles, blocklists
history.db      SQLite connection history
sessions.db     SQLite session tracking
plugins/        User and example plugin scripts
```

### Internal Components

| Component | Role |
|-----------|------|
| `FWManager` | PowerShell-backed firewall CRUD with in-memory rule name cache |
| `ConnWorker` | Background thread polling `psutil.net_connections()` |
| `EvtWorker` | Windows Security Event Log monitor (audit events) |
| `DNSWorker` / `WhoWorker` / `GeoIPWorker` | Async resolution with LRU caches |
| `ThreatDetector` | Port scan and brute force heuristics |
| `AnomalyDetector` | GeoIP novelty, unusual hours, baseline deviation |
| `ReputationScorer` | Multi-signal scoring (VT, signatures, blocklists, GeoIP) |
| `TrafficCategorizer` | Hostname/process classification into categories |
| `RuleScheduler` | Cron-like rule enable/disable scheduling |
| `NetworkProfileManager` | Auto-switching between Domain/Private/Public |
| `PluginManager` | Dynamic plugin loading and event dispatch |
| `MainWindow` | PyQt6 GUI: 10 tabs, toasts, tray, WFC-style rule editor |

## License

[MIT](LICENSE)

## Acknowledgments

- [psutil](https://github.com/giampaolo/psutil) -- process and network utilities
- [PyQt6](https://www.riverbankcomputing.com/software/pyqt/) -- Qt6 Python bindings
- [ip-api.com](http://ip-api.com) -- GeoIP lookups
- [VirusTotal](https://www.virustotal.com) -- file reputation API
- Inspired by [Windows Firewall Control](https://www.binisoft.org/wfc) by Malwarebytes