What is NetClamp

NetClamp is a Windows per-application network firewall and bandwidth governor. It lets you block, allow, or rate-limit any executable’s network traffic via WFP filters and an optional kernel-mode shaper.

What it does

Capability: what it means

  • Block per app: BLOCK BOTH rule on C:\\Path\\To\\App.exe stops it from reaching any network endpoint, in either direction.

  • Allow per app, narrow by address/port/protocol: ALLOW with remote_address, remote_port, protocol=TCP|UDP lets the app talk only to the endpoints you whitelist.

  • Rate-limit bandwidth: RATE_LIMIT with down_bytes_per_sec and/or up_bytes_per_sec caps throughput. The kernel driver enforces precisely; the userspace hysteresis fallback is coarser but always available.

  • Hourly / daily / weekly / monthly quotas: Cumulative byte budgets per app. Hitting a quota emits an SSE alert and (optionally) flips a paired rule from ALLOW to RATE_LIMIT.

  • Rule groups + HTTPS subscriptions: JSON bundles of rules + quotas, installable from disk or auto-refreshed from a signed HTTPS URL. Useful for shared base configs across a fleet.
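
An added example, not NetClamp's own code: a pre-deployment check that flags ALLOW rules not narrowed by address, port and protocol, and RATE_LIMIT rules that set no cap, before a bundle is shared across machines. The field names come from the capability descriptions above; the bundle layout (rules, app, action), the sample paths, and accepting an IP or CIDR in remote_address are assumptions.

```python
import ipaddress
import json

# Constructed sample bundle. remote_address, remote_port, protocol and the
# *_bytes_per_sec names are from the page; the "rules"/"app"/"action" layout is assumed.
SAMPLE_BUNDLE = json.dumps({"rules": [
    {"app": r"C:\Apps\sync.exe", "action": "ALLOW", "remote_address": "10.20.0.5", "remote_port": 443, "protocol": "TCP"},
    {"app": r"C:\Apps\updater.exe", "action": "ALLOW"},
    {"app": r"C:\Apps\backup.exe", "action": "ALLOW", "remote_address": "0.0.0.0/0", "remote_port": 443, "protocol": "TCP"},
    {"app": r"C:\Apps\video.exe", "action": "RATE_LIMIT"},
    {"app": r"C:\Apps\chat.exe", "action": "ALLOW", "remote_address": "not-an-ip", "remote_port": 70000, "protocol": "ICMP"},
]})

def audit_rule(rule):
    """Return a list of findings for one rule dict (empty list means no findings)."""
    action, findings = rule.get("action"), []
    if action not in ("BLOCK", "ALLOW", "RATE_LIMIT"):
        return [f"unknown action {action!r}"]
    if action == "ALLOW":
        addr = rule.get("remote_address")
        if addr is None:
            findings.append("ALLOW without remote_address: any endpoint is reachable")
        else:
            try:
                if ipaddress.ip_network(addr, strict=False).prefixlen == 0:
                    findings.append("remote_address covers every address")
            except ValueError:
                findings.append(f"remote_address {addr!r} is not an IP or CIDR")
        port = rule.get("remote_port")
        if port is None:
            findings.append("ALLOW without remote_port: every port is reachable")
        elif not (isinstance(port, int) and 1 <= port <= 65535):
            findings.append(f"remote_port {port!r} is out of range")
        if rule.get("protocol") not in ("TCP", "UDP"):
            findings.append(f"protocol {rule.get('protocol')!r} is not TCP or UDP")
    if action == "RATE_LIMIT":
        caps = [rule.get(k) for k in ("down_bytes_per_sec", "up_bytes_per_sec")]
        if not any(isinstance(c, int) and c > 0 for c in caps):
            findings.append("RATE_LIMIT sets no positive byte cap")
    return findings

def audit_bundle(text):
    """Map each app path to its findings; apps whose rules are clean are omitted."""
    report = {}
    for rule in json.loads(text)["rules"]:
        if found := audit_rule(rule):
            report.setdefault(rule.get("app", "<no app>"), []).extend(found)
    return report

print(json.dumps(audit_bundle(SAMPLE_BUNDLE), indent=2))
```
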

Who it’s for

  • Power users who want to know exactly which app is using their bandwidth and clamp the noisy ones.

  • Developers and SREs who need scripted, per-app limits — the CLI and REST API expose everything the SPA does.

  • Small-team admins using rule subscriptions to push a curated set of "block dev/test from prod IPs" rules to multiple machines.

Who it’s not for

  • Whole-machine firewall — that’s Windows Firewall’s job. NetClamp sits alongside it; the two compose cleanly.

  • Network-wide policy — NetClamp is host-local. For LAN-level control, use an OPNsense / pfSense gateway.

  • macOS / Linux — NetClamp is Windows-only by design. The Windows Filtering Platform (WFP) does the heavy lifting and has no portable equivalent.

How it compares

  • NetLimiter (commercial) — closest peer. NetClamp adds quotas, signed rule subscriptions, a credit-based licence model (no subscriptions), and a documented REST/gRPC API.

  • GlassWire — visualisation-only. NetClamp can both see and enforce.

  • Windows Firewall — block/allow per app, but no rate limiting, no quotas, no per-app rate metering, no rule subscriptions.

What you install

A single signed installer drops:

  • A background service that does the work and serves the local web UI.

  • A tray icon for at-a-glance up/down rates and a quick-throttle flyout.

  • A netclamp command-line tool for scripting.

  • A local API (REST + gRPC) on loopback addresses, bearer-token authenticated.

Nothing phones home. Everything runs on the local machine.

Status

NetClamp is currently pre-release. Pricing, the installer download, and the signed kernel driver are all in flight. Watch netclamp.com for the public launch.