An application firewall for Linux that gives you control over outbound network connections.
Bastion intercepts outbound connections and prompts you to allow or deny them per application. It features a high-performance Rust daemon with kernel-level eBPF process tracking and a Qt 6 control panel.
NEW in v2.0.33: One-Click Auto-Update - Easily install the latest version directly from the tray icon!
Target Platform: Zorin OS 18 / Ubuntu 24.04 LTS (Debian-based distributions)
- eBPF Process Tracking - Kernel-level hooks capture process info at connection creation (under 1 µs latency)
- Rust Daemon - High-performance, memory-safe packet processing
- Real-time Interception - iptables NFQUEUE integration
- GUI Popups - Instant allow/deny prompts with Qt 6
- Persistent Rules - Per-application rules in /etc/bastion/rules.json
- Learning Mode - Automatic rule discovery
- System Bypass - Root and systemd traffic exempted for stability
- Status-Aware Icons - Color-coded tray icons showing connection status, learning mode, and errors
- IPv6 Support - Full IPv6 packet processing for apt, traceroute, and IPv6-enabled apps
- Identifies short-lived connections (curl, wget) that timing-based methods miss
- /proc scanning fallback for compatibility
- Connection caching with TTL
- DNS Hostname Display - Shows destination hostname in popups (e.g., "google.com" instead of just IP)
- Duration Dropdown - Choose "This Time Only", "For This Session", or "Always" for each decision
- Enhanced Logs View - Structured columns (Time, App, Destination, Action, Reason) with filtering
- Allow from Logs - Click the icon on blocked log entries to create allow rules retroactively
- Inbound Firewall Protection - Automatic UFW integration or standalone INPUT rules
- mDNS Auto-Allow - No popups for local network discovery (.local hostnames)
- LAN Broadcast Auto-Allow - Automatic allow for broadcast traffic (Steam, DLNA, printers)
- Wildcard Port Rules - Apply rules to all ports for an application (e.g., Zoom, Slack)
- Rule Search & Filtering - Quickly find rules by app name, path, port, or action
- Import/Export Rules - Backup and restore your firewall rules
- Double-Click Actions - Toggle allow/deny directly in the rules table
- App Icons - Visual identification in rules table
- One-Click Auto-Update - Install the latest version instantly from the system tray menu
Download the latest .deb package from Releases and install:

```bash
sudo dpkg -i bastion-firewall_*.deb
sudo apt-get install -f   # Install dependencies if needed
```

Or build from source:
```bash
git clone https://github.com/shipdocs/bastion-firewall.git
cd bastion-firewall
./build_deb.sh
sudo dpkg -i bastion-firewall_*.deb
```

For development and testing:
```bash
git clone https://github.com/shipdocs/bastion-firewall.git
cd bastion-firewall
# Install dependencies
pip install -r requirements.txt
# Run tests
./run_tests.sh
# Or manually:
pip install -r test-requirements.txt
python -m pytest tests/
```

Requirements:
- Linux kernel 6.0+ with BTF support (check: ls /sys/kernel/btf/vmlinux)
- eBPF support enabled in kernel
- CAP_BPF and CAP_NET_ADMIN capabilities (daemon runs as root)
- Rust 1.75+ (stable + nightly toolchain)
- clang 18+
- llvm-18-dev
- bpf-linker (cargo install bpf-linker)
- kernel headers
- Python 3.10+
- PyQt6
- psutil>=5.9.0
- pystray>=0.19.0
- Pillow>=10.2.0
Launch from the application menu or run:

```bash
bastion-gui
```

The system tray icon provides access to the control panel where you can:
- View and manage rules
- Switch between learning and enforcement modes
- Monitor connection logs
Configuration is stored in /etc/bastion/config.json:

```json
{
  "mode": "learning",
  "timeout_seconds": 30,
  "allow_localhost": true
}
```

How a connection is processed:

```
Application calls connect()
              |
              v
+-----------------------------------------------+
| Kernel: tcp_v4_connect/udp_sendmsg            |
|              |                                |
| eBPF kprobe -> Capture PID + socket info      |
|              |                                |
| Store in BPF HashMap                          |
+-----------------------------------------------+
              |
              v
Packet sent -> iptables NFQUEUE
              |
              v
+-----------------------------------------------+
| Rust Daemon (bastion-daemon)                  |
|  - Query eBPF map (<1 µs)                     |
|  - Fallback to /proc if needed                |
|  - Check existing rules                       |
|  - Send GUI popup request                     |
+-----------------------+-----------------------+
                        | Unix socket
+-----------------------+-----------------------+
| Python GUI (bastion-gui)                      |
|  - Show allow/deny popup                      |
|  - Send decision to daemon                    |
|  - System tray management                     |
+-----------------------------------------------+
```
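The "/proc fallback" step in the flow above, written out as an added example (not Bastion's own code): a packet's 4-tuple is matched against /proc/net/tcp to get the socket's uid and inode, then /proc/*/fd is walked to find the owning PID. The /proc/net/tcp excerpt is constructed; the lookup returns no PID when the process has already exited, which is the curl/wget race the eBPF hook exists to close.

```python
"""Added example, not Bastion's own code: the /proc fallback used when the eBPF
map has no entry. SAMPLE_PROC_NET_TCP is a constructed excerpt of /proc/net/tcp."""
import os
import socket
import struct

# Real /proc/net/tcp layout: IPv4 addresses are little-endian hex (x86), ports are
# big-endian hex. Row 0 is a root listener, row 1 a uid-1000 flow to 142.250.190.46:443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:BF32 2EBEFA8E:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

def _decode_addr(field):
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Index every row by (local_ip, local_port, remote_ip, remote_port) -> (uid, inode)."""
    table = {}
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        table[_decode_addr(cols[1]) + _decode_addr(cols[2])] = (int(cols[7]), int(cols[9]))
    return table

def find_pid_for_inode(inode):
    """PID holding socket:[inode], or None when the owner already exited, which is
    exactly the curl/wget race that the eBPF kprobe closes."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if os.readlink(f"/proc/{pid}/fd/{fd}") == target:
                    return int(pid)
        except OSError:  # process gone mid-scan, or not ours to read
            continue
    return None

def attribute_connection(table, key):
    """Resolve a packet's 4-tuple to uid/inode/pid; None if /proc has no such row."""
    if key not in table:
        return None
    uid, inode = table[key]
    return {"uid": uid, "inode": inode, "pid": find_pid_for_inode(inode)}
```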
Bastion Firewall uses a unified shield icon design with color-coded status variants for instant visual feedback:
- Connected (Green) - Firewall is active and protecting your system
- Disconnected (Gray) - Firewall is stopped or daemon is not running
- Learning Mode (Blue) - Firewall is in learning mode, automatically discovering rules
- Error (Red) - Firewall encountered an error
- Warning (Orange) - Firewall needs attention
The icon is installed to /usr/share/icons/hicolor/scalable/apps/bastion-icon.svg and follows the freedesktop.org icon theme specification.
To uninstall:

```bash
sudo dpkg --purge bastion-firewall
```

See CONTRIBUTING.md for development setup and guidelines.
To create a new release (update versions, build packages, tag git, release on GitHub):
```bash
# 1. Update CHANGELOG.md with new notes
# 2. Run the release tool
./release_tool.sh 2.0.28
```

This requires rpm and gh CLI to be installed and authenticated.
- DNS Proxy/Sniffing - Implement a local DNS proxy or eBPF DNS sniffer to attribute connections to hostnames and processes more robustly.
- Advanced Rule Grouping - Group rules by application suites or categories.
- Network Profiles - Different rule sets for Home, Work, and Public networks.
Bastion Firewall is designed with transparency and user privacy as its core principles. Below are details on technical implementations that involve system-level monitoring:
Traditional process identification (via /proc scanning) is prone to timing attacks where short-lived processes (like curl or wget) complete their network request and exit before the firewall can identify them.
- How we use it: Bastion uses kernel-level eBPF kprobes to capture process metadata at the exact nanosecond a connection is requested.
- Privacy Focus: These hooks only capture the PID and the command name (comm) of the initiating process. No other system activity is monitored.
To provide meaningful popups, the firewall needs to know that an IP like 142.250.190.46 is actually google.com.
- How we use it: The daemon captures DNS responses locally to maintain a short-lived mapping of IP addresses to hostnames.
- Privacy Focus: This mapping is entirely local, transient (cleared on exit), and is only used to populate the "Destination" field in your alerts. No browsing history is logged or transmitted.
When an application connects to a raw IP address (not via DNS), Bastion may perform an optional lookup to identify the Organization/ISP.
- How we use it: An anonymous request is sent to a public IP-API.
- Privacy Focus: These lookups are only performed for unknown IPs to provide security context. No local identity tokens or tracking information are included in these requests.
The bastion-daemon requires root privileges (CAP_NET_ADMIN and CAP_BPF) to manage iptables rules and attach eBPF probes.
- Security Design: The GUI dashboard and tray icon run as a regular user. Communication between the GUI and the root daemon occurs over a hardened Unix socket with peer credential verification (SO_PEERCRED), ensuring only you can authorize firewall decisions.
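What SO_PEERCRED verification looks like on the daemon side, as an added example that is not Bastion's own code: the kernel reports the uid of the process at the other end of the Unix socket, so a decision is honoured only when that uid is the logged-in user's, regardless of what the message itself claims. The JSON message shape is an assumption, and a socketpair stands in for the real daemon socket so it runs offline.

```python
"""Added example, not Bastion's own code: SO_PEERCRED verification of the GUI
client before the root daemon accepts an allow/deny decision. The JSON message
shape is an assumption; a socketpair stands in for the real Unix socket."""
import json
import os
import socket
import struct

_UCRED = struct.Struct("3i")  # Linux struct ucred: pid_t pid; uid_t uid; gid_t gid

def peer_credentials(conn):
    """Kernel-supplied (pid, uid, gid) of the process on the other end of the socket."""
    return _UCRED.unpack(conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size))

def is_authorized_peer(conn, session_uid):
    """Only the logged-in user's own processes may answer popups; the uid cannot be
    forged by the client because the kernel fills it in, unlike a uid in the message."""
    _pid, uid, _gid = peer_credentials(conn)
    return uid == session_uid

def handle_decision(conn, session_uid):
    """Read one decision from the GUI and accept it only from the verified peer."""
    if not is_authorized_peer(conn, session_uid):
        return {"accepted": False, "reason": "peer uid mismatch"}
    msg = json.loads(conn.recv(4096).decode())
    if msg.get("action") not in ("allow", "deny"):
        return {"accepted": False, "reason": "bad action"}
    return {"accepted": True, "action": msg["action"], "app": msg.get("app")}

def demo(session_uid, action="allow"):
    """Simulate GUI -> daemon over a socketpair (constructed; same process on both ends)."""
    daemon_side, gui_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        gui_side.sendall(json.dumps({"action": action, "app": "/usr/bin/curl", "port": 443}).encode())
        return handle_decision(daemon_side, session_uid)
    finally:
        daemon_side.close()
        gui_side.close()
```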
GPL-3.0. See LICENSE for details.
