Your Last Line of Defense

Production-ready application firewall with a high-performance Rust daemon and kernel-level eBPF for <1µs process identification. Like a medieval bastion protecting a fortress, Bastion stands guard over your network connections, giving you complete control over outbound traffic.

v2.0.33 Released!
NEW: One-Click Auto-Update, full IPv6 support, duration dropdown for decisions, enhanced logs view with filtering, and create allow rules from blocked entries. Plus DNS snooping, LAN broadcast auto-allow, and eBPF process tracking.

Stable Release: v2.0.33 (The Auto-Update Release)
Pre-release: v1.4.1 (GUI & Tray Improvements)

Secure by Default
Real-time Protection
Per-App Control

The Problem

Linux by default allows ALL outbound connections. Any application can connect to any server without your knowledge or permission. This is a security risk.

The Solution

Bastion intercepts every outbound connection and shows you a GUI popup. You decide which applications can access the network - Allow or Deny, Once or Always.

Production-Ready Features

Real Packet Interception

Integrates with netfilter/iptables NFQUEUE to intercept actual packets in real-time

eBPF Process Tracking

Kernel-level hooks capture process info at connection creation with ~<1µs latency - solves timing issues with short-lived connections

Rust Daemon

High-performance memory-safe daemon with eBPF + /proc fallback for maximum compatibility

Enhanced Context

Dialogs show Organization/ISP info for unknown IPs, reverse DNS hostnames, and risk levels.

Control Panel

Full-featured GUI with beautiful progress dialogs, instant rule reload, and pkexec integration for secure permissions

Decoupled Architecture

Internal rule engine prevents conflicts with system firewall; UFW handles inbound, Bastion handles outbound.

Timeout Protection

Auto-deny after 60 seconds (configurable) to prevent hanging connections

Learning Mode

Safe testing mode that shows popups but always allows connections. Rules are automatically saved!

Auto-Save Rules

All decisions are saved immediately to disk, even in learning mode. No data loss on restart!

Wildcard Port Rules

Allow or deny an application on ALL ports with a single rule - perfect for Zoom, Slack, Teams

Inbound Protection

Automatic inbound firewall via UFW integration or standalone INPUT rules - blocks unsolicited connections

mDNS Auto-Allow

No popups for local network discovery - .local hostnames just work out of the box

Interactive Installation

Guided setup with whiptail dialogs - choose mode, autostart, and start now during installation

Instant Rule Reload

Delete rules and they take effect immediately via SIGHUP - no restart needed!

Two-Process Architecture

Bastion Daemon (Root)

  • Intercepts packets via NetfilterQueue
  • Identifies applications via eBPF/proc
  • Checks whitelist & cached rules
  • Internal decision engine (Decoupled from UFW)

GUI Client (User)

  • Shows popup dialogs with DISPLAY access
  • System tray icon with menu
  • Sends decisions back to daemon
  • Control panel for management

1. Application tries to connect
2. Packet queued to NFQUEUE
3. Daemon identifies app
4. GUI shows popup
5. User decides
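
An added example, not Bastion's own code, of how a /proc-based lookup of the kind the daemon falls back on can map a queued connection to a PID, and why it cannot attribute short-lived connections. Function names, the sample table and the PIDs are constructed for illustration; the address decoding assumes a little-endian host such as the amd64 target listed under System Requirements.

```rust
use std::net::Ipv4Addr;

// Constructed sample in /proc/net/tcp layout (not captured from a real host).
const SAMPLE_PROC_NET_TCP: &str = "\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20111 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:C350 0A7100CB:01BB 02 00000000:00000000 00:00000000 00000000  1000        0 48213 1 0000000000000000 100 0 0 10 0
";

/// Decode "0F02000A:C350" into (10.0.2.15, 50000). Assumes a little-endian host.
fn parse_endpoint(field: &str) -> Option<(Ipv4Addr, u16)> {
    let (addr_hex, port_hex) = field.split_once(':')?;
    let addr = u32::from_str_radix(addr_hex, 16).ok()?;
    let port = u16::from_str_radix(port_hex, 16).ok()?;
    Some((Ipv4Addr::from(addr.to_le_bytes()), port))
}

/// Step 1: find the inode of the socket that owns this outbound flow.
fn find_socket_inode(table: &str, lport: u16, raddr: Ipv4Addr, rport: u16) -> Option<u64> {
    table.lines().skip(1).find_map(|line| {
        let f: Vec<&str> = line.split_whitespace().collect();
        if f.len() < 10 { return None; }
        let (_, lp) = parse_endpoint(f[1])?;
        let (ra, rp) = parse_endpoint(f[2])?;
        if (lp, ra, rp) != (lport, raddr, rport) { return None; }
        // Inode 0 means the socket is no longer attached to a process (e.g. TIME_WAIT).
        f[9].parse::<u64>().ok().filter(|inode| *inode != 0)
    })
}

/// Step 2: match the inode against /proc/<pid>/fd link targets such as "socket:[48213]".
fn find_owner_pid(fd_links: &[(u32, &str)], inode: u64) -> Option<u32> {
    let want = format!("socket:[{}]", inode);
    fd_links.iter().find(|(_, target)| *target == want).map(|(pid, _)| *pid)
}

/// Full lookup; None means the connection cannot be attributed to a process.
fn identify(table: &str, fds: &[(u32, &str)], lport: u16, raddr: Ipv4Addr, rport: u16) -> Option<u32> {
    find_owner_pid(fds, find_socket_inode(table, lport, raddr, rport)?)
}

fn main() {
    let fds: [(u32, &str); 2] = [(1412, "socket:[20111]"), (7731, "socket:[48213]")];
    let dst = Ipv4Addr::new(203, 0, 113, 10);
    println!("{:?}", identify(SAMPLE_PROC_NET_TCP, &fds, 50000, dst, 443));
    // Short-lived connection: the socket row is gone before the daemon reads /proc.
    let header_only = SAMPLE_PROC_NET_TCP.lines().next().unwrap();
    println!("{:?}", identify(header_only, &fds, 50000, dst, 443));
}
```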

Quick Installation

Build from Source

# Clone the repository
git clone https://github.com/shipdocs/bastion-firewall.git
cd bastion-firewall

# Build the package
./build_deb.sh

# Install the generated .deb
sudo dpkg -i bastion-firewall_*.deb

# Fix dependencies if needed
sudo apt-get install -f

System Requirements

OS: Ubuntu 22.04+, Debian 12+, or compatible
Kernel: Linux 6.0+ with BTF support (for eBPF)
Architecture: amd64 (x86_64)
RAM: 2GB minimum (4GB recommended)
Display: X11 or Wayland
Privileges: Root/sudo access

How to Use

1. Start the Firewall

Search for "Bastion Firewall" in your application menu and click to launch. The tray icon will appear automatically.

2. See Connection Requests

When an app tries to connect, a popup appears showing the application name, destination, and risk level.

3. Make Your Decision

Choose "Allow Once", "Allow Always", or "Deny". Your decision is saved and applied instantly.

4. Manage Rules

Open the Control Panel to view, edit, or delete saved rules. Monitor logs and adjust settings.

Screenshots

System Status

Live overview of outbound and inbound protection with real-time statistics

Firewall Rules

Manage per-application rules with allow/deny actions

Connection Logs

View recent connection activity and daemon events

Settings

Configure learning mode, startup behavior, and UFW integration

Built For

Ubuntu 22.04+, Debian 12+, Linux Mint 21+, Pop!_OS 22.04+, Zorin OS 17+, Elementary OS 7+

Ready to Defend Your System?

Start protecting your Linux system with Bastion - Your Last Line of Defense.