🏰 Your Last Line of Defense

Production-ready application firewall built for Zorin OS 18. Like a medieval bastion protecting a fortress, Bastion stands guard over your network connections, giving you the control you had on Windows.

✅ Stable Release

v1.4.0

Major Security Audit Release

Download Stable

🧪 Pre-release

v1.4.1

GUI & Tray Improvements

View Pre-releases

Get Started View on GitHub

🔒

Secure by Default

⚡

Real-time Protection

🎯

Per-App Control

🚨 The Problem

Linux by default allows ALL outbound connections. Any application can connect to any server without your knowledge or permission. This is a security risk.

✅ The Solution

Bastion intercepts every outbound connection and shows you a GUI popup. You decide which applications can access the network - Allow or Deny, Once or Always.

Production-Ready Features

🔌

Real Packet Interception

Integrates with netfilter/iptables NFQUEUE to intercept actual packets in real-time

🔍

Application Identification

Matches packets to processes via /proc filesystem for accurate app detection

⚡

Fast Decision Engine

Cached rules provide instant decisions for known connections

🎨

Beautiful GUI

Enhanced dialogs show hostname, port description, process info, and risk level

⚙️

Control Panel

Full-featured GUI with beautiful progress dialogs, instant rule reload, and pkexec integration for secure permissions

🛡️

Decoupled Architecture

Internal rule engine prevents conflicts with system firewall; UFW handles inbound, Bastion handles outbound.

⏱️

Timeout Protection

Auto-deny after 30 seconds (configurable) to prevent hanging connections

🔐

Learning Mode

Safe testing mode that shows popups but always allows connections. Rules are automatically saved!

💾

Auto-Save Rules

All decisions are saved immediately to disk, even in learning mode. No data loss on restart!

🎯

Interactive Installation

Guided setup with whiptail dialogs - choose mode, autostart, and start now during installation

⚡

Instant Rule Reload

Delete rules and they take effect immediately via SIGHUP - no restart needed!

Two-Process Architecture

🔧 Bastion Daemon (Root)

Intercepts packets via NetfilterQueue
Identifies applications via eBPF/proc
Checks whitelist & cached rules
Internal decision engine (Decoupled from UFW)

⬍

🖥️ GUI Client (User)

Shows popup dialogs with DISPLAY access
System tray icon with menu
Sends decisions back to daemon
Control panel for management

Application tries to connect

→

Packet queued to NFQUEUE

→

Daemon identifies app

→

GUI shows popup

→

User decides

Quick Installation

Recommended

📦 Install from .deb Package

# Download the latest .deb from GitHub Releases page
# Then install with:
sudo dpkg -i bastion-firewall_*.deb

# Fix dependencies if needed
sudo apt-get install -f

Download Stable All Releases

🔧 Build from Source

# Clone the repository
git clone https://github.com/shipdocs/bastion-firewall.git
cd bastion-firewall

# Build the package
./build_deb.sh

# Install the generated .deb
sudo dpkg -i bastion-firewall_*.deb

# Fix dependencies if needed
sudo apt-get install -f

System Requirements

OS: Zorin OS 18 (or any Debian-based distribution)

Python: 3.6 or higher

Display: X11 or Wayland

Privileges: Root/sudo access

How to Use

1️⃣

Start the Firewall

Search for "Bastion Firewall" in your application menu and click to launch. The tray icon will appear automatically.

2️⃣

See Connection Requests

When an app tries to connect, a popup appears showing the application name, destination, and risk level.

3️⃣

Make Your Decision

Choose "Allow Once", "Allow Always", or "Deny". Your decision is saved and applied instantly.

4️⃣

Manage Rules

Open the Control Panel to view, edit, or delete saved rules. Monitor logs and adjust settings.

Screenshots

System Status

Live overview of outbound and inbound protection with real-time statistics

Firewall Rules

Manage per-application rules with allow/deny actions

Connection Logs

View recent connection activity and daemon events

Settings

Configure learning mode, startup behavior, and UFW integration