v2.3 — Aurora UI · Demo mode · Live validation

Your firewall.
Your rules.
No surprises.

Linux firewall management with a web interface — built for 2026. Go, nftables via direct netlink, two-process privilege isolation, Argon2id auth. Security problems addressed at the root.

Go 1.25 · GPL-3.0 · nftables via netlink · Argon2id auth

Why easywall exists

Configuring a Linux firewall is one of those tasks that sits awkwardly between "trivially easy" and "production-critical". The tools are powerful, the syntax is dense, and the consequences of getting it wrong range from "service unreachable" to "operator locked out permanently". easywall exists to make this everyday operation safe, visible, and reversible — without hiding what's actually happening in the kernel.

The problem

Linux servers and developer laptops remain high-value targets, and many hosting providers offer no upstream firewall. Configuring nftables by hand is error-prone — one wrong rule and you're locked out of your own server. Tools that simplify this are scarce, often unmaintained, and historically not built with security as the primary goal.

The backstory

The original easywall (Python/Flask/iptables) was archived in 2022 after a CVE. Two structural decisions caused that vulnerability: the entire stack ran as a single root process, and rule application went through subprocess calls to iptables with user-controlled arguments. A flaw anywhere in the web layer was a flaw in the firewall.

The rewrite

This Go rewrite addresses both root causes. Two processes with structural privilege isolation: the web UI runs unprivileged, the firewall daemon runs as root, and they speak only a typed JSON protocol over a Unix socket. Rules go to nftables via direct netlink — no nft subprocess in the apply path, no shell to escape.

Built for production, not just convenience

Most firewall-management tools optimise for speed of getting started. easywall optimises for what happens after — when the rules are running on a server you cannot easily reach, and a wrong move means a four-hour drive to a data centre or a long support ticket with your hosting provider. Every design choice in easywall traces back to that scenario.

01

Privilege isolation by design

The web UI process runs as an unprivileged user. It has no kernel access, no CAP_NET_ADMIN, no way to invoke nft. A vulnerability in template rendering, form parsing, or session handling cannot escalate to firewall manipulation, because the privileges live in a separate process the web UI talks to over a typed Unix socket.

02

No subprocess in the apply path

Rules are constructed as Go structs and applied via the google/nftables netlink library — direct kernel API, no shell to escape, no argv to inject into. The only exception is custom rules, which are passed to nft -f - over stdin (still no argv injection) and run only in the privileged core.
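To make concrete what the privilege split in 01 and the struct-based rules in 02 buy you, here is an added example (not easywall's code: the Rule, Request and Response types, the field allowlists and the add_rule operation are assumptions made for illustration) of the daemon side accepting only typed, re-validated requests from the UI. net.Pipe stands in for the Unix socket so it runs without root or nftables.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net"
)

// Rule is the typed form in which the unprivileged UI describes a rule to the
// privileged daemon: constrained fields, never nft syntax or a command line.
// Hypothetical types, not easywall's own protocol.
type Rule struct {
	Proto  string `json:"proto"`  // "tcp" or "udp"
	Port   uint16 `json:"port"`   // 1..65535
	Action string `json:"action"` // "accept" or "drop"
}

// Request is the envelope on the socket; Response is the daemon's answer.
type Request struct {
	Op   string `json:"op"` // "add_rule" in this example
	Rule *Rule  `json:"rule,omitempty"`
}

type Response struct {
	OK    bool   `json:"ok"`
	Error string `json:"error,omitempty"`
}

// Validate runs on the privileged side, which assumes the UI process may be
// compromised and accepts only values from its own allowlists.
func (r *Rule) Validate() error {
	switch {
	case r == nil:
		return errors.New("missing rule")
	case r.Proto != "tcp" && r.Proto != "udp":
		return fmt.Errorf("unsupported proto %q", r.Proto)
	case r.Port == 0:
		return errors.New("port must be 1-65535")
	case r.Action != "accept" && r.Action != "drop":
		return fmt.Errorf("unsupported action %q", r.Action)
	}
	return nil
}

// Handle dispatches one decoded request. A real daemon would build nftables
// expressions from the validated struct here; this example stops at validation.
func Handle(req Request) Response {
	switch req.Op {
	case "add_rule":
		if err := req.Rule.Validate(); err != nil {
			return Response{Error: err.Error()}
		}
		return Response{OK: true}
	default:
		return Response{Error: "unknown op " + req.Op}
	}
}

// ServeConn is the daemon side: JSON requests in, one JSON response per request
// out. Unknown fields are rejected and any decode error ends the session.
func ServeConn(c net.Conn) {
	defer c.Close()
	dec := json.NewDecoder(c)
	dec.DisallowUnknownFields()
	enc := json.NewEncoder(c)
	for {
		var req Request
		if err := dec.Decode(&req); err != nil {
			return
		}
		if err := enc.Encode(Handle(req)); err != nil {
			return
		}
	}
}

// RoundTrip plays the UI side against an in-process daemon over net.Pipe, which
// stands in for the Unix socket so the example runs without root.
func RoundTrip(reqs []Request) ([]Response, error) {
	ui, daemon := net.Pipe()
	go ServeConn(daemon)
	defer ui.Close()
	enc, dec := json.NewEncoder(ui), json.NewDecoder(ui)
	var out []Response
	for _, req := range reqs {
		if err := enc.Encode(req); err != nil {
			return out, err
		}
		var resp Response
		if err := dec.Decode(&resp); err != nil {
			return out, err
		}
		out = append(out, resp)
	}
	return out, nil
}
```

The point to notice is that the UI can only ever say "tcp, port 22, accept" as typed fields; the daemon re-validates each field against its own allowlist, so a compromised web process has no channel through which arbitrary nft syntax could reach the kernel. DisallowUnknownFields turns a request carrying fields the daemon does not know into a protocol error rather than something silently ignored.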

03

Reversible by inaction

Applying rules starts an acceptance timer. If you don't explicitly confirm within the window (default 120 seconds, configurable), the previous rules are restored automatically. Misconfigure a rule that locks you out of SSH? Wait. The lockout reverts. This is the commit confirmed pattern from Cisco IOS, made the default workflow.

04

Three-state rule storage

Rules live in three parallel sets at all times: Current (running in the kernel), Staged (your editor changes), and Backup (last-known-good). You see exactly what's pending, what's live, and what you'd revert to. No accidental kernel writes, no "did I save that?" doubt.
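The acceptance timer in 03 and the three-set store in 04 are two halves of one mechanism, so this added example implements them together. It is illustration code, not easywall's implementation: the RuleStore, Applier and MemApplier names are assumptions, the kernel write is replaced by an in-memory recorder, and the window is shortened from the default 120 seconds for the demo.

```go
package main

import (
	"errors"
	"sync"
	"time"
)

type Rule struct {
	Proto  string
	Port   uint16
	Action string
}

// Applier is the kernel write behind an interface so the example runs without
// nftables; MemApplier records every set it was asked to apply.
type Applier interface{ Apply(rules []Rule) error }
type MemApplier struct{ Applied [][]Rule }

func (m *MemApplier) Apply(rules []Rule) error {
	m.Applied = append(m.Applied, clone(rules))
	return nil
}

func clone(r []Rule) []Rule { return append([]Rule(nil), r...) }

// RuleStore holds the three sets named on the page: Current (in the kernel),
// Staged (editor), Backup (last known good). Hypothetical implementation.
type RuleStore struct {
	mu                      sync.Mutex
	current, staged, backup []Rule
	applier                 Applier
	timer                   *time.Timer
	pending                 bool   // an apply is waiting for confirmation
	gen                     uint64 // per-apply counter so a stale timer cannot fire
}

func NewRuleStore(a Applier, current []Rule) *RuleStore {
	return &RuleStore{applier: a, current: clone(current), backup: clone(current)}
}

// Stage replaces the editor set; nothing touches the kernel.
func (s *RuleStore) Stage(rules []Rule) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.staged = clone(rules)
}

// Apply pushes Staged to the kernel and opens the acceptance window. Unless
// Confirm is called before it closes, Backup is re-applied automatically.
func (s *RuleStore) Apply(window time.Duration) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.pending {
		return errors.New("previous apply still awaiting confirmation")
	}
	if err := s.applier.Apply(s.staged); err != nil {
		return err
	}
	s.backup, s.current = clone(s.current), clone(s.staged)
	s.pending = true
	s.gen++
	gen := s.gen
	s.timer = time.AfterFunc(window, func() { s.expire(gen) })
	return nil
}

// Confirm keeps the running set and cancels the pending rollback.
func (s *RuleStore) Confirm() error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.pending {
		return errors.New("nothing to confirm")
	}
	s.timer.Stop()
	s.pending = false
	return nil
}

// expire is the timer callback: if apply number gen is still unconfirmed,
// the last known good set goes back into the kernel.
func (s *RuleStore) expire(gen uint64) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.pending || s.gen != gen {
		return // confirmed in time, or superseded
	}
	s.pending = false
	if err := s.applier.Apply(s.backup); err == nil {
		s.current = clone(s.backup) // Staged is kept so the mistake can be fixed
	}
}

// State returns copies of the three sets plus whether a confirmation is pending.
func (s *RuleStore) State() (current, staged, backup []Rule, pending bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	return clone(s.current), clone(s.staged), clone(s.backup), s.pending
}
```

Two details carry the safety story: Apply refuses to open a second window while one is pending, so Backup always points at a set that was confirmed to work, and the timer callback checks a generation counter so a timer that fires in the same instant the operator confirms cannot roll back a later apply. Staged survives a rollback on purpose; the operator gets to fix the rule rather than retype it.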

05

Auditable

Every administrative action — every rule save, apply, rollback, options change, settings change — is recorded in audit.log with a timestamp, the action type, and the user. The web UI exposes the last 200 entries; the file on disk goes back forever. Pair it with your SIEM or just tail -f it in a shell.

06

Coexists with Docker

easywall manages its own nftables table (inet easywall) and never touches Docker's chains. You can detect Docker bridge networks automatically and whitelist them, or manage them manually. The two firewall systems do not interfere — neither writes into the other's tables.

What you get

🔗

nftables via netlink

Direct kernel API — no subprocess, no shell injection risk.

🔄

Two-step activation

Apply rules, confirm over SSH — auto-rollback on timeout.

🐳

Docker coexistence

Own table inet easywall — never touches Docker's chains.

🛡️

Protection modules

SYN flood, port scan, bogon filter, ICMP flood, and more.

📋

Audit log

Every change recorded with timestamp, action, rule type, and user.

🌍

i18n

English & German, extensible via JSON locale files.

📦

Export / Import

Full JSON rule backups — downloadable and re-uploadable.

🧪

Demo mode

Run the UI in-memory with no daemon — perfect for evaluation.

The technical foundation

easywall is opinionated about its tech choices because each one has a security or operability story behind it. There are no surprising dependencies and nothing chosen for fashion.

Language: Go 1.25
Statically linked binaries, no runtime dependencies on the target machine. Memory-safe.

Firewall API: nftables (netlink)
Direct kernel interface via google/nftables. No nft subprocess in the apply path.

Auth: Argon2id
OWASP-recommended password hash. The original easywall used a weak hash.

Sessions: gorilla/sessions
HMAC-signed cookies, HttpOnly + Secure + SameSite=Lax flags, 7-day lifetime.

CSRF: Origin-check
Go 1.25 net/http.CrossOriginProtection. Validates Origin and Sec-Fetch-Site on every state-changing request.

UI: Tailwind v4 + DaisyUI 5.5
Modern component library, custom Aurora theme. Hand-rolled CSS retired entirely.

Interactions: HTMX 2.0
Live validation, auto-save, audit log filter — all without a JavaScript framework or build pipeline.

License: GPL-3.0
Free software, copyleft. Source available on GitHub. Patches and bug reports welcome.
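For the Sessions and CSRF rows above, here is an added example, not easywall's code and not the standard library's CrossOriginProtection either: it approximates that type's decision rules by hand so they are visible on the page. The cookie name, the path and the AllowedRequest, Protect and SessionCookie names are assumptions.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// safeMethods never change state, so browsers may send them cross-origin.
var safeMethods = map[string]bool{"GET": true, "HEAD": true, "OPTIONS": true}

// AllowedRequest applies the two checks the page lists for state-changing
// requests: Sec-Fetch-Site when the browser sends it, Origin against Host
// otherwise. Hand-written approximation of the stdlib logic, for illustration.
func AllowedRequest(r *http.Request) bool {
	if safeMethods[r.Method] {
		return true
	}
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin", "none":
		return true // same origin, or a user-typed / bookmarked navigation
	case "":
		// No fetch metadata (older browser or non-browser client): use Origin.
	default:
		return false // "cross-site" and "same-site" are both rejected
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true // no browser headers at all, e.g. curl with a session cookie
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false // covers the literal "null" origin
	}
	return strings.EqualFold(u.Host, r.Host)
}

// Protect wraps a handler and answers 403 to requests that fail the check.
func Protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !AllowedRequest(r) {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// SessionCookie builds the cookie with the flags the page lists: HttpOnly,
// Secure, SameSite=Lax, seven-day lifetime. The value is an opaque session id;
// signing is the session library's job and is not shown here.
func SessionCookie(value string) *http.Cookie {
	return &http.Cookie{
		Name:     "easywall_session", // assumed name
		Value:    value,
		Path:     "/",
		MaxAge:   7 * 24 * 60 * 60,
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	}
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/rules/apply", func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, SessionCookie("opaque-session-id"))
		w.Write([]byte("applied\n"))
	})
	_ = http.ListenAndServe("127.0.0.1:8080", Protect(mux))
}
```

In production you would use net/http.CrossOriginProtection rather than this hand-written version; the example exists to make the decision table readable: safe methods pass, Sec-Fetch-Site decides whenever the browser sends it, otherwise Origin must match Host, and a request with neither header is treated as a non-browser client that still has to present a valid session cookie. HttpOnly keeps that cookie away from scripts, Secure keeps it off plaintext connections, and SameSite=Lax stops browsers from attaching it to cross-site POSTs in the first place.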

Ready to try it?

Pick the path that fits your environment. The Quickstart covers Debian / Ubuntu, Docker, and a manual source install. The demo runs without root or any nftables dependency — explore the entire UI on any machine, including your laptop.

Demo credentials: demo / demo  ·  resets every 6 hours