# jp1337/easywall

| Field | Value |
|---|---|
| Repository | [github.com/jp1337/easywall](https://github.com/jp1337/easywall) (GitHub, Go, GPL-3.0, default branch `main`) |
| Description | Easy-to-use web interface for nftables firewall management on Linux — written in Go |
| Homepage | [jp1337.github.io/easywall](https://jp1337.github.io/easywall) |
| Created / last push | 2017-02-10 / 2026-04-26 |
| Stars / forks / open issues / tags | 2 / 0 / 0 / 12 |
| Topics | debian, easy-to-use, firewall, go, golang, linux, nftables, security, self-hosted, webinterface |
| Project files present | README.md, CHANGELOG.md, CONTRIBUTING.md, SECURITY.md, LICENSE, .github/FUNDING.yml (no threat model, audit, or code-of-conduct file) |
| Funding | [GitHub Sponsors](https://github.com/sponsors/jp1337), [Ko-fi](https://ko-fi.com/jpylypiw), [PayPal](https://paypal.me/JPylypiw) |
| Ecosyste.ms record | [awesome.ecosyste.ms/projects/github.com%2Fjp1337%2Feasywall](https://awesome.ecosyste.ms/projects/github.com%2Fjp1337%2Feasywall) (synced 2026-04-26) |

The project README follows.

---

<p align="center">
  <img src="web/static/icon.svg" alt="easywall logo" width="96" height="96">
</p>

# 🔥 easywall

[![Build](https://github.com/jp1337/easywall/actions/workflows/test.yml/badge.svg)](https://github.com/jp1337/easywall/actions/workflows/test.yml)
[![Security](https://github.com/jp1337/easywall/actions/workflows/security.yml/badge.svg)](https://github.com/jp1337/easywall/actions/workflows/security.yml)
[![codecov](https://codecov.io/gh/jp1337/easywall/graph/badge.svg)](https://codecov.io/gh/jp1337/easywall)
[![License: GPL v3](https://img.shields.io/badge/license-GPL--3.0-blue?logo=opensourceinitiative&logoColor=white)](https://www.gnu.org/licenses/gpl-3.0)
[![Go](https://img.shields.io/badge/Go-1.25+-00ADD8?logo=go&logoColor=white)](https://go.dev)
[![nftables](https://img.shields.io/badge/nftables-direct%20netlink-informational?logo=linux&logoColor=white)](https://netfilter.org/projects/nftables/)
[![GitHub Sponsors](https://img.shields.io/badge/sponsor-GitHub-ea4aaa?logo=github-sponsors&logoColor=white)](https://github.com/sponsors/jp1337)
[![Ko-fi](https://img.shields.io/badge/support-Ko--fi-ff5e5b?logo=ko-fi&logoColor=white)](https://ko-fi.com/jpylypiw)
[![PayPal](https://img.shields.io/badge/donate-PayPal-003087?logo=paypal&logoColor=white)](https://paypal.me/JPylypiw)

> *Your firewall. Your rules. No surprises.*

**Linux firewall management with a web interface — built for 2026.**

A complete rewrite of the original easywall (Python/Flask/iptables, archived after a CVE). New architecture: Go, nftables via direct netlink, two-process isolation, Argon2id auth — security problems addressed at the root.

📖 **Documentation:** [jp1337.github.io/easywall](https://jp1337.github.io/easywall)

---

## 🏗️ Architecture

```
Browser  ──HTTPS──►  easywall-web   (user: easywall, unprivileged)
                           │
                    Unix socket (mode 0660, group easywall)
                    Typed JSON protocol
                           │
                     easywall-core  (root, CAP_NET_ADMIN only)
                           │
                    nftables kernel (via direct netlink — no nft subprocess)
```

The web process **never touches the firewall directly**. All changes go through a typed socket protocol to a privileged core daemon, so a compromised web process holds no root privileges and no netlink access of its own. The worst it can do is send requests over the socket, which is why the core treats everything arriving on that socket as untrusted input and validates it against the typed protocol before programming any rule.

---

## ✨ Features

- **nftables backend** — direct netlink API via `google/nftables`, no subprocess, no shell, no command string for an attacker to inject into
- **Two-step activation** — apply rules, then confirm over SSH within a configurable window; auto-rollback on timeout
- **Docker coexistence** — own table `inet easywall`, never touches Docker's chains; auto-detects bridge networks
- **TCP/UDP port management** — with descriptions and SSH brute-force routing per rule
- **IP blacklist & whitelist** — IPv4/IPv6 CIDRs, applied before any other rules
- **Port forwarding** — NAT rules with protocol selection
- **Custom rules** — raw nftables syntax, validated before apply
- **Export / Import** — full JSON rule backups, downloadable and re-uploadable
- **i18n** — English & German, extensible via `locales/<lang>.json`
- **Light / Dark mode** — follows OS preference, manual toggle available

### 🛡️ Protection Modules

| Module | Default | Description |
|---|---|---|
| SSH brute-force | ✅ on | Connection limit per source IP |
| ICMP flood | ✅ on | Rate-limit per source IP |
| SYN flood | ✅ on | Rate-limit new TCP connections |
| Port scan | ✅ on | Drops NULL, FIN, XMAS, SYN+FIN probes |
| Invalid packets | ✅ on | `ct state invalid` → DROP |
| IP fragments | off | Drop fragmented packets |
| Bogon filter | off | RFC-1918 from external interface → DROP |
| Connection limit | off | Max simultaneous connections per source IP |
| TCP RST flood | off | Rate-limit RST packets |
| Broadcast drop | off | `pkttype broadcast` → DROP |
| Multicast drop | off | `pkttype multicast` → DROP |

---

## 🛠️ Tech Stack

| Component | Choice | Notes |
|---|---|---|
| **Language** | Go 1.25 | Single-binary, no runtime dependencies |
| **HTTP router** | `go-chi/chi/v5` | Lightweight, idiomatic middleware chain |
| **Templates** | `html/template` (stdlib) | Contextual auto-escaping of all template output; a value is only emitted unescaped if the code explicitly types it as `template.HTML` |
| **nftables** | `google/nftables` | Direct netlink — no `nft` subprocess |
| **Password hashing** | `golang.org/x/crypto` Argon2id | Memory-hard, resistant to GPU cracking |
| **Sessions** | `gorilla/sessions` | HMAC-signed cookies, 600s lifetime |
| **CSRF** | `net/http.CrossOriginProtection` | Go 1.25 native; rejects cross-origin state-changing requests based on the browser's `Sec-Fetch-Site`/`Origin` headers, so no form tokens are needed |
| **Rate limiting** | `golang.org/x/time/rate` | Token bucket, per-IP on `/login` |
| **i18n** | `go-i18n/v2` | JSON message files |
| **Config** | `BurntSushi/toml` + JSON Schema | `taplo.toml` for editor autocomplete |
| **Security scan** | `govulncheck` + `gosec` | CVE + security linter in CI |

---

## 🚀 Quick Start

### Debian / Ubuntu

```bash
wget https://github.com/jp1337/easywall/releases/latest/download/easywall_amd64.deb
sudo dpkg -i easywall_amd64.deb && sudo apt-get install -f
xdg-open https://localhost:12227
```

### Docker

```bash
git clone https://github.com/jp1337/easywall.git
cd easywall
docker compose up -d
xdg-open https://localhost:12227
```

### Manual (from source)

#### 1. Prerequisites

- Linux kernel ≥ 3.13 with nftables (`apt install nftables`)
- Go 1.25+

#### 2. Build

```bash
git clone https://github.com/jp1337/easywall.git
cd easywall
make build
# Produces: bin/easywall-core  bin/easywall-web
```

#### 3. Install

```bash
sudo make install
sudo systemctl enable --now easywall-core easywall-web
xdg-open https://localhost:12227
```

The first visit opens the **setup wizard** to set your username and password.

---

## 📖 Documentation

Full documentation at **[jp1337.github.io/easywall](https://jp1337.github.io/easywall)**

| Guide | Description |
|---|---|
| [Requirements](https://jp1337.github.io/easywall/installation/requirements/) | Kernel version, distro compatibility matrix |
| [Debian / Ubuntu](https://jp1337.github.io/easywall/installation/debian/) | `.deb` package install |
| [Docker](https://jp1337.github.io/easywall/installation/docker/) | Docker Compose setup, `network_mode: host` |
| [Manual](https://jp1337.github.io/easywall/installation/manual/) | Build from source |
| [Configuration](https://jp1337.github.io/easywall/configuration/) | All TOML keys explained, JSON Schema |
| [Firewall Filters](https://jp1337.github.io/easywall/features/filters/) | Protection modules in detail |
| [Docker Coexistence](https://jp1337.github.io/easywall/features/docker/) | How easywall and Docker live together |
| [Export & Import](https://jp1337.github.io/easywall/features/export-import/) | JSON rule backups |
| [Security Model](https://jp1337.github.io/easywall/security/) | Two-process isolation, CVE history |

---

## 🔐 Security

easywall takes a **layered security approach** — each layer independently limits blast radius:

| Threat | Mitigation |
|---|---|
| Rule/command injection | Direct netlink API (no subprocess, no string-building) + typed Go structs |
| Privilege escalation | Web process runs as unprivileged `easywall` user — no root access |
| Auth brute-force | Rate-limiting on `/login` (5 req / 10 min per IP), Argon2id |
| CSRF | `net/http.CrossOriginProtection` (Go 1.25 native) |
| XSS | `html/template` auto-escaping + `Content-Security-Policy` header |
| Session hijacking | `Secure` (HTTPS-only) cookie, `SameSite=Lax` |
| Lockout | Two-step activation with auto-rollback — bad rules can't lock you out permanently |
| Known CVEs | `govulncheck` in CI (weekly + every PR) |

Report vulnerabilities via [GitHub Security Advisories](https://github.com/jp1337/easywall/security/advisories/new) — not as public issues. See [SECURITY.md](SECURITY.md).

---

## 📦 Project Status

| Phase | Status | Description |
|---|---|---|
| Phase 1 — Foundation | ✅ Done | Go module, shared types, IPC protocol, version check |
| Phase 2 — Core Daemon | ✅ Done | nftables backend, rules storage, acceptance, Docker coexistence |
| Phase 3 — Web Backend | ✅ Done | chi router, Argon2id auth, session management, all handlers |
| Phase 4 — Web Frontend | ✅ Done | Templates, CSS custom properties, HTMX, light/dark mode |
| Phase 5 — Deployment | ✅ Done | systemd units, Docker multi-stage, Debian package |
| Phase 6 — Documentation | ✅ Done | MkDocs Material, GitHub Pages, custom theme |
| Phase 7 — CI/CD | ✅ Done | Test, Security, Build, Release, Docs workflows |

### Roadmap

| Feature | Notes |
|---|---|
| 2FA / TOTP | Second factor for the web UI |
| Let's Encrypt ACME | Automatic TLS certificates without a reverse proxy |
| GeoIP blocking | Country-based rules (requires GeoIP database) |
| REST API | For Ansible and automation integrations |

---

## 🤝 Contributing

easywall is open source and welcomes contributions. See [CONTRIBUTING.md](CONTRIBUTING.md) for setup, commit conventions (Conventional Commits), and the PR process.

---

## 📜 License

GPL-3.0 — see [LICENSE](LICENSE) for details.

---

*A rewrite that treats the root causes, not the symptoms.*
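The Architecture section above rests on one property: the privileged core only ever sees a typed JSON protocol, never a shell string, and the web process on the other end of the socket is assumed compromisable. The following is an added example, not easywall's own code, of what "typed protocol, validated by the core" looks like on the receiving side in Go. The `Request`, `Action`, `Decode` and `Validate` names and the two actions are assumptions for illustration; easywall's real message schema is not shown on this page.

```go
// Added example (not easywall's own code): a privileged core daemon decoding
// and validating one JSON request from the Unix socket before anything is
// turned into an nftables object. Names and schema are assumptions.
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/netip"
	"strings"
)

// Cap one request. The peer is unprivileged and may be compromised, so the
// core must not let it allocate unbounded memory in the root process.
const maxRequestBytes = 64 << 10

type Action string

const (
	ActionOpenPort  Action = "open_port"
	ActionBlockCIDR Action = "block_cidr"
)

// Request is the whole surface the web process can reach: a closed set of
// actions with typed fields, no free-form rule text.
type Request struct {
	Action Action `json:"action"`
	Proto  string `json:"proto,omitempty"` // "tcp" or "udp"
	Port   int    `json:"port,omitempty"`
	CIDR   string `json:"cidr,omitempty"`
	Desc   string `json:"description,omitempty"`
}

// Decode reads a single request and rejects anything outside the schema.
func Decode(r io.Reader) (Request, error) {
	dec := json.NewDecoder(io.LimitReader(r, maxRequestBytes))
	dec.DisallowUnknownFields() // no extra knobs smuggled past the schema
	var req Request
	if err := dec.Decode(&req); err != nil {
		return Request{}, fmt.Errorf("malformed request: %w", err)
	}
	return req, Validate(req)
}

// Validate checks the fields that would otherwise reach the kernel.
func Validate(req Request) error {
	switch req.Action {
	case ActionOpenPort:
		if req.Proto != "tcp" && req.Proto != "udp" {
			return fmt.Errorf("proto %q: want tcp or udp", req.Proto)
		}
		if req.Port < 1 || req.Port > 65535 {
			return fmt.Errorf("port %d out of range", req.Port)
		}
	case ActionBlockCIDR:
		p, err := netip.ParsePrefix(req.CIDR)
		if err != nil {
			return fmt.Errorf("cidr %q: %w", req.CIDR, err)
		}
		// 10.1.2.3/8 is accepted by parsers but hides host bits; insisting on
		// the canonical form avoids a rule that looks narrower than it is.
		if p != p.Masked() {
			return fmt.Errorf("cidr %q has host bits set; use %s", req.CIDR, p.Masked())
		}
	default:
		return fmt.Errorf("unknown action %q", req.Action)
	}
	// Descriptions are rendered back in the UI and in logs: keep them short
	// and free of control characters so they cannot forge log lines.
	if len(req.Desc) > 128 || strings.ContainsAny(req.Desc, "\n\r\x00") {
		return errors.New("description too long or contains control characters")
	}
	return nil
}

func main() {
	// Constructed sample messages: two good ones and three that a compromised
	// web process might send.
	samples := []string{
		`{"action":"open_port","proto":"tcp","port":443,"description":"https"}`,
		`{"action":"block_cidr","cidr":"203.0.113.0/24"}`,
		`{"action":"open_port","proto":"tcp","port":70000}`,
		`{"action":"block_cidr","cidr":"10.1.2.3/8"}`,
		`{"action":"open_port","proto":"tcp","port":22,"raw":"flush ruleset"}`,
	}
	for _, s := range samples {
		_, err := Decode(strings.NewReader(s))
		fmt.Printf("%-72s -> %v\n", s, err)
	}
}
```

The point of `DisallowUnknownFields` and the closed `Action` set is that there is no path from a JSON field to a rule string: a field the core does not know about is an error, not something that gets passed along.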
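The two-step activation feature (apply, then confirm within a window, else auto-rollback) is the README's answer to the classic firewall lockout. Below is an added example in Go, not easywall's code, of the state machine behind that pattern: a candidate ruleset is loaded, a timer is armed, and only an explicit confirmation makes the change stick. `Backend`, `Ruleset`, `Activation` and the in-memory backend are assumed names standing in for the nftables side; the timer window is shortened to milliseconds so the example can be run.

```go
// Added example (not easywall's own code): apply-then-confirm activation with
// automatic rollback. Backend/Ruleset/Activation are assumed names.
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Ruleset stands in for whatever the backend programs into the kernel.
type Ruleset []string

// Backend is the privileged side that replaces the live rules atomically.
type Backend interface {
	Load(rs Ruleset) error
	Current() Ruleset
}

// memBackend is a constructed stand-in for the nftables backend.
type memBackend struct {
	mu   sync.Mutex
	live Ruleset
}

func (b *memBackend) Load(rs Ruleset) error {
	b.mu.Lock()
	defer b.mu.Unlock()
	b.live = append(Ruleset(nil), rs...)
	return nil
}

func (b *memBackend) Current() Ruleset {
	b.mu.Lock()
	defer b.mu.Unlock()
	return append(Ruleset(nil), b.live...)
}

var ErrNothingPending = errors.New("no activation pending")

// Activation loads a candidate and reverts to the previous ruleset unless
// Confirm arrives within window. The confirmation has to travel over a path
// the new rules did not break (hence "confirm over SSH"): if the candidate
// cut that path, nobody can confirm and the known-good rules come back.
type Activation struct {
	mu       sync.Mutex
	backend  Backend
	window   time.Duration
	previous Ruleset
	timer    *time.Timer
	gen      uint64 // bumps per Apply so a stale timer cannot undo a newer one
	pending  bool
	rolled   int
}

func NewActivation(b Backend, window time.Duration) *Activation {
	return &Activation{backend: b, window: window}
}

// Apply installs candidate and arms the rollback timer. A second Apply while
// one is pending keeps the original rollback target, so stacking a second
// bad change on top of the first cannot make the first one permanent.
func (a *Activation) Apply(candidate Ruleset) error {
	a.mu.Lock()
	defer a.mu.Unlock()
	if a.pending {
		a.timer.Stop()
	} else {
		a.previous = a.backend.Current()
	}
	if err := a.backend.Load(candidate); err != nil {
		return err
	}
	a.pending = true
	a.gen++
	gen := a.gen
	a.timer = time.AfterFunc(a.window, func() { a.rollback(gen) })
	return nil
}

// Confirm makes the candidate permanent and disarms the timer.
func (a *Activation) Confirm() error {
	a.mu.Lock()
	defer a.mu.Unlock()
	if !a.pending {
		return ErrNothingPending
	}
	a.timer.Stop()
	a.pending, a.previous = false, nil
	return nil
}

func (a *Activation) rollback(gen uint64) {
	a.mu.Lock()
	defer a.mu.Unlock()
	if !a.pending || gen != a.gen {
		return // confirmed, or superseded by a newer Apply
	}
	_ = a.backend.Load(a.previous)
	a.pending, a.previous = false, nil
	a.rolled++
}

// Rollbacks reports how many times the timer reverted a candidate.
func (a *Activation) Rollbacks() int {
	a.mu.Lock()
	defer a.mu.Unlock()
	return a.rolled
}

func main() {
	be := &memBackend{live: Ruleset{"tcp dport 22 accept"}}
	act := NewActivation(be, 50*time.Millisecond)
	_ = act.Apply(Ruleset{"tcp dport 443 accept"}) // forgot to keep SSH open
	time.Sleep(120 * time.Millisecond)
	fmt.Println("after timeout:", be.Current(), "rollbacks:", act.Rollbacks())
	_ = act.Apply(Ruleset{"tcp dport 22 accept", "tcp dport 443 accept"})
	_ = act.Confirm()
	time.Sleep(120 * time.Millisecond)
	fmt.Println("after confirm:", be.Current(), "rollbacks:", act.Rollbacks())
}
```

Two details matter in practice: the rollback target is captured once, before the first pending change, so two consecutive bad applies still revert to the last confirmed state; and the per-apply generation counter means a timer that fires late cannot undo a change that has since been confirmed or replaced.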
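The Security table lists "Rate-limiting on `/login` (5 req / 10 min per IP)" against brute force; the project itself uses `golang.org/x/time/rate`. As an added example, not easywall's code, here is the same token-bucket policy written against the standard library only, with an injectable clock so the refill arithmetic can be checked without waiting ten minutes. It also shows the part that decides whether the limiter is worth anything: the key is derived from the TCP peer address, not from a client-supplied `X-Forwarded-For` header. `Limiter`, `ClientKey` and the bucket sizes are assumptions, and IPv6 clients are grouped per /64 as an editorial choice, not something the README states.

```go
// Added example (not easywall's own code): per-IP token bucket for a login
// endpoint, sized 5 requests per 10 minutes. Names are assumptions.
package main

import (
	"fmt"
	"net"
	"net/netip"
	"sync"
	"time"
)

type bucket struct {
	tokens float64
	last   time.Time
}

// Limiter admits up to burst requests per key immediately, then refills at
// burst per window, so sustained guessing is held to that average rate.
type Limiter struct {
	mu        sync.Mutex
	burst     float64
	windowSec float64
	now       func() time.Time
	buckets   map[string]*bucket
}

func NewLimiter(burst int, window time.Duration, now func() time.Time) *Limiter {
	if now == nil {
		now = time.Now
	}
	return &Limiter{burst: float64(burst), windowSec: window.Seconds(), now: now, buckets: map[string]*bucket{}}
}

// Allow spends one token for key if one is available.
func (l *Limiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	t := l.now()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.burst, last: t}
		l.buckets[key] = b
	}
	// Refill proportionally to elapsed time; multiply before dividing so
	// whole-token refills come out exact.
	b.tokens += t.Sub(b.last).Seconds() * l.burst / l.windowSec
	if b.tokens > l.burst {
		b.tokens = l.burst
	}
	b.last = t
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// ClientKey derives the bucket key from r.RemoteAddr ("host:port"). Using a
// forwarding header here would let an attacker pick a fresh bucket per
// request; only do that behind a proxy you control, and only for its IP.
// IPv6 peers are bucketed per /64 so one host holding a whole prefix
// cannot rotate through addresses to dodge the limit.
func ClientKey(remoteAddr string) (string, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return "", err
	}
	ip, err := netip.ParseAddr(host)
	if err != nil {
		return "", err
	}
	ip = ip.Unmap() // ::ffff:203.0.113.7 is the same client as 203.0.113.7
	if ip.Is6() {
		return netip.PrefixFrom(ip, 64).Masked().String(), nil
	}
	return ip.String(), nil
}

func main() {
	// Constructed scenario: seven rapid attempts from one address, then two
	// more after two minutes (one token has refilled by then).
	clock := time.Date(2026, 4, 26, 12, 0, 0, 0, time.UTC)
	lim := NewLimiter(5, 10*time.Minute, func() time.Time { return clock })
	key, _ := ClientKey("203.0.113.7:51234")
	for i := 1; i <= 7; i++ {
		fmt.Printf("attempt %d from %s: allowed=%v\n", i, key, lim.Allow(key))
	}
	clock = clock.Add(2 * time.Minute)
	fmt.Println("after 2 min:", lim.Allow(key), lim.Allow(key))
}
```

Because the refill is continuous rather than a fixed ten-minute window, an attacker who times requests to the window boundary cannot get ten attempts in a few seconds; they get five up front and then one every two minutes.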