Open source · MIT licensed · Built in Rust

The modern firewall for FreeBSD

A complete firewall platform in one Rust codebase: stateful pf rules, Suricata + Sigma + YARA IDS, WireGuard & IPsec VPN, CARP/pfsync HA, AI threat detection, and a live React dashboard. An honest alternative to pfSense and OPNsense.

257 API endpoints · 34 RBAC perms · 5 AI detectors · 6 NAT types · 3 rule formats
[Screenshot: AiFw live dashboard with real-time CPU, memory, and network graphs]
Features

Everything a firewall needs.
Nothing it doesn't.

A complete platform in one Rust binary per service. No PHP-FPM, no package sprawl, no legacy admin UIs.

Stateful firewall

FreeBSD pf with rule scheduling, aliases, and traffic shaping. Full IPv4/IPv6 and VLAN support.

pf · IPv4/IPv6 · VLAN

WireGuard & IPsec

Native WireGuard with auto-keypair generation and per-peer config export. IPsec ESP/AH in tunnel or transport mode.

WireGuard · ESP · AH

IDS / IPS engine

Suricata-compatible inspection with Sigma and YARA rule support — neither OPNsense nor pfSense can do this.

Suricata · Sigma · YARA

AI threat detection

Five behavioural detectors: port scan, DDoS, brute force, C2 beacon, and DNS tunneling. Auto-response with TTL blocks.

port-scan · ddos · c2-beacon

Full NAT suite

SNAT, DNAT/port forwarding, masquerade, 1:1 binat, NAT64, and NAT46 — the last one is unique.

snat · dnat · nat64 · nat46

Live dashboard

WebSocket-powered real-time metrics. Connection tracking, bandwidth graphs, memory breakdown, animated NAT flow topology.

WebSocket · React · Next.js

HA clustering

CARP virtual IPs, pfsync state sync, health checks, and config snapshots — failover ready out of the box.

CARP · pfsync · health-check

Granular RBAC

34 specific permissions across every subsystem. TOTP 2FA, OAuth/SSO, API keys, built-in CA for certificate issuance.

34 perms · TOTP · OAuth

Commit confirm

Every apply stages changes with a timer. If you don't confirm within the window, your config auto-reverts. Never lock yourself out.

auto-revert · snapshots · rollback
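An added illustration of the commit-confirm mechanism described above, not AiFw's own code: a config is applied with a deadline and reverts to the saved snapshot unless confirmed within the window. The `Config` type, the `CommitConfirm` state machine and the pf rule strings are constructed for the example, and time is injected as a seconds counter so the behaviour can be checked offline.

```rust
// Illustrative commit-confirm state machine (constructed example, not AiFw's code).
#[derive(Clone, Debug, PartialEq)]
pub struct Config {
    pub rules: Vec<String>,
}

pub struct CommitConfirm {
    active: Config,
    snapshot: Option<Config>, // last confirmed config, kept until confirm or revert
    deadline: Option<u64>,    // seconds; None when no change is pending
}

impl CommitConfirm {
    pub fn new(initial: Config) -> Self {
        Self { active: initial, snapshot: None, deadline: None }
    }

    /// Stage a new config. It only becomes permanent if `confirm` is called
    /// before `now + window_secs`; otherwise `tick` rolls it back.
    pub fn apply(&mut self, new: Config, now: u64, window_secs: u64) {
        // A second apply while one is still unconfirmed keeps the original
        // snapshot, so the rollback target is always the last confirmed config.
        if self.snapshot.is_none() {
            self.snapshot = Some(self.active.clone());
        }
        self.active = new;
        self.deadline = Some(now + window_secs);
    }

    /// The operator still has access: discard the snapshot and keep the change.
    pub fn confirm(&mut self, now: u64) -> bool {
        match self.deadline {
            Some(d) if now <= d => {
                self.snapshot = None;
                self.deadline = None;
                true
            }
            _ => false, // nothing pending, or the window has already expired
        }
    }

    /// Called periodically; restores the snapshot once the window expires.
    pub fn tick(&mut self, now: u64) -> bool {
        match self.deadline {
            Some(d) if now > d => {
                if let Some(prev) = self.snapshot.take() {
                    self.active = prev;
                }
                self.deadline = None;
                true
            }
            _ => false,
        }
    }

    pub fn active(&self) -> &Config {
        &self.active
    }
}
```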
Screenshots

Real screens, real state

Every page below is rendered live from WebSocket data. No mockups.

Comparison

How it stacks up

Against the incumbents. Full matrix at /compare.

Feature | AiFw | OPNsense | pfSense
WireGuard (native)
Suricata IDS
pkg
Sigma + YARA rules
AI behavioural detection
NAT46
OAuth / SSO
Commit confirm (auto-rollback)
Modern UI stack | React/Next.js | PHP | PHP
OpenVPN
Multi-WAN load balancing
planned


Architecture

Rust all the way down

Every service is a single Rust binary. The web UI compiles to static HTML with no Node.js runtime on the appliance.

// Workspace crates
aifw-common shared types: rules, NAT, VPN, IDS, HA, geo-IP
aifw-pf pf backend trait (ioctl on FreeBSD, mock on Linux)
aifw-core engines: rules, NAT, VPN, HA, shaping, audit
aifw-ids IDS/IPS engine with Suricata + Sigma + YARA
aifw-ai 5 behavioural threat detectors
aifw-conntrack connection tracking
aifw-plugins plugin host (native Rust; WASM planned)
aifw-metrics metrics collection
aifw-api Axum REST (257 routes) + WebSocket
aifw-daemon background worker
aifw-cli `aifw` CLI — 17 subcommand groups
aifw-tui terminal UI
aifw-setup first-boot wizard

// Companion services (separate binaries)
rDNS DNS resolver
rDHCP DHCP server with HA failover
rTIME NTP/PTP time sync
TrafficCop reverse proxy (HTTP/TCP/UDP)

tokio · axum 0.8 · sqlx 0.8 · rustls 0.23 · Next.js 16 · FreeBSD 15

Install in minutes

~203 MB compressed ISO. Runs on anything FreeBSD runs on: bare metal, KVM, ESXi, bhyve, Proxmox.