FreeBSD firewall, rebuilt in Rust.
Stateful pf, NAT, IDS/IPS, DNS, DHCP, VPN, reverse proxy, NTP — one Rust codebase. Optional AI threat detection. No cloud, no telemetry.
Why a New Firewall?
The pf ecosystem deserves a modern codebase.
Paying for firewall "premium" features?
Many commercial firewalls gate IDS/IPS, GeoIP, or reporting behind subscriptions. AiFw ships every feature free under MIT.
Worried about cloud telemetry?
Modern firewall vendors quietly phone home for "threat intel" and "updates." AiFw has zero cloud dependency and zero telemetry — everything runs on your hardware.
Tired of legacy daemons glued together?
Most pf-based distributions stitch together a PHP UI, Perl scripts, and decade-old C daemons. AiFw is one Rust codebase across every component.
Curious about ML-based threat detection?
The optional AI module runs experimental detectors for port scans, DDoS, brute force, C2 beacons, and DNS tunneling — locally, with no data leaving your box. It's a WIP, opt-in, and disabled by default.
A Firewall — and Then Some. All Free.
Everything a pf-based gateway needs, plus IDS/IPS, DNS, DHCP, VPN, reverse proxy, and NTP.
Stateful pf Firewall
Built directly on FreeBSD's pf with anchor isolation. Connection tracking, real-time state table monitoring, top talkers, and protocol breakdown.
NAT (Every Flavour)
SNAT, DNAT/RDR, masquerade, binat, NAT64 and NAT46. Port forwarding, 1:1 mappings, and dual-stack translation handled in one place.
IDS / IPS
Suricata-compatible intrusion detection and prevention. Manage rulesets from the UI, watch live alerts, and drop on match.
DNS, DHCP, NTP
Caching DNS resolver, multi-subnet DHCP server with reservations and leases, and an NTP/PTP time service — all from the same web UI.
VPN + Reverse Proxy
WireGuard and IPsec for site-to-site and remote access. Built-in reverse proxy for publishing internal HTTP services with TLS.
Traffic Shaping & Geo-IP
CoDel, HFSC, and PriQ queues for QoS. Per-IP overload tables and SYN flood protection. Country-level allow/block lists for Geo-IP filtering.
AI / ML Threat Detection
Local detectors for the patterns signatures miss. Disabled by default — turn them on when you want them.
The AI module is a work in progress. It runs locally, never reaches out to the cloud, and the Threats page in the UI reflects its current WIP status.
Boring Foundations, Modern Code
AiFw vs. The Rest
| Feature | AiFw Free (MIT) | pfSense Plus $129+/yr | OPNsense Free / Business | Commercial NGFW $$$$/yr |
|---|---|---|---|---|
| License | MIT (everything free) | Proprietary (Plus) | BSD-2 | Proprietary |
| IDS/IPS | Included | Snort/Suricata Pkg | Suricata | Subscription |
| ML Threat Detection | Optional (WIP) | No | No | Cloud-Based |
| Cloud Telemetry | None | Some | Opt-in | Mandatory |
| Web UI | Modern Rust UI | PHP | PHP | Vendor |
| VPN | WireGuard + IPsec | OpenVPN/IPsec/WG | OpenVPN/IPsec/WG | Included |
| Geo-IP Filtering | Free | Subscription | Free | Subscription |
| Platform | FreeBSD 15 | FreeBSD | HardenedBSD | Appliance |
Run It on Your Hardware. Keep Your Data.
No subscriptions, no cloud check-ins, no per-feature licensing. AiFw runs on FreeBSD 15.x — install it on the box you already own.