Secure by Design | Zero Trust Ready | AI‑Assisted Defense
NFTBan is an enterprise‑grade firewall management system built on Linux nftables — combining atomic rule updates, privilege separation through Polkit, and AI‑assisted threat intelligence for a resilient, self‑healing network defense layer.
⚠️ BETA TESTING | We are actively finding and fixing bugs. NOT production-ready yet. Tested on 5 lab servers. Community feedback needed from diverse environments. Report issues here.
NFTBan is founded and architected by Antonios Voulvoulis, open‑source contributor and cybersecurity architect, through an AI‑assisted but human‑supervised development workflow.
The project embraces an ethical AI collaboration philosophy — merging human creativity, accountability, and system‑design expertise with AI precision and scalability to accelerate open‑source cybersecurity innovation.
All AI‑generated content is human‑reviewed, version‑controlled, and transparently attributed in Git history. NFTBan aligns with open standards encouraged by OpenSSF and the Linux Foundation.
CentOS Stream 9/10

```bash
wget https://raw.githubusercontent.com/itcmsgr/nftban/main/scripts/distro-setup/centos.sh
sudo bash centos.sh
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-x86_64.rpm
sudo dnf install -y nftban-x86_64.rpm && sudo nftban enable
```

Rocky Linux 8/9/10

```bash
wget https://raw.githubusercontent.com/itcmsgr/nftban/main/scripts/distro-setup/rocky.sh
sudo bash rocky.sh
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-x86_64.rpm
sudo dnf install -y nftban-x86_64.rpm && sudo nftban enable
```

AlmaLinux 8/9/10

```bash
wget https://raw.githubusercontent.com/itcmsgr/nftban/main/scripts/distro-setup/almalinux.sh
sudo bash almalinux.sh
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-x86_64.rpm
sudo dnf install -y nftban-x86_64.rpm && sudo nftban enable
```

The setup scripts enable EPEL and CRB and resolve common repository conflicts automatically. See docs/ROCKY-ALMA-INSTALL.md for detailed troubleshooting.

Rocky / AlmaLinux 9+ (requires EPEL + CRB)

```bash
sudo dnf install -y epel-release && sudo dnf config-manager --set-enabled crb && wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-x86_64.rpm && sudo dnf install -y nftban-x86_64.rpm && sudo nftban enable
```

Fedora (all repos included)

```bash
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-x86_64.rpm && sudo dnf install -y nftban-x86_64.rpm && sudo nftban enable
```

Ubuntu / Debian

```bash
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-amd64.deb && sudo dpkg -i nftban-amd64.deb && sudo apt-get install -f -y && sudo nftban enable
```

| Platform | Architecture | Package |
|---|---|---|
| 🐧 RHEL / Rocky / Alma / Fedora | x86_64 | nftban-x86_64.rpm |
| 🐧 RHEL / Rocky / Alma / Fedora | aarch64 (ARM64) | nftban-aarch64.rpm |
| 🐧 Ubuntu 24.04+ / Debian 12+ | amd64 | nftban-amd64.deb |
| 🐧 Ubuntu 24.04+ / Debian 12+ | arm64 | nftban-arm64.deb |
Note: Packages are self-contained and verified for FHS compliance. Old versions are archived in Releases.
NFTBan simplifies Linux firewall management without sacrificing depth or safety. It empowers teams to deploy Zero‑Trust‑aligned, FHS‑compliant, and auditable firewall infrastructures in minutes.
Key Design Pillars
- 🔐 Secure by Design — Least privilege, no sudo needed
- ⚙️ Atomic Operations — Zero packet loss on rule reloads
- 🧠 AI Assistance — Adaptive threat feeds and automated healing
- 🧩 Modular Architecture — Two‑table nftables design for runtime stability
- 🧾 Compliance Built‑In — 21/21 FHS validation and continuous self‑audit
| Domain | Capability | Description |
|---|---|---|
| Security | Polkit integration | True privilege separation for CLI and system tasks |
| Protection | Whitelist‑first logic | Prevents self‑lockouts and enforces safety layering |
| Performance | Go binaries | 10–60× faster feed and GeoIP processing |
| Reliability | Auto‑heal system | Periodic integrity checks and file‑system repair |
| Visibility | Audit logging | Every action attributed, verifiable, and reversible |
NFTBan's design philosophy: Security is a process — automation should reinforce, not replace, human judgment.
```text
┌───────────────────────────────┐
│ inet nftban_runtime           │ ← Temporary bans / Fail2ban integration
│ • Persistent across reloads   │
└───────────────────────────────┘
                ↓
┌───────────────────────────────┐
│ inet nftban_main              │ ← Permanent rules, atomic updates
│ • Whitelist + Blacklist sets  │
│ • Port policy definitions     │
└───────────────────────────────┘
```
Highlights
- Runtime bans survive reloads (no service restarts)
- Atomic commits prevent partial rule failure
- Blacklist evaluated before port allow‑lists
- Full drop‑by‑default policy with explicit trust exceptions
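To make the two-table layout and the atomic reload concrete, here is an added example (not NFTBan's own code; the project's real ruleset may differ). It renders a permanent `inet nftban_main` table whose input chain checks the whitelist before the blacklist and the port allow-list, with a drop policy as the last word, a separate `inet nftban_runtime` table that holds temporary bans with per-element timeouts, and a reload that commits the permanent table in one `nft -f` transaction without touching the runtime table. Table and set names come from the diagram above; the whitelist, blacklist and port values are constructed sample input supplied by the caller, and `NFTBAN_DRY_RUN` is an assumed environment variable for this example only.

```shell
#!/bin/sh
# Added example, not NFTBan's own code: a minimal two-table nftables layout
# mirroring the diagram above, plus an atomic reload of the permanent table.
# Table and set names follow the diagram; whitelist/blacklist entries and
# port numbers are constructed sample values passed in by the caller.

# "a b c" -> "a, b, c" (element list syntax inside nft braces)
join_csv() {
    printf '%s' "$1" | sed 's/  */, /g'
}

# Emit one named set; the elements line is omitted when the list is empty,
# because "elements = { }" is a syntax error in nft.
render_set() {
    printf '    set %s {\n        type ipv4_addr\n        flags interval\n' "$1"
    [ -n "$2" ] && printf '        elements = { %s }\n' "$(join_csv "$2")"
    printf '    }\n'
}

# Permanent table. The rule order in the input chain is the point:
#   whitelist accept -> blacklist drop -> port allow-list -> policy drop
# so a bad feed entry can never override an explicit trust exception.
render_main_table() {
    # $1 = whitelist, $2 = blacklist, $3 = allowed TCP ports (space-separated)
    ports_rule=""
    [ -n "$3" ] && ports_rule="        tcp dport { $(join_csv "$3") } ct state new accept"
    cat <<EOF
table inet nftban_main {
$(render_set whitelist "$1")
$(render_set blacklist "$2")
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        ip saddr @whitelist accept
        ip saddr @blacklist drop
$ports_rule
    }
}
EOF
}

# Runtime table: created once and never flushed by a reload; holds temporary
# bans with per-element timeouts. It hooks at a lower priority so it runs
# before nftban_main, which is why a ban command must consult the whitelist
# before inserting an element here (the chain itself has no whitelist).
render_runtime_table() {
    cat <<'EOF'
table inet nftban_runtime {
    set tempban {
        type ipv4_addr
        flags timeout
    }
    chain input {
        type filter hook input priority -10; policy accept;
        ip saddr @tempban drop
    }
}
EOF
}

# Atomic reload: "declare table; flush table; full definition" in ONE file.
# nft -f commits the file as a single transaction, so there is never a moment
# with an empty nftban_main, and nftban_runtime is not touched at all.
atomic_reload() {
    tmp=$(mktemp) || return 1
    {
        echo 'table inet nftban_main {}'
        echo 'flush table inet nftban_main'
        render_main_table "$@"
    } > "$tmp"
    # NFTBAN_DRY_RUN is an assumed variable for this example: print instead of commit.
    if [ -n "${NFTBAN_DRY_RUN:-}" ] || [ "$(id -u)" -ne 0 ] \
       || ! command -v nft >/dev/null 2>&1; then
        echo "dry-run: not root, nft missing or NFTBAN_DRY_RUN set; transaction follows" >&2
        cat "$tmp"; rm -f "$tmp"
        return 0
    fi
    nft -c -f "$tmp" && nft -f "$tmp"   # syntax-check, then commit atomically
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: atomic_reload "192.0.2.10" "198.51.100.0/24" "22 443"
# (apply render_runtime_table once with "nft -f" when the service is enabled)
```

The reason the transaction file starts with an empty `table inet nftban_main {}` declaration is that `flush table` fails on a host where the table does not exist yet; declaring it first makes the same file valid for both first boot and every later reload, and because `nft -f` is all-or-nothing, a syntax error anywhere in the file leaves the previous rules in place.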
```bash
sudo nftban setup         # Interactive guided configuration
sudo nftban status        # View system status
sudo nftban health check  # Run diagnostics and auto‑heal
```

Common tasks:

```bash
nftban ban 1.2.3.4        # Block IP (safe ban)
nftban unban 1.2.3.4      # Remove ban
nftban firewall reload    # Atomic reload (no downtime)
```

Traditional firewalls either favor convenience over safety or require expert‑level configuration. NFTBan aims to merge both worlds — a platform where any administrator can operate safely and engineers retain fine‑grained control.
Current Features (Beta):
- 🔧 Zero Trust Privilege Model with Polkit (testing in progress)
- 🔧 Automatic self‑healing for critical paths (under development)
- 🔧 AI‑curated threat feeds and GeoIP filtering (bugs being fixed)
- ✅ Compliant with Linux Foundation FHS standards
- 🔧 Optimized for automation, monitoring, and CI/CD pipelines (in progress)
We're finding and fixing bugs daily. Your testing and feedback are critical for production readiness.
NFTBan is developed through ethical AI collaboration that unites human creativity and machine precision under transparent governance.
Development Partners
| Partner | Role |
|---|---|
| 🤝 ChatGPT (OpenAI) | Architecture & Design Planning |
| ⚙️ Claude Code (Anthropic) | Implementation & Testing |
| 🧠 Claude AI (Anthropic) | Review & Optimization |
All AI-generated code and text are human-reviewed, version-controlled, and fully attributed in Git history. This project aligns with ethical collaboration standards promoted by OpenSSF and Linux Foundation initiatives.
License: Mozilla Public License 2.0 (MPL‑2.0)

Copyright © 2024–2026 NFTBan Project / Antonios Voulvoulis

Trademark: "NFTBAN" and logo are registered marks of Antonios Voulvoulis.

Free for personal & commercial use under MPL‑2.0 terms.
We welcome thoughtful contributions from both human and AI‑assisted developers.
```bash
git clone https://github.com/itcmsgr/nftban.git
git checkout -b feature/<name>
# build, test, and commit with signed‑off‑by lines
```

Read CONTRIBUTING.md for details.
Empowering system administrators with simple, auditable, intelligent security.
🌐 nftban.com • 🐛 Report Issue