Firewall Builder (fwbuilder) has no nftables support and has not been actively developed for years. FirewallFabrik is its modern successor: a complete rewrite in Python and Qt6 with native nftables support, seamless migration of existing .fwb files, and a GUI that feels just like the original.
Anyone who manages firewalls centrally is probably familiar with Firewall Builder (fwbuilder). For over 20 years, this open-source tool has provided a convenient graphical interface for creating and managing firewall rules. It supports multiple target platforms such as iptables, pf, and Cisco PIX. Originally developed by NetCitadel, fwbuilder has made daily work easier for many administrators over the years.
At the same time, things have moved on. The existing codebase in C++ and Qt5 has aged, and with RHEL 10 a paradigm shift is underway that pushes fwbuilder to its limits: iptables is deprecated and no longer being developed.
Against this backdrop, we at Linuxfabrik created FirewallFabrik, the modern successor to Firewall Builder. The goal was to preserve the best of fwbuilder while being ready for the future, especially with regard to nftables.
In RHEL 9, Red Hat marked iptables and the related packages iptables-nft and ipset as deprecated. In RHEL 10, the packages are still available in the AppStream, but Red Hat has moved the associated kernel modules to the kernel-modules-extra package - they are no longer installed by default. Furthermore, iptables is classified as unmaintained and will be removed entirely in a future RHEL release. Anyone running RHEL 10 or distributions based on it, such as AlmaLinux or Rocky Linux, should migrate to nftables or firewalld with the nftables backend sooner rather than later.
This does not just affect individual rules on individual servers. It is particularly relevant for environments where dozens or hundreds of firewalls are managed centrally. Firewall Builder has been widely used in such environments - and this is exactly where FirewallFabrik comes in.
Firewall Builder itself has no nftables support. Porting nftables into the existing C++ codebase would have been laborious and offered little long-term viability. For this reason, we decided to rebuild the project from scratch.
FirewallFabrik is a complete rewrite of Firewall Builder, implemented in Python and Qt6. The goal was clearly defined: the same proven GUI concept, combined with a modern technology stack and native nftables support.
It was particularly important to us that FirewallFabrik feels just like Firewall Builder. The window layout, the object tree, the dialogs, and the drag-and-drop behaviour follow the familiar concept. Anyone who knows fwbuilder will find their way around FirewallFabrik immediately, without retraining and without additional learning effort. Under the hood everything is new; the interface remains familiar.
In practice, this means: you model hosts, networks, services, and interfaces as named objects, organize them in libraries, and drag them into policy, NAT, and routing rules. FirewallFabrik then compiles these rules into ready-to-use shell scripts, for iptables or nftables. The generated scripts can be deployed to target firewalls via the built-in SSH installer, manually, or through your own automation (Ansible, Terraform, CI/CD).
Installation is straightforward, quickest with uv:
uvx --from 'firewallfabrik[gui]' fwf
Alternatively, install permanently via uv tool install, pipx install, or pip install --user, each with the [gui] extra for the graphical interface. If you only need the CLI compilers (fwf-ipt, fwf-nft), you can install without [gui]. On Linux systems, you can optionally use the distribution's native PySide6 package (e.g. python3-pyside6 on Fedora). A .desktop file and MIME type definitions for application menu and file manager integration are also included.
The central argument for FirewallFabrik is nftables support as a target platform. The nftables compiler (fwf-nft) can translate policies directly into nftables rules. nftables has been available since RHEL 8 and is the standard on all current Linux distributions - FirewallFabrik covers both current and future environments without workarounds or additional compatibility layers.
nftables offers several technical advantages over iptables:
fwbuilder stored everything in a single XML file (.fwb). FirewallFabrik uses YAML (.fwf) instead: human-readable, diff-friendly, and ideal for Git. Diffs clearly show what has changed, and any text editor or script can work with the format.
FirewallFabrik uses all available CPU cores and compiles multiple firewalls simultaneously. The CLI compilers (fwf-ipt and fwf-nft) accept multiple firewall names at once and offer an --all flag to compile all firewalls of the respective platform in a single run. The database is loaded only once - regardless of the number of firewalls.
Under the hood, everything has changed. The codebase is Python 3.14 instead of C++, the GUI uses Qt6 (PySide6) instead of Qt5. Internally, FirewallFabrik works with an SQLite database and SQLAlchemy as ORM - this means fast queries instead of XML traversal, referential integrity through database constraints, and full undo/redo with history snapshots. The built-in RCS integration from fwbuilder has been replaced by what is standard today: YAML files in Git.
The included service library has been expanded with practical entries, including Collabora Online, Icinga, Nextcloud notify_push, WinRM, and FreeIPA. Additional service definitions can be created at any time.
.fwb to .fwf
Anyone already working with Firewall Builder does not have to start from scratch. FirewallFabrik can read all existing .fwb files in XML format and convert them directly into the new .fwf format. All objects, policies, interfaces, and references are correctly transferred.
There is no migration process as such: the .fwb file is opened, and from that point on everything is saved exclusively in the new .fwf format. No manual migration steps are required. You can get started right away.
Ansible, Terraform, and CI/CD pipelines are the standard for distributing configurations today. Anyone managing their infrastructure as code rightly asks: why a GUI tool when I can roll out firewall rules as an Ansible role or Terraform module?
The answer: because automation tools solve a different problem than FirewallFabrik. Ansible reliably delivers configurations to target systems - it answers the question "How does the rule get onto the firewall?". FirewallFabrik answers the question that comes before: "Which rules do I need, and are they correct?"
Anyone running more than five to ten (host) firewalls faces a challenge that no Ansible playbook alone can solve: maintaining the overview. Which rules apply where? Which servers are allowed to communicate with which services? Is a particular firewall rule shadowed by a preceding one? Does any rule still reference the server that was decommissioned last week?
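The shadowing question can be checked mechanically. The following is an added example, not FirewallFabrik code: a first-match shadowing check over a constructed policy, where the Rule fields and the sample rules are hypothetical and do not reflect the .fwf schema.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    """Hypothetical, simplified rule; not the .fwf schema."""
    pos: int        # position in the policy (first match wins)
    src: str        # source CIDR
    dst: str        # destination CIDR
    proto: str      # "tcp", "udp" or "any"
    ports: range    # destination ports, range(lo, hi + 1)
    action: str     # "accept" or "drop"

def _within(inner: str, outer: str) -> bool:
    a, b = ip_network(inner), ip_network(outer)
    return a.version == b.version and a.subnet_of(b)

def covers(early: Rule, late: Rule) -> bool:
    """True if every packet matched by `late` is already matched by `early`."""
    if not (_within(late.src, early.src) and _within(late.dst, early.dst)):
        return False
    if early.proto == "any":
        return True
    return (early.proto == late.proto
            and early.ports.start <= late.ports.start
            and late.ports.stop <= early.ports.stop)

def find_shadowed(rules):
    """Return (shadowed_pos, shadowing_pos, actions_conflict) tuples."""
    # Limitation: only finds a rule fully covered by ONE earlier rule,
    # not a rule covered by the union of several earlier rules.
    ordered = sorted(rules, key=lambda r: r.pos)
    findings = []
    for i, late in enumerate(ordered):
        for early in ordered[:i]:
            if covers(early, late):
                findings.append((late.pos, early.pos, early.action != late.action))
                break
    return findings

# Constructed sample policy: rule 2 can never match because rule 1 drops
# everything to 192.0.2.0/24 first; rule 3 merely repeats part of rule 0.
POLICY = [
    Rule(0, "10.0.0.0/8", "192.0.2.10/32", "tcp", range(443, 444), "accept"),
    Rule(1, "0.0.0.0/0", "192.0.2.0/24", "any", range(0, 65536), "drop"),
    Rule(2, "10.1.0.0/16", "192.0.2.20/32", "tcp", range(22, 23), "accept"),
    Rule(3, "10.0.5.0/24", "192.0.2.10/32", "tcp", range(443, 444), "accept"),
    Rule(4, "10.0.0.0/8", "198.51.100.5/32", "udp", range(53, 54), "accept"),
]
```

A finding with a conflicting action (rule 2 here) means the intended access silently never takes effect; a redundant one (rule 3) is dead weight that makes later review harder.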
FirewallFabrik makes exactly this visible:
In practice, GUI and automation complement each other:
FirewallFabrik generates shell scripts that are idempotent: they set up the complete rule set from scratch on every run, regardless of the firewall's previous state. The result is always the same. This property makes them ideal for automated deployments, whether via Ansible playbook, GitLab CI pipeline, or plain scp && ssh.
This also works in the other direction: the .fwf file is human-readable YAML and can be created or edited directly with scripts or automation tools. A CMDB export, an Ansible playbook, or a custom script can generate the YAML file, and a human can then visualize, review, and refine it in the GUI. FirewallFabrik is thus open in both directions: GUI-to-script and script-to-GUI.
FirewallFabrik offers the full feature set you would expect from a professional firewall management tool:
In a rewrite, it is important to stay focused. We have therefore deliberately not carried over some features from fwbuilder:
git revert restores objects including all their references.
FirewallFabrik is aimed at administrators and teams who:
As always, when our blog goes quiet, we are busy writing software rather than writing about it. :) FirewallFabrik is developed at Linuxfabrik, a Swiss company specializing in Linux and open source. It is open source (GPLv2) and thrives on community involvement. Pull requests are always welcome, whether for bug fixes, new features, or porting additional platform compilers.
The project can be found on GitHub at https://github.com/Linuxfabrik/firewallfabrik