FIREWALL · ROUTER APPLIANCE

firewall

An all-Rust, modular firewall & router appliance.

A capability-gated plugin system spanning Rust, Lua and Python. A declarative config is validated, encrypted at rest, compiled to an nftables ruleset and pushed to the Linux kernel — under commit-confirm with auto-rollback.

DATA PLANE · SERVICES · HA

A complete edge in one appliance

Stateful data plane

IPv4/IPv6 forward + input chains, L2 transparent bridging, NAT (SNAT/DNAT, reflection, 1:1, masquerade) and NAT64.

Routing

Static + policy routing with multi-WAN ECMP, dynamic routing (BGP / OSPF), and traffic shaping.

IDS / IPS

Inline (NFQUEUE) intrusion prevention with a selectable detection engine — bundled and ready to enforce in-line.

VPN & remote access

WireGuard with road-warrior provisioning (QR), OpenVPN, IPsec, a captive portal and automated certificates (ACME).

eBPF/XDP & threat intel

An eBPF/XDP fast-path drop list, threat-intel feeds and GeoIP country sets enforced at the line rate.

High availability

VRRP failover with config sync between peers, plus a built-in L7 load balancer — all supervised with auto-restart.

EVERYTHING INCLUDED

Full capability list

One appliance, one declarative config — from packet filtering to plugins.

Firewalling

  • Stateful IPv4 / IPv6 forward + input chains
  • L2 transparent bridging
  • NAT — SNAT/DNAT, reflection, 1:1, masquerade
  • NAT64
  • eBPF/XDP fast-path drop list

Routing

  • Static & policy routing
  • Multi-WAN with ECMP
  • Dynamic routing (BGP / OSPF)
  • Traffic shaping / QoS

Threat intelligence

  • Threat-intel feeds
  • GeoIP country sets
  • Blocklists (incl. plugin-contributed)

IDS / IPS

  • Inline (NFQUEUE) enforcement
  • Selectable detection engine

Web & load balancing

  • L7 load balancer
  • Web application firewall (WAF)

VPN & remote access

  • WireGuard (road-warrior + QR)
  • OpenVPN
  • IPsec
  • Captive portal
  • Automated certificates (ACME)

Network services

  • DHCP server
  • DNS resolver
  • Supervised (auto-restart + graceful shutdown)

High availability

  • VRRP failover
  • Config sync between peers

Security & access

  • Forced HTTPS
  • argon2 + TOTP, login lockout
  • RBAC (admin / operator / viewer)
  • Per-user audit + secret redaction
  • CSRF + security headers
  • Secrets encrypted at rest

Plugins

  • Capability-gated, default-deny host
  • Rust/WASM, Lua & Python
  • ed25519-signed over the whole directory
  • Trust-store signature verification

Config & control

  • Declarative TOML, compiled to nftables
  • Commit-confirm with auto-rollback
  • Encrypted-at-rest store + schema versioning
  • gRPC API · web UI · CLI

Ops & deploy

  • Backup / restore
  • Structured logging + metrics endpoint
  • Immutable Linux host (Secure Boot + dm-verity)
  • x86-64 and ARM (CM4)

COMMIT-CONFIRM · AUTO-ROLLBACK

A wrong rule can't lock you out

Configuration is declarative TOML, driven over a gRPC API, a server-rendered web UI, or the CLI. It is validated and compiled before it ever touches the kernel — and reverts itself if you don't confirm.

TOML configgRPC · UI · CLI
Validateschema + presets
Storeencrypted at rest
Compile→ nftables
Kernelcommit-confirm
Feature-complete and exercised end-to-end by a 35-test in-kernel suite, host unit tests, and a supply-chain gate in CI. fw-cli apply config.toml --confirm-secs 60 → fw-cli confirm

UNDER THE HOOD

Technical profile

Appliance
x86-64 and ARM (CM4) — runs on an immutable Linux host
Control plane
All-Rust — a gRPC API, a server-rendered web UI, and a CLI
Data plane
nftables ruleset + an eBPF/XDP fast-path drop list
Config
Declarative TOML, encrypted at rest, under commit-confirm with auto-rollback
Plugins
Rust / Lua / Python — ed25519-signed and capability-gated
Security
Forced HTTPS · argon2 + TOTP · lockout · RBAC (admin/operator/viewer) · per-user audit + secret redaction
Deploy
Immutable Linux host with Secure Boot + dm-verity tooling
Observability
Structured logging, a metrics endpoint, backup/restore, and schema versioning
home-routerfirewall-natrouting-multiwan dynamic-routingvpnremote-access serviceswafload-balancer threat-feedsgeoipbridgeha-cluster