A lightweight control plane for managing firewalls, DNS protection, and threat filtering across Linux, macOS, and Windows. Agent-based. Declarative. Zero-trust from day one.
No bloated agents, no SaaS lock-in. Firewall enforcement, DNS threat filtering, and Sophos integration — from one control plane.
Lightweight Go agents run on each host across Linux, macOS, and Windows. No network tap — enforcement happens at the edge where it matters.
ACL allow/deny and rate-limit rules with per-second burst control. Define desired state once; agents converge and self-heal on drift.
Block malware, phishing, C2, TOR exit nodes, and content categories via a built-in DNS proxy. Custom HTML block pages per agent or group.
Organize agents into groups. Apply firewall rules, web lists, and block-page configs at fleet scope — one change enforces everywhere.
Heartbeats every 5 seconds. Per-rule telemetry tracks applied count, allowed packets, and filtered packets — all in one pane.
Zero-trust onboarding. Each token is consumed on first use. No shared secrets, no credential reuse, no lingering access.
Sync rules bidirectionally with Sophos appliances via XML API or discover via Sophos Central REST. Credentials encrypted with AES-256-GCM.
Every registration, rule change, and config push is recorded. Complete observability into who changed what and when.
Built on nftables with automatic backend detection. Modern Linux firewall management with per-rule packet counters, no iptables shims.
From zero to enforced in minutes, not days.
Create your account and get into the dashboard in minutes. From there, every agent, group, rule, and web policy is managed from one control plane.
Generate a one-time installation token for a new device. Use it to register agents securely without pre-baking credentials into your hosts.
Sort agents into groups by team, site, or workload. Shared firewall rules, DNS lists, and block pages can then be applied once across the entire group.
Create firewall rules, rate limits, and DNS protection policies, then roll them out fleet-wide. Agents pull the latest config automatically and enforce it locally.
Three components, one contract. The dashboard pushes config, agents pull and enforce — nftables, DNS proxy, block page, and IP reputation all in one binary.
Nuxt 4 control plane. Manage agents, groups, rules, web lists, block pages, and Sophos integrations.
Shared schema. Source of truth for every payload between dashboard and agent.
Standalone Go binary. Registers once, heartbeats every 5 s, enforces nftables, DNS proxy, and block page locally.
Self-host the control plane, deploy agents to your fleet, and manage firewalls, DNS protection, and threat filtering the way they should be — declaratively.