Stateful nftables firewall with per-VM policy enforcement
Every Tophan node runs a stateful nftables firewall managed centrally through Dragon’s Eye. Firewall policies are defined per VM, per network zone, or globally — and they follow the VM during live migration. No more spreadsheets of iptables rules scattered across hosts.
Tophan organizes firewall policy into zones. A zone is a logical grouping — “production,” “development,” “dmz,” “management” — with defined rules for traffic between zones and to the outside world. VMs inherit their zone’s baseline policy and can have additional per-VM rules layered on top.
Rules are stateful by default. Established connections are tracked and allowed without re-evaluation, keeping throughput high even with complex rulesets. NAT (source, destination, and masquerade) is built in for translation between internal and external networks. Port forwarding maps external ports to internal services with a single rule.
Rate limiting protects against floods and brute-force attacks at the hypervisor level, before traffic ever reaches the VM. Every denied packet is logged with full context — source, destination, port, protocol, matched rule — and visible in Dragon’s Eye’s security dashboard.
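As an added illustration, and not a ruleset generated by Tophan or Dragon's Eye, the hand-written nftables policy below shows how the concepts above (zones, stateful matching, source and destination NAT, port forwarding, per-source rate limiting, logging of denied traffic and a time-scheduled rule) map onto native nft syntax in a single inet table that serves IPv4 and IPv6. The bridge names, VM addresses, ports and the maintenance window are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not Tophan's generated ruleset. Interface names (br-*,
# eth0), addresses and ports are assumptions made for the illustration.

flush ruleset

table inet zone_demo {
    # Zones expressed as named interface sets: each VM vNIC hangs off a
    # per-zone bridge (assumed names), and rules match on the set.
    set zone_prod { type ifname; elements = { "br-prod" } }
    set zone_dev  { type ifname; elements = { "br-dev" } }
    set zone_dmz  { type ifname; elements = { "br-dmz" } }
    set zone_mgmt { type ifname; elements = { "br-mgmt" } }

    # Per-source budget for new SSH connections. Entries expire after a
    # minute, so the limit is enforced per client address, not globally.
    set ssh_meter { type ipv4_addr; flags dynamic; size 65535; timeout 1m }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful baseline: return traffic of tracked flows is accepted
        # without re-walking the policy; conntrack-invalid packets are dropped.
        ct state established,related accept
        ct state invalid counter drop

        # Zone defaults: management reaches every zone; the scheduled rule
        # opens dev -> prod for rsync (assumed port 873) only during a
        # 02:00-04:00 maintenance window; otherwise prod and dev are isolated.
        iifname @zone_mgmt accept
        meta hour "02:00"-"04:00" iifname @zone_dev oifname @zone_prod tcp dport 873 ct state new accept
        iifname @zone_prod oifname @zone_dev counter jump log_drop
        iifname @zone_dev oifname @zone_prod counter jump log_drop

        # Per-VM rule layered on top of the zone baseline: one prod VM
        # (assumed 10.10.0.5) may open connections to the dmz database only.
        ip saddr 10.10.0.5 oifname @zone_dmz tcp dport 5432 ct state new accept

        # Traffic that was DNAT'ed on the uplink to the published dmz web VM
        # (assumed 10.30.0.10) still has to pass the forward policy.
        iifname "eth0" oifname @zone_dmz ip daddr 10.30.0.10 tcp dport 443 ct state new accept

        # Rate-limited SSH into the dmz: a source exceeding 10 new connections
        # per minute is logged and dropped at the hypervisor, before the VM.
        oifname @zone_dmz tcp dport 22 ct state new update @ssh_meter { ip saddr limit rate over 10/minute } counter jump log_drop
        oifname @zone_dmz tcp dport 22 ct state new accept

        # Outbound access through the uplink for prod and dmz; dev has none.
        iifname @zone_prod oifname "eth0" ct state new accept
        iifname @zone_dmz oifname "eth0" ct state new accept

        # Anything not matched above is denied by the chain policy; log it
        # with full packet context first.
        jump log_drop
    }

    chain log_drop {
        # The kernel log line carries IN/OUT interface, SRC/DST, PROTO and
        # ports; the prefix identifies the ruleset. The limit keeps an attacker
        # from turning the deny log itself into a flood.
        limit rate 10/second burst 50 packets log prefix "zone_demo drop: " level info
        drop
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Destination NAT / port forwarding: the published HTTPS port on the
        # uplink maps to the dmz web VM in one rule.
        iifname "eth0" tcp dport 443 dnat ip to 10.30.0.10:443
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Source NAT: prod and dmz VM ranges (assumed) leave masqueraded
        # behind the uplink's address.
        oifname "eth0" ip saddr { 10.10.0.0/16, 10.30.0.0/16 } masquerade
    }
}
```

Validate the file without touching the live ruleset with `nft -c -f zone_demo.nft` before loading it with `nft -f`. Two points worth keeping in mind when reading the stateful rules: because established flows are accepted before the policy is consulted, tightening a rule does not cut off connections that already exist until their conntrack entries expire or are flushed, and because the `ssh_meter` set is keyed on `ip saddr` it only meters IPv4 clients; an equivalent `ipv6_addr` set is needed for the IPv6 half of a dual-stack deployment, while the interface-based zone rules apply to both families as written.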
| Feature | Description |
|---|---|
| Zone-Based Policy | Define trust zones with inter-zone rules and defaults |
| Per-VM Rules | Layer VM-specific rules on top of zone baselines |
| Stateful Tracking | Connection tracking with configurable timeout per protocol |
| Source NAT | Masquerade internal VMs behind a shared external IP |
| Destination NAT | Port forwarding from external IPs to internal services |
| Rate Limiting | Per-rule rate limits to block floods and brute-force |
| Logging | Full packet metadata logged per rule, searchable in dashboard |
| Migration Aware | Firewall state follows the VM to the new host |
| IPv4/IPv6 Dual Stack | Full support for both address families in all rule types |
| Scheduled Rules | Time-based rules for maintenance windows or access schedules |