Zero-Trust Firewall
Stratum's firewall is a dual-stack (IPv4 and IPv6) L3/L4 ACL enforced in the eBPF data plane. Rules are ordered: each rule matches on protocol, source/destination address (or CIDR), and source/destination port, and the first match wins. When no rule matches, the configured default action applies. You write policy in terms of network names and endpoint addresses.
The ACL logic lives in a shared acl.h that is folded into the two programs actually attached to the live datapath — xdp_bridge on the workload bridge and xdp_gateway on a Gateway node's forwarding interfaces — so the same verdict is applied wherever traffic enters. A source-IP blocklist is checked alongside the ACL in the same programs.
Stateful rules use the eBPF connection-tracking table: the kernel maintains per-flow state so return traffic for an established flow is permitted without a matching reverse rule, all without round-trips to user space.
The default action
The firewall has a single no-match (default) action that applies when no rule matches a packet. It defaults to allow and is persisted, so a configured default survives a reboot — it is written into the eBPF fw_config map. For a zero-trust posture, set the default to deny so traffic is isolated until you add an explicit allow rule.
Setting the default to deny is strongly recommended. An explicit allowlist is much easier to audit than a denylist. Because the default action is global to the firewall, plan your allow rules before flipping it to deny.
Adding allow rules
The firewall allow command adds a stateful allow rule. The connection-tracking table automatically permits return traffic for established flows, so you only need to allow traffic in one direction.
Allow inbound HTTP and HTTPS to a specific endpoint:
sudo cenvero-str-ctl firewall allow \
--network app-net \
--to 10.20.0.50 \
--port 80,443 \
--proto tcp
Allow an endpoint to initiate outbound connections (egress to anywhere):
sudo cenvero-str-ctl firewall allow \
--network app-net \
--from 10.20.0.50 \
--egress
Allow traffic between two endpoints on the same network:
sudo cenvero-str-ctl firewall allow \
--network app-net \
--from 10.20.0.50 \
--to 10.20.0.60 \
--port 5432 \
--proto tcp
Allow a network-level rule (any host on app-net to any host on db-net):
sudo cenvero-str-ctl firewall allow \
--from-network app-net \
--to-network db-net \
--port 5432 \
--proto tcp
Listing and removing rules
cenvero-str-ctl firewall list --network app-net
ID DIRECTION FROM TO PROTO PORTS ACTION
1 inbound any 10.20.0.50 tcp 80,443 allow
2 egress 10.20.0.50 any any any allow
3 inbound 10.20.0.50 10.20.0.60 tcp 5432 allow
Remove a rule by its ID:
sudo cenvero-str-ctl firewall delete 3
Changes apply to new flows immediately. Established flows already in the connection table continue until they close.
Explicit deny rules
Use firewall deny to add a block rule. Give it a higher priority than your allow rules so it is evaluated first — useful for incident response:
sudo cenvero-str-ctl firewall deny \
--to 10.20.0.50 \
--src 198.51.100.44 \
--proto tcp
Allow and deny rules share the same ordered ACL; the first match wins, so a higher-priority deny is evaluated before the allow rules below it.
Connection tracking
The agent exposes the connection table for inspection:
cenvero-str-ctl firewall conntrack --network app-net
PROTO SRC DST STATE AGE
tcp 10.20.0.50:54321 10.30.0.10:5432 ESTABLISHED 42s
tcp 203.0.113.5:12345 10.20.0.55:443 ESTABLISHED 3s
Flush all tracked connections for an endpoint (forces re-evaluation against current rules):
sudo cenvero-str-ctl firewall conntrack flush --address 10.20.0.50
Anti-spoof enforcement on the bridge
Independently of the ACL, the xdp_bridge program enforces anti-spoofing on the workload bridge so an endpoint cannot impersonate another:
- MAC binding — the source MAC of every frame must be a MAC the agent bound to that port; an unknown source MAC is dropped (default-deny on MACs).
- IPv4 source guard + Dynamic ARP Inspection — an IPv4 source address bound to a MAC must arrive from its bound MAC, and an ARP sender hardware address must match the frame's source MAC and the IP↔MAC binding.
- IPv6 source guard + ND inspection — the 16-byte IPv6 source is guarded the same way, and Neighbor Discovery messages must carry the frame's real source MAC (anti-ND-spoofing).
These checks run before the ACL, so spoofed frames never reach the rule evaluation.
See also
- Networking Overview — where firewall enforcement sits in the data plane.
- Load Balancer — VIP addresses need their own allow rules for external access.
- BGP Edge Routing — north-south traffic from Gateway nodes also passes through the firewall.
- Quick Start — basic policy example.