tatupesonen/moatd


# moatd

A small, fast host firewall for Linux. eBPF in the kernel, ufw-style commands.


## What it is

A host firewall that filters packets with eBPF (XDP on ingress, TC on egress) before they reach the kernel network stack.

## Install

```sh
git clone git@github.com:tatupesonen/moatd.git
cd moatd
cargo build --release
sudo make install
sudo systemctl daemon-reload
sudo moatd enable
```

## Usage

```sh
# Allow SSH from anywhere
sudo moatd allow 22/tcp

# Allow HTTP and HTTPS
sudo moatd allow 80/tcp
sudo moatd allow 443/tcp

# Allow SSH only on the tailscale interface
sudo moatd allow in on tailscale0 to any port 22

# Block inbound HTTP
sudo moatd deny in port 80 proto tcp

# Default deny incoming (outbound replies still pass)
sudo moatd default deny incoming

# List, delete, reset
sudo moatd list
sudo moatd delete 2
sudo moatd reset

# Show status, toggle logging
sudo moatd status
sudo moatd logging on
```

Full rule grammar:

```
moatd [in|out] [on ] [from ] [port ] [to ] [port ] [proto tcp|udp|icmp]
```

## Documentation

The full guide lives under [`book/`](book/):

```sh
cargo install mdbook
mdbook serve book
```

## License

GPL-3.0-or-later. See [LICENSE](LICENSE).
Tags: notification system