Beta · Q3 2026 · High-Performance Gateway Firewall

High-Performance
Gateway Firewall for
Modern Infrastructure.

Protect internet-facing services against unwanted traffic, DDoS attacks, and network threats using a lightweight, Linux-native firewall platform.

Your website stays online.
What is Neurowall?

A gateway firewall designed to secure
cloud, edge, and hybrid environments.

Neurowall is a gateway firewall designed to secure cloud, edge, and hybrid environments. Unlike traditional firewall appliances, Neurowall runs on standard Linux infrastructure and is built to deliver fast packet processing, centralized policy management, and flexible deployment options.

Built on eBPF and XDP, Linux kernel networking technologies that run the filtering program in the NIC driver's receive path. In native XDP mode a dropped packet never gets a socket buffer allocated and never enters the full network stack, so flood traffic is discarded before it costs the host anything beyond the driver interrupt (generic XDP mode attaches later in the receive path and gives less of that benefit).

272K+
Rules at full line rate

Maintained the test host's full uplink line rate (about 111 MB/s, roughly 0.9 Gbps) with 272,139 active rules loaded. Loading the rules produced no throughput reduction.

<3s
HA failover

Active-passive failover in under 3 seconds. Services keep running if a node fails.

15min
To first rule

Deploy on any Linux server and have your first firewall rule running in under 15 minutes.

0
Proprietary hardware

Runs on servers, VMs, and cloud instances you already operate. No appliances to buy or refresh.

What can it protect?

Wherever your traffic arrives.

Cloud infrastructure
Cloud VMs

Deploy on AWS, Azure, GCP, or any cloud provider's Linux instances. Same policy, same management, any region.

APIs & services
Public APIs

Block malicious traffic, rate-limit abuse, and stop DDoS attacks before they reach your API endpoints.

Container platforms
Kubernetes Ingress

Deploy as a DaemonSet on ingress nodes. Filter at the XDP layer before traffic reaches application pods.

Distributed offices
Branch Offices

Standard Linux hardware at each location. Centralized policy management from one control plane, no per-site consoles.

On-premises
Data Centers

Replace proprietary appliances with a Linux-native gateway firewall. No hardware refresh cycles, no vendor lock-in.

Managed services
Hosting Providers

Per-customer policy isolation via REST API. Deliver firewall-as-a-service on infrastructure you already operate.

Network edge
Internet Gateways

Protect the boundary between the internet and your internal network. Block threats at the edge before they reach anything internal.

Business benefits

What your organization gains.

Reduce Downtime

Stop unwanted traffic before it impacts applications. DDoS attacks are absorbed at the network edge — your services keep running.

Simplify Firewall Management

Manage policies centrally across multiple gateways from one control plane. One REST API, one web UI, consistent policy everywhere.

Lower Infrastructure Costs

Deploy on commodity hardware or cloud instances instead of proprietary appliances. No hardware refresh cycles. No per-appliance licensing.

Grow Without Hardware Lock-In

Scale using standard Linux infrastructure. Add capacity by deploying another Linux instance — no appliance procurement, no vendor engagement.

Core capabilities

Everything in one platform.

Gateway Firewall · DDoS Protection · Threat Intelligence · DNS Sinkhole · High Availability · REST API · RBAC · Monitoring · WireGuard VPN · Port Forwarding · NAT / Masquerading · L7 Domain Blocking

Detailed capability breakdown below. Technical depth is available — after you understand what Neurowall does for your business.

Deployment options

If Linux runs there,
Neurowall runs there.

No special hardware required. Deploy on infrastructure you already operate.

Linux market share
61%+ · Public web servers
90%+ · Major cloud platforms
96% · Top 1M websites
45–60% · Enterprise & data centers
100% · TOP500 supercomputers
No proprietary hardware

Neurowall runs on standard Linux servers, VMs, and cloud instances you already operate. No appliances to procure, rack, or refresh.

Every environment, one platform

AWS, Azure, GCP, on-premises, bare metal, Kubernetes ingress nodes, edge locations — the same Neurowall binary, the same REST API, everywhere.

Kernel-speed enforcement

eBPF and XDP process packets at the driver level — before the kernel's full network stack — on the same Linux infrastructure your applications already run on.

Environment · Deployment Method
Cloud (AWS, Azure, GCP) · Linux VM or instance in VPC / VNet
On-premises · Bare metal server or virtual machine
Hybrid · Mix of cloud and on-premises, managed from one control plane
Virtual Machines · VMware, KVM, Hyper-V, or any hypervisor running Linux
Bare Metal · Standard x86_64 Linux server, no proprietary NIC required
Kubernetes Ingress · DaemonSet on ingress nodes, scales with the cluster
Compare

How Neurowall stacks up against realistic alternatives.

Criterion · Traditional Firewall / Cloud Firewall / Neurowall
Hardware required · Yes / No / No
Linux-native · No / Partial / Yes
API-first · Limited / Good / Yes
High-performance packet processing · Good / Good / Excellent
Flexible deployment · Limited / Cloud only / Cloud + On-prem + Bare-metal
Core capabilities

Enterprise-grade, kernel-native defense.

Built entirely on modern Linux kernel technologies — no appliances, no licensing games.

01 · Traffic enforcement
High-performance packet filtering

5-tuple rules (src IP, dst IP, src port, dst port, protocol) synced atomically to both the eBPF/XDP fast path and nftables stateful path. Full IPv4 and IPv6 support — CIDR ranges, port ranges, allow/deny/drop actions, per-rule counters, and rollback on failure.
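The rule semantics described above (src/dst CIDR, port ranges, protocol, allow/deny/drop, priority order, per-rule counters, and an all-or-nothing load that rolls back on a bad rule), written out as an added example in plain Python. This is not Neurowall code: the rule shapes, addresses and default policy are constructed for illustration, and a real XDP fast path would keep these in BPF maps (LPM tries for the CIDRs) rather than Python objects.

```python
"""Added example (not Neurowall code): 5-tuple rule matching with priority,
per-rule counters and an atomic, validate-then-swap ruleset load."""
import ipaddress
from dataclasses import dataclass, field

PROTOCOLS = ("tcp", "udp", "icmp", "icmpv6", "any")
ACTIONS = ("allow", "deny", "drop")
ANY_PORT = (0, 65535)


@dataclass
class Rule:
    src: str                  # CIDR ("203.0.113.0/24", "2001:db8::/32") or "any"
    dst: str
    sport: tuple = ANY_PORT   # inclusive (lo, hi) port range
    dport: tuple = ANY_PORT
    proto: str = "any"
    action: str = "drop"
    priority: int = 100       # lower number is evaluated first
    hits: int = field(default=0, compare=False)

    def __post_init__(self):
        # Validate at construction so a bad rule is rejected before it can be installed.
        if self.action not in ACTIONS:
            raise ValueError(f"bad action {self.action!r}")
        if self.proto not in PROTOCOLS:
            raise ValueError(f"bad proto {self.proto!r}")
        for lo, hi in (self.sport, self.dport):
            if not (0 <= lo <= hi <= 65535):
                raise ValueError(f"bad port range {(lo, hi)!r}")
        self._src = None if self.src == "any" else ipaddress.ip_network(self.src, strict=False)
        self._dst = None if self.dst == "any" else ipaddress.ip_network(self.dst, strict=False)

    def matches(self, src, dst, sport, dport, proto) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        # "in" is False for an address of the other IP version, so a v4 rule
        # never accidentally matches v6 traffic (and vice versa).
        if self._src is not None and ipaddress.ip_address(src) not in self._src:
            return False
        if self._dst is not None and ipaddress.ip_address(dst) not in self._dst:
            return False
        return self.sport[0] <= sport <= self.sport[1] and self.dport[0] <= dport <= self.dport[1]


class RuleTable:
    """First-match-by-priority table with an all-or-nothing load."""

    def __init__(self, default: str = "drop"):
        self.rules = []
        self.default = default        # policy when nothing matches

    def load(self, specs) -> int:
        # Build every Rule first. A ValueError escapes before the assignment
        # below, so the previously loaded table stays live: nothing is ever
        # half-applied, which is the "rollback on failure" behaviour.
        new = sorted([Rule(**s) for s in specs], key=lambda r: r.priority)
        self.rules = new              # single reference swap
        return len(new)

    def evaluate(self, src, dst, sport, dport, proto) -> str:
        for rule in self.rules:
            if rule.matches(src, dst, sport, dport, proto):
                rule.hits += 1        # per-rule counter
                return rule.action
        return self.default


# Constructed ruleset: a v4 /24 allowed to 443, one host inside it denied
# outright at higher priority, and a v6 prefix allowed to ports 80-443.
SAMPLE_RULES = [
    {"src": "203.0.113.0/24", "dst": "any", "dport": (443, 443), "proto": "tcp", "action": "allow", "priority": 10},
    {"src": "203.0.113.66/32", "dst": "any", "action": "deny", "priority": 5},
    {"src": "2001:db8::/32", "dst": "any", "dport": (80, 443), "proto": "tcp", "action": "allow", "priority": 20},
]


def demo():
    table = RuleTable(default="drop")
    table.load(SAMPLE_RULES)
    verdicts = [
        table.evaluate("203.0.113.7", "198.51.100.1", 40000, 443, "tcp"),   # allow
        table.evaluate("203.0.113.66", "198.51.100.1", 40000, 443, "tcp"),  # deny (priority 5 wins)
        table.evaluate("2001:db8::9", "2001:db8:1::1", 5000, 443, "tcp"),   # allow
        table.evaluate("192.0.2.1", "198.51.100.1", 1, 22, "tcp"),          # default drop
    ]
    try:                              # a malformed batch must leave the table untouched
        table.load([{"src": "any", "dst": "any", "dport": (70000, 1)}])
    except ValueError:
        pass
    return verdicts, len(table.rules), table.rules[1].hits


if __name__ == "__main__":
    print(demo())
```

The load path is the part worth copying: validation of every rule happens before the single reference swap, which is the same shape as updating a BPF map from a fully validated userspace ruleset rather than one entry at a time.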

02 · DDoS protection
7-module flood defense

Token-bucket rate limiting plus six flood-specific modules: SYN, ACK, ICMP, FIN, RST, and UDP cost filter. FIN and RST are off by default. All thresholds tunable at runtime — changes apply in under 30 seconds with no traffic interruption. Fragment bomb defense included.

03 · Threat intelligence
Multi-source feed ingestion

Pulls indicators from abuse.ch, AlienVault OTX, AbuseIPDB, and compatible sources. IP indicators push directly into the kernel blocklist. URL extraction pipeline parses raw feed URLs into domain blocks. Redis-backed caching survives restarts. Integrity-check API flags null-epoch rows, expired leaks, and allow-field anomalies.
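An added example of the ingestion pass described above, with the three integrity checks the page names (null-epoch rows, expired indicators that leaked into the active set, and indicators that collide with an allow entry). This is not Neurowall code: the feed text, its CSV layout and the allowlist are constructed for this example and do not mirror any real abuse.ch, OTX or AbuseIPDB format.

```python
"""Added example (not Neurowall code): parse a mixed IP/URL indicator feed into
kernel blocklist IPs and domain blocks, flagging integrity problems instead of
silently pushing them."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample feed: indicator,first_seen_epoch,expires_epoch
SAMPLE_FEED = """\
# indicator,first_seen_epoch,expires_epoch
198.51.100.23,1700000000,1893456000
2001:db8:bad::1,1700000000,1893456000
203.0.113.9,1700000000,1700003600
192.0.2.77,1700000000,
http://malware.example/drop.php?id=1,1700000000,1893456000
https://cdn.evil-example.net:8443/x,1700000000,1893456000
not an indicator at all
"""

# Constructed operator allowlist. A feed indicator that is also allowed must be
# surfaced for review, never pushed into the kernel blocklist behind the
# operator's back.
ALLOWLIST = frozenset({"198.51.100.23"})


def parse_feed(text: str, now: int, allowlist=ALLOWLIST) -> dict:
    out = {"ips": [], "domains": [], "anomalies": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            out["anomalies"].append((lineno, "unparseable", line))
            continue
        indicator, _first_seen, expires = parts
        if expires in ("", "0"):                       # null-epoch row
            out["anomalies"].append((lineno, "null_epoch", indicator))
            continue
        try:
            expires_at = int(expires)
        except ValueError:
            out["anomalies"].append((lineno, "unparseable", line))
            continue
        if expires_at <= now:                          # expired indicator leaking in
            out["anomalies"].append((lineno, "expired", indicator))
            continue
        if indicator in allowlist:                     # allow-field conflict
            out["anomalies"].append((lineno, "allow_conflict", indicator))
            continue
        try:                                           # IP indicator -> kernel blocklist
            out["ips"].append(str(ipaddress.ip_address(indicator)))
            continue
        except ValueError:
            pass
        # URL indicator -> domain block: keep the host only, drop scheme/port/path
        host = urlsplit(indicator).hostname if "://" in indicator else indicator.lower()
        if host and "." in host:
            out["domains"].append(host)
        else:
            out["anomalies"].append((lineno, "unparseable", indicator))
    return out


if __name__ == "__main__":
    result = parse_feed(SAMPLE_FEED, now=1800000000)
    print(result["ips"], result["domains"])
    for lineno, kind, what in result["anomalies"]:
        print(f"line {lineno}: {kind}: {what}")
```

Anomalies are returned alongside the clean indicators rather than raised, because a feed with one bad row should still deliver the other rows; the caller decides whether an allow conflict blocks the whole push or only that entry.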

04 · L7 domain blocking
L7 SNI/DNS policy engine

Vaanvil enforces domain blocks at Layer 7 via SNI inspection and DNS interception. Blocks can be global, source-scoped (block a domain only for a specific IP/CIDR), or destination-scoped. Blocked domains sync automatically to a local Unbound sinkhole so DNS resolution is also intercepted.
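The mechanics behind the paragraph above, as an added example that is not Vaanvil or Neurowall code: build a minimal TLS ClientHello, pull the server_name out of it with bounds-checked parsing (a truncated or non-TLS first segment yields no SNI rather than an exception), apply global, source-scoped and destination-scoped domain blocks, and emit the Unbound local-zone lines a sinkhole would carry for the globally blocked names. The domains, CIDRs and policy entries are constructed; `always_nxdomain` is a real Unbound local-zone type.

```python
"""Added example (not Vaanvil/Neurowall code): SNI extraction from a TLS
ClientHello plus scoped L7 domain blocks and the matching DNS sinkhole zones."""
import ipaddress
import os
import struct


def build_client_hello(host: str) -> bytes:
    """Minimal ClientHello record carrying only a server_name extension."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
    body = (b"\x03\x03" + os.urandom(32)                           # client_version + random
            + b"\x00"                                              # session_id length 0
            + b"\x00\x02\x13\x01"                                  # one cipher suite
            + b"\x01\x00"                                          # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record type 22 = handshake


def extract_sni(data: bytes):
    """Return the host_name from a ClientHello, or None if absent or malformed."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        p = 5 + 4 + 2 + 32                                 # record hdr, hs hdr, version, random
        p += 1 + data[p]                                   # session_id
        p += 2 + struct.unpack("!H", data[p:p + 2])[0]     # cipher_suites
        p += 1 + data[p]                                   # compression_methods
        ext_end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            p += 4
            if etype == 0:
                list_len = struct.unpack("!H", data[p:p + 2])[0]
                q, list_end = p + 2, p + 2 + list_len
                while q + 3 <= list_end:
                    ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:
                        name = data[q:q + nlen]
                        return name.decode("ascii") if len(name) == nlen else None
                    q += nlen
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


# Constructed policy: (domain, scope kind, scope CIDR); subdomains match too.
POLICY = [
    ("tracker.example", "global", None),
    ("social.example", "src", "203.0.113.0/24"),      # only for clients in that range
    ("updates.example", "dst", "198.51.100.0/24"),    # only when the server is in that range
]


def l7_verdict(src_ip: str, dst_ip: str, sni, policy=POLICY) -> str:
    if sni is None:
        return "pass"            # nothing to match at L7; L3 rules still apply to the flow
    sni = sni.lower().rstrip(".")
    for domain, kind, cidr in policy:
        if not (sni == domain or sni.endswith("." + domain)):
            continue
        if kind == "global":
            return "drop"
        subject = ipaddress.ip_address(src_ip if kind == "src" else dst_ip)
        if subject in ipaddress.ip_network(cidr):
            return "drop"
    return "pass"


def unbound_sinkhole(policy=POLICY) -> list:
    """local-zone lines for the globally blocked domains (NXDOMAIN on resolve)."""
    return [f'local-zone: "{d}." always_nxdomain' for d, kind, _ in policy if kind == "global"]
```

Only global blocks can be mirrored into DNS: a source-scoped block depends on who is asking, which a resolver answer cannot express, so those stay enforced on the TLS path only.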

05 · Admin & RBAC
Three roles, full audit trail

Admin (full access), Operator (rules + policy, own password), Viewer (read-only). Every state-changing operation is written to an immutable audit log with user identity and timestamp. Config hot-reload applies TI settings, feed parameters, and sidecar config live — no restart, no traffic interruption.
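An added example of the role model and audit trail described above, not Neurowall code. The three roles are the page's; the permission names, users and timestamps are constructed. The page says only that the log is immutable; the hash chain below is this example's way of making that property checkable, since each record commits to the previous record's digest and any edit, deletion or reordering breaks verification.

```python
"""Added example (not Neurowall code): RBAC permission checks for the Admin /
Operator / Viewer roles, with every attempt recorded in a hash-chained
append-only audit log."""
import hashlib
import json

# Constructed permission names; the role split follows the page's description.
ROLE_PERMISSIONS = {
    "admin":    {"read", "rules:write", "policy:write", "config:write", "users:write", "password:own"},
    "operator": {"read", "rules:write", "policy:write", "password:own"},
    "viewer":   {"read"},
}

GENESIS = "0" * 64


def _digest(body: dict) -> str:
    # Canonical JSON so the digest does not depend on key order or whitespace.
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, user: str, role: str, action: str, target: str, ts: int) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": ts, "user": user, "role": role, "action": action, "target": target, "prev": prev}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """True only if no entry was edited, removed or reordered."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def authorize(log: AuditLog, user: str, role: str, permission: str, action: str, target: str, ts: int) -> bool:
    """Decide and record. Denied attempts are logged as well, so the trail shows
    who tried what, not only what succeeded."""
    allowed = permission in ROLE_PERMISSIONS.get(role, set())
    log.append(user, role, f"{action}:{'ok' if allowed else 'denied'}", target, ts)
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    authorize(log, "alice", "viewer", "rules:write", "rule.create", "rule/42", 1700000000)
    authorize(log, "bob", "operator", "rules:write", "rule.create", "rule/42", 1700000001)
    print(log.verify(), [e["action"] for e in log.entries])
```

An unknown role resolves to an empty permission set, so a typo in a role name fails closed rather than granting anything.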

06 · HA & resilience
Active-passive etcd clustering

Leader election via etcd with ~2–3 s failover. Rules, threats, and config replicate to all cluster members via etcd watches. If etcd becomes unavailable, each node continues independently with its last-known state. Standalone mode is fully supported — no cluster required.

07 · Observability
70+ Prometheus metrics & Grafana dashboards

Metrics cover request latency, rule/threat counts, eBPF packet totals, DDoS counters, Redis hit rates, HA events, TI URL ingestion, DNS sink sync, Vaanvil webhook events, and more. Pre-built Grafana dashboards and SSE endpoints for real-time stats streaming to ops dashboards.

08 · Network management
Routes, NAT, port forwarding & VPN

Static route lifecycle management for controlled pathing. Masquerading/NAT with POSTROUTING rule management. Port forwarding provisioning via the firewall UI. WireGuard VPN peer management and config for site-to-site or admin access into protected networks.

09 · UDP service profiles
Per-protocol amplification control

Each UDP packet is scored by payload size and service type — DNS, NTP, Memcached, and others. Sources accumulating excessive cost scores are rate-limited before they can amplify against a target. Thresholds are configurable per service profile.
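An added example covering both the token-bucket rate limiting in the DDoS protection section and the per-service cost scoring described just above; it is not Neurowall code. Each source gets one bucket, and every UDP packet's cost is its payload size in 64-byte units times a multiplier taken from the destination-port service profile, so a source hammering an amplification-prone service burns its budget far faster than one sending small DNS queries. The profiles, multipliers, rate, burst and addresses are constructed; the real thresholds are the operator's runtime settings. The per-flag flood modules are the same bucket shape with a cost of 1 per flagged packet.

```python
"""Added example (not Neurowall code): per-source token buckets with a UDP
service-profile cost per packet."""
import math


class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill, at most `burst` stored."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens = burst
        self.last = 0.0

    def take(self, cost: float, now: float) -> bool:
        elapsed = max(0.0, now - self.last)      # tolerate a clock that steps backwards
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


# Constructed service profiles keyed by destination port: (name, cost multiplier).
# Larger multipliers for protocols with larger amplification factors.
UDP_PROFILES = {
    53: ("dns", 2.0),
    123: ("ntp", 4.0),
    11211: ("memcached", 8.0),
}


def udp_cost(dst_port: int, payload_len: int) -> float:
    """Cost = payload in 64-byte units times the service multiplier (1.0 for unknown ports)."""
    _name, mult = UDP_PROFILES.get(dst_port, ("other", 1.0))
    return math.ceil(payload_len / 64) * mult


class CostFilter:
    """One bucket per source IP, shared thresholds for the whole filter."""

    def __init__(self, rate: float = 50.0, burst: float = 200.0):
        self.rate, self.burst = rate, burst
        self.buckets = {}
        self.stats = {"pass": 0, "drop": 0}      # what a per-interface drop counter would expose

    def check(self, src: str, dst_port: int, payload_len: int, now: float) -> str:
        if src not in self.buckets:
            self.buckets[src] = TokenBucket(self.rate, self.burst)
        ok = self.buckets[src].take(udp_cost(dst_port, payload_len), now)
        verdict = "pass" if ok else "drop"
        self.stats[verdict] += 1
        return verdict


if __name__ == "__main__":
    cf = CostFilter(rate=50.0, burst=200.0)
    # Constructed traffic: one source blasting 1400-byte memcached payloads, one
    # source sending small DNS queries.
    for t in (0.0, 0.0, 4.0):
        print("memcached", cf.check("198.51.100.9", 11211, 1400, t))
    dns = [cf.check("203.0.113.5", 53, 60, 0.0) for _ in range(101)]
    print("dns passes:", dns.count("pass"), "stats:", cf.stats)
```

With these constructed numbers a single 1400-byte memcached packet costs 176 tokens, so the second one from the same source in the same instant is dropped and the source has to wait for refill, while a hundred 60-byte DNS queries fit inside the same burst. Real deployments size rate and burst per service profile, which is what the page's per-profile thresholds are.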

Inside the product

Built to be operated.

Real screenshots from a production Neurowall instance. DDoS Guard with eBPF/XDP rate limiting, system telemetry with sync-failure alerting, and live L7 verdict streaming — all built into the admin surface.

screen · /monitor/system-overview Neurowall System Overview — uptime, health, resources, throughput, and traffic-flow diagram

Status, resources, and live throughput

Uptime, health, HA mode, interfaces, CPU/memory/disk gauges, throughput graph, and a traffic-flow diagram on a single screen. When rule sync fails, the count surfaces as a persistent nav-bar badge so operators see drift the moment it happens — no separate alerting plumbing required.

22d+ uptime, healthy: System status, HA mode, and active interface count at a glance.
Throughput · 50s rolling: IN/OUT split with peak markers.
Traffic flow diagram: Internet → interface → Neurowall → hosts. Live counters.
screen · /monitor/telemetry/l7-events Neurowall L3/L7 Events telemetry — verdict timeline, live event stream, and SNI/host distribution

Filter, replay, and watch L3 / L7 events live

Verdict-timeline chart over a chosen window, a live event stream with src/dst, protocol, SNI, and JSON extras, plus verdict distribution and top SNI breakdown. Switch between L3 and L7 views; filter by IP, port, SNI, verdict, or date.

L3 + L7 views: Packet-level and TLS-aware telemetry side by side.
Live stream: Newest events at the top. SNI/host visible.
JSON drill-down: Every event is queryable structured data.
screen · /monitor/statistics Neurowall Interface Statistics — live packet and byte counters with drop reasons breakdown for eno1 XDP interface

Live packet counters, every interface

Per-interface XDP statistics with auto-refresh (5s/10s/30s). Total packets, allowed vs. dropped split, byte counters, and a full drop-reasons breakdown (Rate Limit, SYN Flood, Cost Filter, UDP/ACK/ICMP) so you can see exactly why traffic isn't reaching the host.

85.5K packets · 100% allow: Live counters with 28-point activity history.
Drop reasons: Rate-limit, SYN-flood, cost-filter, split by share.
Fragment policy: Policy / global / per-src / RFC violations, counted separately.
screen · /firewall/allow-block-ip · create Neurowall rule builder — visual flow from Source to Neurowall action to Destination, with advanced options

Rule creation, without the syntax

A visual Source → Neurowall → Destination flow with plain-English labels: "Who is sending the traffic" and "Your server receiving the traffic." Action, interface, protocol, chain, priority, and enforcement mode (eBPF-only / nftables-only) are all set on one screen. No CLI session and no hand-written config stanzas required.

Visual flow: Reads top-to-bottom. Hint text for every field.
Enforcement mode: Pick eBPF-only or nftables-only per rule.
Chain & priority: INPUT / FORWARD / OUTPUT with explicit ordering.
screen · /security/ddos-guard Neurowall DDoS Guard — eBPF/XDP rate limiting & flood defense with 6/7 protection modules active

eBPF/XDP rate limiting & flood defense

Seven protection modules cover the full TCP/UDP/ICMP flood spectrum, with a 2,000,000 PPS rate limit and per-module enable/disable. Each module ships with operator-facing context — what it stops, when to turn it off.

SYN / ACK / FIN / RST: Full TCP flood coverage with per-flag tuning.
ICMP & UDP cost filter: Volumetric attacks and amplification, scored at packet level.
Restore defaults: One click to fall back to a known-safe baseline.
screen · /system/users Neurowall User Management — accounts, roles, and access control with Admin, Operator, and Viewer roles

Accounts, roles & access

Three built-in roles — Admin (full access), Operator (rule + policy changes), and Viewer (read-only). Lock, edit, or delete any account; create new users with a visible toast confirmation. Every change is attributed in the audit log.

Three default roles: Admin · Operator · Viewer. Extendable.
Lock without delete: Suspend access without losing audit history.
Status surface: Total / enabled / locked / admins at a glance.
Also included in the admin surface
// not shown above
WireGuard VPN

Peer management and config screens for site-to-site or admin VPN access into protected networks.

DNS Sinkhole

Blocked TI domains sync to a local Unbound instance in real time — DNS resolution is intercepted alongside L7 packet drops.

Port Forwarding

Port forwarding rules provisioned directly from the firewall UI. Managed alongside allow/block rules in the same policy surface.

Masquerading / NAT

POSTROUTING masquerade rules with automatic discovery and mapping of NAT entries. Managed from the network surface.

Config hot-reload

Apply TI settings, feed parameters, URL ingestion policy, and sidecar config live — no restart, no traffic interruption.

Vaanvil

Webhook ingestion, managed L7 policy writes, and sync status for the SNI/DNS domain enforcement engine.

Sync-failed alerts

Rule reconciliation failures surface as persistent nav badges until acknowledged or resolved.

Backup & Restore

Snapshot rules, threats, and config to local storage or S3. Gzip-compressed, differential, checksum-validated before restore.

Proof · live benchmark

Real load. Zero speed loss.

Captured from a production Neurowall instance — eBPF/XDP enforcement active across 272K rules, three consecutive 2.88 GB downloads from an external mirror clocked back-to-back. Constant line-rate throughput, no degradation between runs.

272,139 · Active rules synced
0 · Sync failures
~111 MB/s · Sustained throughput, consecutive runs identical
// neurowall admin · firewall · allow / block ip
Neurowall firewall rules table showing 272,139 active rules with 0 sync failures
272,139 rules synced, 0 failures: eBPF/XDP + nftables policy synced across the full ruleset. The admin UI shows eBPF-only entries (fast path), and all rules report SYNCED status.
// debian@ns3150926 · wget · linuxmint-22.3-cinnamon.iso 2.88 GB × 3
Terminal output showing three consecutive 2.88GB downloads at sustained 108-112 MB/s through Neurowall
108 → 112 MB/s, run after run: Three back-to-back wget downloads of a 2.88 GB ISO through an instance with the full ruleset loaded. Consistent 26–27 s completion time and identical line rate each run.

// data plane: eBPF/XDP + nftables // no kernel bypass, no userspace proxy

Performance characteristics

What we have confirmed.

One verified benchmark so far. It is a single bulk TCP download that saturates a roughly 1 Gbps uplink with large packets, so it shows that rule count does not cost throughput on that path; packets-per-second capacity under small-packet floods and per-packet latency with the DDoS modules active are what the pending benchmarks measure. Throughput and latency figures will be published as those formal benchmarks complete, since hardware, NIC, driver, and XDP mode all affect results.

Throughput · confirmed
Rules loaded: 272K+ (272,139 active rules, 0 sync failures)
Sustained throughput: ~111 MB/s (full line rate of the test host's uplink, roughly 0.9 Gbps; 3 consecutive runs identical)
Throughput loss: 0 (adding rules did not reduce throughput)

Pending benchmarks
Throughput (Gbps): TBD (varies by NIC, driver, CPU, IRQ tuning, and XDP mode)
Latency (fast path): TBD (eBPF/XDP path; formal measurement in progress)
Latency (with DDoS): TBD (all flood modules active; varies by packet mix)

Memory
Kernel: 52–124 MB (locked kernel memory held by the BPF maps; depends on the configured map sizes)
Process RSS: 50–200 MB (varies with ruleset and TI feed size)
Monitoring & observability

Deep visibility, shipped.

Full operational monitoring is built and running. System health, per-interface XDP counters, and live L3/L7 event telemetry are all available in the admin surface today.

System overview
Uptime, health & resources

Single screen: uptime, health status, HA mode, active interface count, CPU/memory/disk gauges, a 50-second rolling throughput graph, and a live traffic-flow diagram showing IN/OUT split between internet and hosts.

Interface statistics
Per-interface XDP counters

Total packets, allowed vs. dropped split, byte totals, and a full drop-reason breakdown — Rate Limit, SYN Flood, Cost Filter, UDP, ACK, ICMP — so you can see exactly why traffic isn't reaching the host. Auto-refresh at 5s, 10s, or 30s.

L3 / L7 telemetry
Verdict timeline & live event stream

Verdict-timeline chart over any time window, a live event stream with src/dst IP, port, protocol, SNI, and JSON extras, plus verdict distribution and top SNI/host breakdown. Filter by IP, port, SNI, verdict, or date range. Switch between L3 and L7 views.

Who benefits

Built for the teams running production.

From security to SRE to managed providers — Neurowall slots into existing workflows.

Security teams
Block threats. Prove it.

Stop attack traffic at the edge and produce an immutable audit trail that shows exactly what was blocked, when, and why. Respond faster because the controls are simple.

Platform & SRE
Manage it like everything else

REST API, CLI, and Prometheus metrics mean Neurowall fits into existing Terraform, Ansible, and Grafana workflows. No specialist firewall knowledge required.

Hosting & managed providers
Protect customers. Add revenue.

Offer firewall-as-a-service and DDoS protection as paid add-ons. Per-customer isolation via API means you can scale to any number of tenants without manual configuration.