Security & assurance

Trust is an engineering artifact, not a claim

A firewall management plane is the most security-critical software on your network: it holds the keys to the thing that holds the keys. This page explains — concretely — how OgmaProtect is built to deserve that position, and how we verify it.

The shape of the system

OgmaProtect privilege-separation architecture A vertical flow: your browser connects over HTTPS to a chrooted, unprivileged web tier, which talks through a root-only socket to authd (sessions, role checks, MFA), which forwards to 16 sandboxed domain daemons, which are the only processes that touch OpenBSD configuration. Your browser HTTPS only — TLS with HSTS; no plugins, no agents Web tier — renders pages, nothing more httpd + slowcgi, chrooted, unprivileged (_www) has no access to configuration or secrets root-only unix socket authd — the gatekeeper opaque sessions · role-based access control · TOTP MFA every privileged action is authenticated and audited per-domain sockets · capability tokens 16 domain daemons — one responsibility each netd · rtd · pfd · dnsd · dhcpd · routed · 10 more each sandboxed with pledge + unveil to the minimum it needs validate → apply → atomic write → revision OpenBSD native configuration and kernel — PF, CARP, Unbound, WireGuard canonical config + revision history under /var/db/ogmaprotect
The web tier can be fully compromised without yielding configuration access: it holds no credentials, no secrets and no direct path to the daemons that do the work.

Least privilege, by construction

Compartmentalisation isn't a feature we added — it is the architecture. There is no mode in which one compromised part yields the whole router.

  • 16 single-purpose daemons. Firewall, routing, DNS, DHCP, VPN, time, health — each domain is its own process with its own tiny remit. The web tier renders pages and can do nothing else.
  • OpenBSD pledge and unveil on every daemon. Each process declares the system calls and the exact filesystem paths it needs; the kernel kills it if it steps outside them.
  • Root-only sockets and capability tokens. Domain daemons accept connections only from the authenticated gatekeeper, and inter-daemon requests carry capability tokens minted for the specific target.
  • Hardened authentication plane. Opaque session tokens in HttpOnly Secure cookies, login rate-limiting, per-user TOTP MFA with recovery codes — and the auth database lives in a split child process that can only execute immutable, pre-compiled SQL statements.

Fail closed, by default

The system is designed around operator mistakes — the most common security incident on any firewall.

  • It refuses to lock you out. Anti-lockout rules are built into every generated ruleset; management-plane guards refuse changes that would sever your own session; dangerous operations demand explicit confirmation.
  • It reverts what you don't confirm. Firewall, tunnel, WireGuard and CARP applies run in commit-confirmed windows — if the change broke your access, the router restores the previous state on its own.
  • It tells you when reality diverges. Per-domain drift detection compares live state against configured intent continuously.
  • It never phones home. No telemetry, no update checks, no cloud dependency — the only outbound connections are the ones you configure.

Audited before it is sold

Before commercial launch, the entire codebase went through a structured pre-commercial audit — 8 independent lenses, from architecture and code quality to state recovery, test health and the web tier.

The audit produced 107 findings, distilled to 23 systemic root causes, ranked and ratified into a remediation programme that is landing now, durability-first: the failure modes that could brick a router or boot it open get fixed before polish does. Backup signing and encryption ship as part of the same programme.

We publish the process and the aggregate numbers, and we describe what has been fixed once it ships. We do not publish details of open findings — transparency about method, discretion about anything an attacker could use first.

8independent audit lenses
107 → 23findings distilled to root causes
v0.5.0early access, pre-1.0 honesty
0phone-home connections

Researchers, auditors and sceptics

  • Report a vulnerability: hello@ogmaprotect.com — we practise coordinated disclosure and will credit you if you want credit.
  • Review the source. OgmaProtect is source-available; we make the source accessible to auditors and licensees on request.
  • Question our claims. Every feature statement on this site is tracked in a claims ledger tied to evidence in the repository — if we can't point at the code, we don't say it.