Trust is an engineering artifact, not a claim
A firewall management plane is the most security-critical software on your network: it holds the keys to the thing that holds the keys. This page explains — concretely — how OgmaProtect is built to deserve that position, and how we verify it.
The shape of the system
Least privilege, by construction
Compartmentalisation isn't a feature we added — it is the architecture. There is no mode in which one compromised part yields the whole router.
- 16 single-purpose daemons. Firewall, routing, DNS, DHCP, VPN, time, health — each domain is its own process with its own tiny remit. The web tier renders pages and can do nothing else.
- OpenBSD pledge and unveil on every daemon. Each process declares the system calls and the exact filesystem paths it needs; the kernel kills it if it steps outside them.
- Root-only sockets and capability tokens. Domain daemons accept connections only from the authenticated gatekeeper, and inter-daemon requests carry capability tokens minted for the specific target.
- Hardened authentication plane. Opaque session tokens in HttpOnly Secure cookies, login rate-limiting, per-user TOTP MFA with recovery codes — and the auth database lives in a split child process that can only execute immutable, pre-compiled SQL statements.
Fail closed, by default
The system is designed around operator mistakes — the most common security incident on any firewall.
- It refuses to lock you out. Anti-lockout rules are built into every generated ruleset; management-plane guards refuse changes that would sever your own session; dangerous operations demand explicit confirmation.
- It reverts what you don't confirm. Firewall, tunnel, WireGuard and CARP applies run in commit-confirmed windows — if the change broke your access, the router restores the previous state on its own.
- It tells you when reality diverges. Per-domain drift detection compares live state against configured intent continuously.
- It never phones home. No telemetry, no update checks, no cloud dependency — the only outbound connections are the ones you configure.
Audited before it is sold
Before commercial launch, the entire codebase went through a structured pre-commercial audit — 8 independent lenses, from architecture and code quality to state recovery, test health and the web tier.
The audit produced 107 findings, distilled to 23 systemic root causes, ranked and ratified into a remediation programme that is landing now, durability-first: the failure modes that could brick a router or boot it open get fixed before polish does. Backup signing and encryption ship as part of the same programme.
We publish the process and the aggregate numbers, and we describe what has been fixed once it ships. We do not publish details of open findings — transparency about method, discretion about anything an attacker could use first.
Researchers, auditors and sceptics
- Report a vulnerability: hello@ogmaprotect.com — we practise coordinated disclosure and will credit you if you want credit.
- Review the source. OgmaProtect is source-available; we make the source accessible to auditors and licensees on request.
- Question our claims. Every feature statement on this site is tracked in a claims ledger tied to evidence in the repository — if we can't point at the code, we don't say it.