Inbound firewall-rule management for the overlay + API + Raft ports.
On Windows this module installs three inbound-allow rules in Windows
Defender Firewall via the INetFwPolicy2 COM API:

- ZLayer Overlay (UDP) - the Wintun/boringtun listen port
- ZLayer API (TCP) - the daemon HTTP/gRPC port
- ZLayer Raft (TCP) - the scheduler Raft port
Rules are scoped to the Private + Domain profiles only. Public profile is intentionally excluded so laptops on untrusted networks (coffee-shop Wi-Fi, airport, etc.) do not start accepting inbound cluster traffic.
ensure_overlay_rules is idempotent: rules are matched by display name, so if a
rule with the same name already exists it is left in place rather than
duplicated (its existing port and profile settings are not rewritten).
On non-Windows targets both functions are no-ops that return Ok(()).
Linux nodes are expected to manage their own iptables/nftables or
firewalld state out-of-band, and macOS has its own model (pfctl /
Application Firewall) that isn’t in scope for this phase.
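The idempotency and profile-scoping behaviour described above, as an added example that is not the module's own code. It keeps the rule collection behind a RuleStore trait (an assumption about how the COM-backed code would be factored) so the logic runs off-Windows against an in-memory stand-in; on Windows the store would wrap INetFwPolicy2's INetFwRules. The NET_FW_PROFILE2_* and NET_FW_IP_PROTOCOL_* values are the real Windows constants; the Ports struct, its field names and the drifted_rules helper are assumptions for illustration, since the page does not list the port numbers or a drift check.

```rust
use std::collections::BTreeMap;

// Bit flags of the Windows NET_FW_PROFILE_TYPE2 enumeration (INetFwRule::put_Profiles).
pub const NET_FW_PROFILE2_DOMAIN: i32 = 0x1;
pub const NET_FW_PROFILE2_PRIVATE: i32 = 0x2;
pub const NET_FW_PROFILE2_PUBLIC: i32 = 0x4;
// IP protocol numbers as passed to INetFwRule::put_Protocol.
pub const NET_FW_IP_PROTOCOL_TCP: i32 = 6;
pub const NET_FW_IP_PROTOCOL_UDP: i32 = 17;

/// Profiles the managed rules apply to: Private + Domain, never Public.
pub const MANAGED_PROFILES: i32 = NET_FW_PROFILE2_DOMAIN | NET_FW_PROFILE2_PRIVATE;

pub const OVERLAY_RULE_NAME: &str = "ZLayer Overlay (UDP)";
pub const API_RULE_NAME: &str = "ZLayer API (TCP)";
pub const RAFT_RULE_NAME: &str = "ZLayer Raft (TCP)";
pub const MANAGED_RULE_NAMES: [&str; 3] = [OVERLAY_RULE_NAME, API_RULE_NAME, RAFT_RULE_NAME];

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct InboundRule {
    pub name: String,
    pub protocol: i32,
    pub local_port: u16,
    pub profiles: i32,
}

#[derive(Debug, PartialEq, Eq)]
pub enum FirewallError {
    Com(String),
}

/// Listen ports (assumed field names; the page does not list the port numbers).
pub struct Ports {
    pub overlay_udp: u16,
    pub api_tcp: u16,
    pub raft_tcp: u16,
}

/// The subset of INetFwRules behaviour the logic needs (Item lookup, Add, Remove).
/// Assumed factoring: on Windows this would wrap the COM interface.
pub trait RuleStore {
    fn get(&self, name: &str) -> Option<&InboundRule>;
    fn add(&mut self, rule: InboundRule) -> Result<(), FirewallError>;
    fn remove(&mut self, name: &str) -> Result<(), FirewallError>;
}

/// The three rules in install order, all inbound-allow and scoped to MANAGED_PROFILES.
pub fn managed_rules(ports: &Ports) -> [InboundRule; 3] {
    let mk = |name: &str, protocol, local_port| InboundRule {
        name: name.to_string(), protocol, local_port, profiles: MANAGED_PROFILES,
    };
    [
        mk(OVERLAY_RULE_NAME, NET_FW_IP_PROTOCOL_UDP, ports.overlay_udp),
        mk(API_RULE_NAME, NET_FW_IP_PROTOCOL_TCP, ports.api_tcp),
        mk(RAFT_RULE_NAME, NET_FW_IP_PROTOCOL_TCP, ports.raft_tcp),
    ]
}

/// Idempotent: a rule whose display name already exists is left untouched.
pub fn ensure_overlay_rules<S: RuleStore>(store: &mut S, ports: &Ports) -> Result<(), FirewallError> {
    for rule in managed_rules(ports) {
        if store.get(&rule.name).is_none() {
            store.add(rule)?;
        }
    }
    Ok(())
}

/// Remove only the rules this module manages; a missing rule is not an error.
pub fn remove_overlay_rules<S: RuleStore>(store: &mut S) -> Result<(), FirewallError> {
    for name in MANAGED_RULE_NAMES {
        if store.get(name).is_some() {
            store.remove(name)?;
        }
    }
    Ok(())
}

/// Caveat of name-based idempotency: a pre-existing rule with the right name but the
/// wrong port or profile set (e.g. one that also allows Public) is kept as-is.
/// Returns the names of such rules so an operator can remove and re-ensure them.
pub fn drifted_rules<S: RuleStore>(store: &S, ports: &Ports) -> Vec<String> {
    managed_rules(ports)
        .iter()
        .filter(|want| store.get(&want.name).map_or(false, |have| have != *want))
        .map(|r| r.name.clone())
        .collect()
}

/// In-memory stand-in for the Windows rule collection (constructed for this example).
#[derive(Default)]
pub struct MemoryStore {
    rules: BTreeMap<String, InboundRule>,
}

impl MemoryStore {
    pub fn len(&self) -> usize { self.rules.len() }
}

impl RuleStore for MemoryStore {
    fn get(&self, name: &str) -> Option<&InboundRule> { self.rules.get(name) }
    fn add(&mut self, rule: InboundRule) -> Result<(), FirewallError> {
        self.rules.insert(rule.name.clone(), rule);
        Ok(())
    }
    fn remove(&mut self, name: &str) -> Result<(), FirewallError> {
        self.rules.remove(name).map(|_| ())
            .ok_or_else(|| FirewallError::Com(format!("rule not found: {name}")))
    }
}
```

Because a match is by display name only, a stale or tampered rule named "ZLayer API (TCP)" that also carries the Public profile bit would be accepted silently by ensure_overlay_rules; running a drift check after ensure (as drifted_rules does here) is the practical safeguard.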
Enums

- FirewallError - Errors produced while installing or removing Windows firewall rules.

Constants

- API_RULE_NAME - Display name of the inbound API (HTTP/gRPC TCP) firewall rule.
- MANAGED_RULE_NAMES - All three rule names that this module manages, in the order they are installed / removed.
- OVERLAY_RULE_NAME - Display name of the inbound overlay (WireGuard UDP) firewall rule.
- RAFT_RULE_NAME - Display name of the inbound Raft (TCP) firewall rule.

Functions

- ensure_overlay_rules - Ensure the three inbound allow-rules exist in Windows Defender Firewall for the overlay UDP, API TCP, and Raft TCP ports.
- remove_overlay_rules - Remove any ZLayer-managed inbound firewall rules that this module would otherwise install.