A firewall is only as useful as the traffic it actually sees. That is the problem with the way most firewalls are built: they live on one server, or inside one cloud provider's console, and they protect exactly that one box. If your infrastructure with us is a VPS, a DDoS-protected tunnel, a BGP announcement, and a dedicated server, that is four separate places to write firewall rules — or, more honestly, four places you never quite get around to.
Today we are launching something different. The Sucura Edge Firewall is a new self-service add-on in the Nexus panel. You buy a package of rules, write them once, and they apply to every IP you have with us — enforced at our network edge, on every PoP, before unwanted traffic ever reaches your origin.
Why One Firewall Per Box Doesn't Scale
The traditional model puts the filter at the destination. An iptables ruleset on a Linux box, a security group in a cloud console, a hardware appliance in front of a rack — each one guards a single target, and each one only starts working after the packet has already crossed the internet, ridden your uplink, and arrived at the machine it was aimed at. For a volumetric flood, that is already too late: the traffic has cost you bandwidth and CPU just to be dropped.
It also does not scale operationally. Every new service is a new firewall to configure, in a new syntax, with its own copy of "block this abusive /24" that you now have to remember to update in five places. The rules drift apart. The one box you forgot is the one that gets hit.
We already solve the "arrives too late" half of this for DDoS: our scrubbing runs at the edge, across the anycast network, so floods are dropped close to their source instead of on your server. The Edge Firewall extends that same idea to your own policy. Your rules move to the edge, right next to the scrubbing, and they follow your IP space everywhere it lives on our network.
How It Works
The Edge Firewall runs in the same XDP/eBPF pipeline that already powers our DDoS scrubbing. That means your rules are evaluated in the kernel's fast path on every PoP, at line rate, on the same hardware that is already inspecting every packet headed for your IPs. There is no extra hop, no separate appliance, and no backhaul — the filter is already in the path.
The panel is the source of truth. You write your ruleset once, hit apply, and Nexus pushes it to every edge location and confirms that they all hold the identical set. You do not log into individual PoPs or reason about which site a given IP is currently anycasted from. You see one thing: applied. When every edge has converged on your exact ruleset, the panel says so.
Because it is fleet-wide by design, adding a new service does not mean writing a new firewall. Order another VM, announce another prefix, spin up another tunnel — your existing ruleset is already covering it the moment the IPs are yours.
What You Can Match
Each rule is a classic 5-tuple match, with the extras that real network filtering needs. You get precise control without a proprietary policy language to learn:
- Source — a CIDR, or
any - Protocol — the full IANA list: TCP, UDP, ICMP, GRE, SCTP, or a raw protocol number
- Destination and source ports — single ports or ranges
- ICMP type and code — for tightly scoping what ICMP you accept
- TCP flags — SYN, ACK, FIN, RST, PSH, URG
Every rule resolves to one of three actions: drop, allow, or continue. Drop discards the matched traffic at the edge. Continue lets it fall through to the rest of your policy and normal processing. Allow is the interesting one — and it deserves a clear explanation.
The Allow Action Bypasses Scrubbing — On Purpose
An allow rule does exactly what it sounds like, with one honest nuance worth stating plainly: allowed traffic bypasses DDoS scrubbing for that match. It is an explicit self-whitelist. When you write an allow rule, you are telling the edge "I trust this source, let it skip mitigation and go straight through."
This is a feature, not a footgun. It is exactly what you want when you have a source you know is trusted — a monitoring system, a backend you control, a partner's fixed IP range — and you would rather it never be subject to challenge or rate-limiting under attack conditions. You opt specific, known traffic out of scrubbing on purpose. Everything you do not explicitly allow keeps flowing through normal DDoS mitigation exactly as before. Nothing about turning on the Edge Firewall weakens your protection by default; the only traffic that skips scrubbing is the traffic you deliberately allow.
Guardrails That Are Actually About Trust
Because this runs at the network edge across everyone's traffic, we built the guardrails to make it hard to hurt yourself:
- Your IP space only. A rule can only target IPs that belong to you. You cannot write policy against someone else's addresses.
- No private or reserved targets. Private, reserved, and internal tunnel addresses are rejected — the panel will not let you point a rule at them.
- Anti-lockout. You cannot accidentally block our own network as a source. The control and management paths that keep your services reachable stay reachable, no matter what you write.
These are not fine print. They are the difference between a fleet-wide firewall you can use confidently and one you are afraid to touch.
Pricing
The Edge Firewall is priced by how many rules you need. Pick a package, and a live budget bar in the panel shows how many of your rules you have used as you build. All prices are in USD, self-service, no tickets.
| Package | Rules | Price |
|---|---|---|
| Starter | 10 rules | $10/mo |
| Pro | 50 rules | $35/mo |
| Business | 200 rules | $99/mo |
There is a free-trial window, so you can build a ruleset, apply it across the edge, and watch it work before you pay for a package. Try it free first.
One ruleset, every IP, every edge. Write your policy once in the Nexus panel and it enforces fleet-wide, in the same pipeline as your SucuraGuard scrubbing. See the full Edge Firewall product page for the complete rule reference.
Turn It On in the Nexus Panel
- Sign in or create an account in the Nexus panel
- Open Firewall and start a free trial, or pick a package
- Build rules in the rule builder — source, protocol, ports, flags, action — watching the live budget bar
- Hit apply and watch the status turn to applied as every edge converges on your ruleset
That is the whole point of running your firewall at our edge: one place to write policy, every IP you have with us covered, and the same fast path that already stops attacks now enforcing your rules too. Get started at nexus.sucura.ca, read the details on the Edge Firewall page, or pair it with free SucuraGuard DDoS protection. Questions? Reach us on Discord or the contact page.
— Eric B
President, Sucura Networks
AS398999