Unified Threat Management

Network security
that you actually
own.

Tangent Networks UTM is a self-hosted security appliance built on OpenBSD. Enterprise-grade firewall, encrypted DNS, deep content inspection, and full-stack threat blocking — deployed on your hardware, under your control, with no vendor in the middle.

Request a Demo See Screenshots

6 Inspection Services

0 Cloud Dependencies

1 Person to Operate It

// protection stack

🌐

Internet Traffic Inbound & outbound flows

WAN

↓

🛡

PF Firewall ASN · GeoIP · Threat feeds · Custom rules

BLOCK

↓

🔍

e2guardian ChildSafe · General · Custom filter modes

FILTER

↓

🔒

Unbound DNS DNS-over-TLS · Quad9 threat blocking

TLS

↓

🏢

Your Network Users · Devices · Services

LAN

Runs on OpenBSD: correct-by-default security posture PF Firewall with ASN-aware and GeoIP blocking built in e2guardian ChildSafe: malware, ads, and adult content blocked at the content layer Unbound DNS-over-TLS: encrypted resolution, zero plaintext UDP queries Zero cloud dependency: your traffic, your data, your network Snort IDS and IPS running simultaneously on the same appliance Web server chrooted: a compromised request cannot reach the OS CSRF and session security enforced before any business logic runs Full dual-stack: IPv4 and IPv6 inspected with feature parity Runs on commodity hardware: no proprietary appliance required Runs on OpenBSD: correct-by-default security posture PF Firewall with ASN-aware and GeoIP blocking built in e2guardian ChildSafe: malware, ads, and adult content blocked at the content layer Unbound DNS-over-TLS: encrypted resolution, zero plaintext UDP queries Zero cloud dependency: your traffic, your data, your network Snort IDS and IPS running simultaneously on the same appliance Web server chrooted: a compromised request cannot reach the OS CSRF and session security enforced before any business logic runs Full dual-stack: IPv4 and IPv6 inspected with feature parity Runs on commodity hardware: no proprietary appliance required

Security posture

Built secure, not patched secure.

OpenBSD Foundation

The entire platform runs on OpenBSD, an operating system with a decades-long track record of proactive security auditing and a minimal default attack surface. Security is the starting point, not something added later.

chroot Isolation

The web server and every CGI script run inside a chroot jail. A compromised web request cannot read configuration files, access system binaries, or reach system processes. The kernel enforces the filesystem boundary, not policy alone.

No doas, No sudo

Privileged operations such as firewall changes, DNS cache flushes, and filter mode switches never happen by elevating the web process. Dedicated root-side daemons watch file-based queues and execute commands independently. The CGI layer has no privilege path whatsoever.

CSRF and Session Auth

Every operation that changes system state requires a valid session cookie and a per-request CSRF token. The security framework is enforced at the library level before any business logic runs, so individual scripts cannot bypass it regardless of how they are called.

Taint Mode Perl

All CGI scripts run under Perl's taint mode ( -T). Every value arriving from the browser must pass an explicit untaint regex before it can touch the filesystem, a shell command, or any system call. Tainted data has no path to execution.

Self-Contained Platform

No cloud APIs, no vendor dashboards, no telemetry endpoints. Threat intelligence feeds are fetched from public sources on your schedule. Configuration, logs, and user data never leave your infrastructure, keeping GDPR and local data retention obligations straightforward.

Protection layers

Four independent
shields.

Tangent Networks UTM stacks four distinct security technologies, each operating independently. A domain blocked at the DNS layer never reaches the firewall. A connection blocked by the firewall never reaches the content filter. Defence in depth is the whole point.

🛡

PF Firewall

OpenBSD's packet filter manages every byte crossing your network boundary.

Network Layer

The firewall is your outermost layer, processing traffic before anything else in the stack sees it. Rules are built from live threat intelligence feeds, geographic IP data, and ASN lookups, letting you block entire hosting networks in a single entry without touching the base ruleset.

ASN-aware blocking. Block every IP range belonging to a provider, CDN, or cloud service with one entry. Each submission is validated against PeeringDB and RIPE STAT before it goes live, with a full impact analysis showing exactly what traffic will be affected.
GeoIP filtering. Restrict traffic by country using regularly updated CIDR databases sourced directly from RIPE NCC. No third-party subscription required.
Live threat intelligence feeds. Blocklists download on your schedule and merge into the active ruleset atomically, with no gap in enforcement and no service interruption.
Custom rule builder. Write syntax-validated PF rules through a guided interface. Every change passes through a staging pipeline: validate, preview, apply. Each successful apply produces a recoverable snapshot.
Queue-based apply. Firewall changes are written to a file queue and processed by a root-side daemon. The web interface never calls pfctl directly, and the CGI process has no privilege path to the kernel.

🔍

e2guardian Content Filter

Deep content inspection with three purpose-built filter modes.

Content Layer

Where the firewall blocks by address, e2guardian inspects by content. Three modes cover most deployment scenarios, and switching between them is a single click with no dropped connections and no service restart.

ChildSafe mode. The recommended starting point for schools, libraries, and family networks. Malware domains, advertising networks, and adult content are all blocked simultaneously using a curated set of maintained threat feeds.
General mode. Adult content filtering is disabled, but malware and advertising blocking remain active. A practical fit for staff networks or shared infrastructure where you need protection without restrictive content controls.
Custom mode. Bring your own feeds. Add any public threat intelligence URL and the system validates, downloads, and processes it automatically within seconds of submission.
Automated feed processing. Each mode refreshes its feed list daily. The processor handles hostfile format, plain domain lists, mixed lists, and the Capitole University archive format without any manual intervention.
Live mode switching. Switching modes rewrites the active crontab entry and reloads e2guardian in the background. No connections drop and no manual restart is required.

🔒

Unbound DNS-over-TLS

Encrypted recursive DNS resolution with upstream threat blocking built in.

DNS Layer

All DNS queries from your network are resolved by a local Unbound instance. Queries leave the network encrypted over TLS; no plaintext UDP port 53 traffic ever reaches your ISP. The upstream resolver adds an independent second layer of threat blocking before any HTTP connection is even attempted.

DNS-over-TLS. All upstream queries go to Quad9 ( 9.9.9.11@853) over an encrypted TLS connection. Your ISP cannot observe or tamper with your DNS traffic.
Quad9 threat blocking. Quad9's dns11 endpoint includes DNSSEC validation, ECS support, and a continuously updated threat feed that blocks malicious domains at the resolution stage.
QNAME minimisation. Each resolver in the chain only receives the portion of a query it needs to answer (RFC 7816), limiting how much metadata any single operator can collect about your users' browsing activity.
Cache management from the UI. Purge the full cache, flush a specific domain, export cache contents, or run a live DNS lookup test from the management interface, all processed through the privileged queue with no direct shell access.
Tuned for sustained load. 384 MB combined cache (256 MB RRset plus 128 MB message cache), prefetch enabled, four processing threads, and a 30-minute minimum TTL to reduce upstream query volume under peak usage.

⚙️

Management Interface Security

The admin plane is hardened to the same standard as the network plane.

Admin Layer

A management interface that cannot be secured is not a management interface, it is an attack surface. Every design decision in the Tangent Networks admin panel assumes the interface may be exposed to an adversarial network.

Three-tier auth enforcement. Every operation is classified as standard, protected, or restricted at the security library level. Protected operations require both a valid session and a per-request CSRF token. Restricted operations require an elevated admin role. No individual script can bypass this classification.
No native browser dialogs. Every destructive or mutating action goes through a custom modal confirmation system. Native confirm() and alert() are never used, which structurally eliminates dialog-spoofing clickjacking attacks.
Complete audit trail. Every authenticated operation is logged with session identity and a timestamp. Firewall changes, filter mode switches, and DNS cache operations all produce a permanent, reviewable record.
Taint mode throughout. All CGI scripts run under Perl -T. Every value arriving from the browser must pass an explicit untaint regex before it can touch the filesystem, a shell command, or any privileged system call.

Platform Architecture

Correct architecture
is the security feature.

The web server serves exclusively as an unprivileged request processor. It operates without access to escalation utilities like sudo or doas, and without the permissions required to modify the firewall, reconfigure DNS, or toggle filter modes.

System state changes are decoupled from the web execution context entirely. The web process communicates intent by writing to a secure queue directory. Execution is handled by independent root-side processes that act on those queue entries. This enforces a strict one-way data flow: the web layer can express what it wants done, but it can never do it directly.

// Tangent Networks UTM design principle

File-Based Queue Architecture

Privileged operations are never triggered by elevating the web process. A CGI script writes a validated, structured request file to a watched directory. A dedicated root-side daemon reads it, executes the appropriate command, and writes the outcome back for the browser to collect.

CGI writes a validated request file with structured parameters
Root daemon executes unbound-control or pfctl as appropriate
Outcome encoded as JSON via jq and written back to queue
Request and outcome files removed after each completed operation

chroot Boundary Enforcement

The web server runs inside the /var/www chroot. System binaries, configuration files, and the host OS filesystem are invisible to any web process regardless of what an attacker might execute inside the chroot.

CGI scripts see only the /var/www filesystem tree
Debug logs write to /tmp, which maps to /var/www/tmp outside the chroot
Paths constructed with File::Spec, never through string concatenation
All external path values validated against untaint regex before use

Daemon Lifecycle Management

All background services start from /etc/rc.local via a shared start_service() function that validates executability, detects stale PID files, and verifies the process is still alive before writing the PID to disk.

PID files stored under /data/run/webui/, readable by monitoring tools
Runners loop on fixed sleep intervals rather than spawning via cron
EXIT, INT, and TERM traps clean up PID files on shutdown
Stale PID detection prevents duplicate daemon instances across reboots

Staging Pipeline for Firewall Changes

No firewall rule goes live without passing a full validation pipeline. Rules assemble into a staging configuration, are tested with pfctl -nf (dry run), and a verdict file is written before any apply is attempted. A failed validation stops the pipeline completely.

pf_validator.pl assembles staging/pf-addons.conf from all queue inputs
pfctl -nf validates syntax; verdict written before any live change
Apply copies staging conf to /etc/pf, reloads anchor, writes snapshot
Reset flushes the anchor, clears all user inputs, and purges all snapshots

True Dual-Stack

IPv4 and IPv6.
Inspected equally.

Most network security systems treat IPv6 as an afterthought and leave a gap between what is filtered on one protocol and what is allowed on the other. Tangent Networks UTM provides identical inspection coverage across both address families, with no fallback paths and no unmonitored protocol.

NAT64 and DNS64

IPv6-only LAN clients can reach IPv4-only internet destinations transparently. PF performs address-family translation while Unbound synthesises AAAA records under the NAT64 prefix. The result is full internet access for IPv6 clients with no manual address mapping required.

Snort IPS on Both Families

Snort runs inline in IPS mode and inspects traffic from both IPv4 and IPv6 clients. The SSLproxy preprocessor was extended to correctly parse and map IPv6 client and server addresses, providing full rule enforcement across both protocol families without a parallel ruleset.

TLS Inspection for IPv6 Clients

SSLproxy intercepts and decrypts TLS sessions from both IPv4 and IPv6 LAN clients, re-originating the decrypted traffic on loopback for inspection by Snort and e2guardian. IPv6 clients receive exactly the same inspection depth as IPv4 clients throughout the chain.

Unified PF Ruleset

PF enforces policy across both address families from a single ruleset. NAT44, NAT66, and NAT64 all operate simultaneously. All traffic is logged to the same pflog1 interface regardless of protocol family, giving the WebUI a unified view of what is happening on the network.

Privilege Separation

The web process
has no privilege path.

The most important security property of Tangent Networks UTM is that the web server and everything running inside it cannot perform privileged actions directly. Not through sudo. Not through doas. Not through setuid binaries. The boundary is absolute and enforced at the kernel level.

// www process (chrooted)

📝

CGI Scripts Validate input, write queue files, poll outcomes

🔐

TNSecurityCheck Session, CSRF, and role enforced before any logic runs

📂

Queue Writes Writes to /data/services/queue/* only

👁

Outcome Reads Polls outcome files, returns result to browser

// Cannot execute: pfctl, unbound-control,
// e2guardian, ksh, or any system binary.
// Cannot read: /etc, /usr, /bin, /sbin.
// Filesystem view limited to /var/www/*

chroot boundary

// root daemons (full system access)

🔥

pf_monitor.sh Validates and applies PF firewall rules via pfctl

🔄

manage_unbound.sh Executes unbound-control cache and service commands

🔍

e2g_*_filter.sh Downloads feeds, processes domain lists, reloads e2guardian

📊

Stats collectors Read system state, write JSON to web-readable paths

// Triggered by: file presence in queue dirs.
// Never triggered by: HTTP requests directly.
// Communication: file-based queue only.
// No socket or IPC exposure to www process.

Execution Model

No hidden paths. No side channels.

The separation between the web tier and the privileged tier is not a policy decision or a convention. It is enforced in how the system moves data and how it executes actions. There is one path for expressing intent and one path for acting on it, with no mechanism to bypass either.

No Internal API Surface

The web interface does not call itself over HTTP. There are no REST endpoints, no loopback requests, and no internal RPC layer. State is read from files written by root daemons. Actions are expressed as queue entries. There is nothing to pivot through.

Deterministic Execution Model

Every privileged action follows the same path: queue entry, validate, execute, write outcome. There is no alternate code path, no conditional privilege escalation, and no hidden control channel. What runs is exactly what was queued and verified.

Auditable State Transitions

Requests, outcomes, and system state are all materialised as files. The integrity monitoring system computes SHA256 baselines across 19,000 monitored files, detects drift, and requires explicit operator acknowledgement for any change. Nothing mutates silently.

No Shared Memory or Sockets

The web tier and root daemons share no memory segments, sockets, or IPC channels. There is no message bus to exploit. The only bridge between them is the filesystem, constrained by directory path and file ownership.

Why self-hosted

Your network.
Your data. Your rules.

Cloud-managed network security means your traffic is observed, reported, or processed by someone else's infrastructure. Tangent Networks UTM runs entirely on your hardware, on your network, under your control, with no external dependency for any core security function.

Capability

Tangent Networks UTM

Cloud-managed UTM

User DNS queries stay on-site

✓ All queries resolved locally

✗ Forwarded to vendor cloud

No vendor subscription required

✓ Self-contained platform

✗ Annual licensing required

Firewall rules visible and auditable

✓ Full ruleset always readable

~ Vendor-managed, often opaque

Content filter works without internet

✓ Blocklists cached locally

✗ Requires vendor API access

Custom ASN and GeoIP blocking

✓ Built-in with impact analysis

~ Premium tier or unavailable

GDPR and data residency compliance

✓ Data never leaves your premises

✗ Vendor data processing agreements required

Works during an ISP outage

✓ Local DNS cache continues serving

✗ Cloud-dependent features fail

Management interface on-premises

✓ Served from your local appliance

✗ Vendor SaaS portal

See it in action

What the interface
actually looks like.

No marketing mockups. These are real screenshots from a live Tangent Networks UTM management interface. Click any image to view full size.

Dashboard Overview

The main dashboard brings system performance, PF firewall status, active service health, and rule efficiency audit into a single view. Everything a network operator needs at a glance after logging in.

01 / 34

Rule Efficiency Audit

Per-rule packet counts and evaluation ratios help identify rules that are doing useful work versus rules that have never matched traffic. Each rule is rated EFFICIENT, OPTIMIZE, REVIEW, or UNUSED so you can clean up your ruleset with confidence.

02 / 34

Throughput Analysis

The top 10 rules by traffic volume are ranked with relative load bars, making it easy to see which rules are carrying the most traffic and where policy changes would have the highest impact.

03 / 34

Security Infrastructure Services

Live status for every security service in the stack: Snort IDS, Snort IPS, ClamAV, Unbound DNS, DHCPv4, and e2guardian, all confirmed RUNNING. A quick check before leaving the office.

04 / 34

System Logs

25 log sources accessible from a single panel with a 7-day archive, regex search, auto-refresh, and 100 entries per page. Switching between log sources requires one click, not a shell session.

05 / 34

System Logs Filter

Filter any log by date range, keyword, or program name. Useful for correlating a Snort alert with the corresponding entry in the firewall, proxy, or daemon log without leaving the browser.

06 / 34

Firewall Logs — Live Feed

Real-time PF packet log with IPv4 and IPv6 entries displayed together, MATCH tagging to identify which rule fired, and auto-refresh. Every packet logged by pflog1 appears here within seconds.

07 / 34

Firewall Logs — Event Copy Modal

Any log event can be copied to clipboard in a structured format directly from the interface. Useful for sharing a specific block event with a colleague or pasting it into a ticket without reformatting.

08 / 34

Firewall Logs — Advanced Filter

Filter the live firewall log by date, IP family (IPv4 or IPv6), protocol, port, and action (pass or block). Narrow 10,000 log entries down to the specific traffic you are investigating in seconds.

09 / 34

Services Dashboard

All 24 system services displayed with live CPU usage, memory consumption, PID, and per-service RESTART and STOP controls. A single page replaces the need to SSH in for routine service management.

10 / 34

Services Dashboard Extended View

Scrolling further down the services panel reveals the remaining infrastructure services with the same live metrics. Every service that rc.local starts is represented here with its current state.

11 / 34

Service Restart Validation Modal

Every service restart requires confirmation through a custom modal. There are no native browser dialogs: the confirmation UI is purpose-built, which eliminates dialog-spoofing attacks and provides a consistent operator experience.

12 / 34

Service Restart Progress Modal

A progress modal tracks the restart sequence in real time, showing when the service stops, when it comes back up, and whether its PID file confirms a successful start. No guessing and no polling the shell manually.

13 / 34

Service Status Outcome Modal

After a restart completes, the outcome modal confirms the new service state, the new PID, and whether the operation succeeded or encountered an error. The result is logged with a timestamp for the audit trail.

14 / 34

System Mailbox

An in-browser mailbox collects cron daemon notifications, TNWatch integrity alerts, GeoIP update reports, and digest emails. Operators can review system notifications without configuring an external mail client.

15 / 34

Cron Notification Mail Modal

A cron daemon notification opened inside the mailbox modal. The full message body is displayed inline, including timestamps and any output from the scheduled task that produced the notification.

16 / 34

TNWatch Integrity Alert Modal

A TNWatch file integrity alert shown inside the mailbox modal. When monitored files change outside of an authorised update window, an alert is generated with the affected paths and hash comparison details.

17 / 34

Egress Monitoring View

Live WAN egress flow feed showing source and destination addresses, protocol, and byte count per flow. Powered by pmacct writing to a memory filesystem, the view updates continuously without disk I/O overhead.

18 / 34

Egress JSON Flow Detail

The raw JSON record for a selected egress flow, including source address, destination address, IP version, protocol, and byte count. Useful for confirming exactly what a specific device is sending out of the network.

19 / 34

Ingress Monitoring View

Real-time LAN ingress flow feed with bidirectional arrows and per-flow byte sizes. The same pmacct pipeline captures internal interface traffic separately from the WAN feed, giving a complete picture of what is entering the LAN.

20 / 34

Internal JSON Flow Detail

The raw JSON record for a selected ingress flow. Includes the same fields as egress: source, destination, protocol, and byte count. Useful for identifying which LAN host is the destination of a specific inbound flow.

21 / 34

Flow Filtering Modal

Filter the live flow feed by source address, destination address, protocol, or port to isolate the traffic you are interested in. Helps correlate a firewall log event with the corresponding flow in the accounting feed.

22 / 34

Firewall Configurator

The four-panel firewall configurator covers IP and CIDR blocking, ASN registry lookups, GeoIP country policy, and threat intelligence feed management. Block or pass rules are built here and pushed through the validation pipeline before going live.

23 / 34

Firewall Base Ruleset Viewer

The full base PF ruleset is readable in the interface at any time. This view is read-only: the base ruleset is managed as a file and is not editable through the UI, ensuring the core firewall policy cannot be changed accidentally through a browser session.

24 / 34

Custom Rule Builder

A guided form for writing custom PF rules without editing the config file directly. Rules are syntax-checked against the PF parser before being added to the staging configuration. Currently in active development.

25 / 34

Content Filter Mode Selector

Switch between General, ChildSafe, and Custom filter modes with a single click. The active mode is highlighted and the switch takes effect in the background without dropping connections or requiring a service restart.

26 / 34

Active Threat Intelligence Feeds

The active feed panel shows which lists are loaded for the current filter mode, grouped by category. The Add Custom Feed panel below it accepts any public threat intelligence URL and processes it within seconds of submission.

27 / 34

Content Filter Cron Log

The cron log shows the output of each scheduled feed refresh, including which lists were downloaded, how many domains were processed, and whether the e2guardian reload completed successfully. Useful for confirming that daily updates are running cleanly.

28 / 34

Unbound DNS Statistics

Live Unbound metrics including total queries, cache hit rate, and average response time. Cache purge, selective flush, and cache export controls sit alongside a live DNS lookup test tool, all processed through the privileged queue.

29 / 34

Unbound DNS Reload

The DNS reload operation restarts the Unbound daemon and confirms the new process is accepting queries before reporting success. The entire operation is handled by the root-side manage_unbound.sh daemon, not by the web process.

30 / 34

Unbound DNS Lookup Test

Run a live DNS lookup through the local Unbound resolver directly from the browser. The result shows whether the query was answered from cache or upstream, the resolved address, and the response time. Useful for verifying that a domain block or cache flush has taken effect.

31 / 34

System Integrity Check Overview

TNAudit monitors 19,435 files across 6 categories including system binaries, configuration files, and WebUI assets. The overview shows the last baseline date, total files monitored, and current violation count. Zero violations means the system matches its known-good state.

32 / 34

WebUI Assets Integrity Check

The WebUI assets category shows SHA256 hash validation results for all JavaScript, CSS, and HTML files served by the web server. Any file modified outside of an authorised update will appear here as a violation with the expected and actual hash values.

33 / 34

Project Documentation and User Guide

The built-in documentation covers usage guidelines, a quick reference for every path and service on the system, and a troubleshooting guide. All documentation is served locally from the appliance and is available without an internet connection.

34 / 34

Get started

Ready to take back
control of your network?

Tangent Networks UTM deploys on commodity hardware and can be managed day-to-day by a single IT coordinator. No vendor professional services, no proprietary appliance, no ongoing subscription. Request a demo to see the full management interface running on a live system.

Request a Demo View Screenshots

Self-hosted · OpenBSD-based · No cloud dependency · Deployable on any organisation's hardware

Network security that you actually own.