Rules Engine vs Traditional Firewalls

How is the rules engine different from traditional firewalls?

The rules engine and traditional firewalls serve complementary purposes and should be used together as part of a defense-in-depth strategy.

Key Differences

Location of Enforcement

  • Rules Engine: Distributed - runs on every ZeroTier node
  • Traditional Firewall: Centralized - runs at network perimeter or on individual hosts

What They See

  • Rules Engine: Sees decrypted virtual network traffic between ZeroTier nodes
  • Traditional Firewall: Sees only encrypted ZeroTier packets (UDP/IP), not the virtual network traffic inside

Mobility

  • Rules Engine: Policies travel with devices wherever they go
  • Traditional Firewall: Policies are location-specific

Configuration

  • Rules Engine: Managed centrally through ZeroTier Central
  • Traditional Firewall: Managed on each firewall appliance or host

Using Both Together

The rules engine and traditional firewalls work at different layers and complement each other:

Use Traditional Firewalls For:

  • Controlling access to the physical network
  • Blocking malicious traffic before it reaches your device
  • Protecting services running on physical interfaces
  • General host security and endpoint protection

Use the Rules Engine For:

  • Controlling which ZeroTier devices can communicate with each other
  • Limiting virtual network traffic to specific protocols or ports
  • Micro-segmenting your virtual network by device role
  • Implementing zero-trust access policies within your virtual network

Example Scenario

You have a web server on your ZeroTier network:

  • Host firewall: Blocks all incoming connections on physical interfaces except SSH
  • Rules engine: Allows only your team's devices to access the web server (port 443) over ZeroTier
  • Network firewall: Protects the physical network perimeter

If someone compromises your physical network, the host firewall protects your server. If someone joins your ZeroTier network without authorization, the rules engine prevents them from accessing the server. All three layers work together for comprehensive security.
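The rules-engine layer of that scenario, expressed in the ZeroTier rules language, is shown below as an added illustration (it is not taken from this page or from ZeroTier's own templates). It assumes the web server has the managed address 10.147.17.10 and that team devices are marked in ZeroTier Central with a `team` tag set to 1.

```text
# Tag that marks a member as one of the team's devices.
# The value is assigned per member in ZeroTier Central.
tag team
  id 1000            # arbitrary but unique tag id
  enum 0 other
  enum 1 member
  default 0          # untagged members are "other"
;

# Allow only IPv4, ARP and IPv6 frames on the virtual network.
drop
  not ethertype ipv4
  and not ethertype arp
  and not ethertype ipv6
;

# Team devices may open TCP 443 to the web server (assumed address).
accept
  ipprotocol tcp
  and ipdest 10.147.17.10/32
  and dport 443
  and tseq team 1    # sender's team tag must equal 1
;

# The rules are stateless, so the server's replies need their own match.
accept
  ipprotocol tcp
  and ipsrc 10.147.17.10/32
  and sport 443
  and treq team 1    # receiver's team tag must equal 1
;

# Any other IP traffic to or from the web server is dropped, including
# an unauthorized member probing ports that are not 443.
drop ipdest 10.147.17.10/32;
drop ipsrc 10.147.17.10/32;

# The default action is drop, so remaining member-to-member traffic
# must be accepted explicitly.
accept;
```

Because the same rule set is evaluated on both the sending and the receiving node, the web server's own node still drops the connection even if a member's client is altered to skip enforcement. The host firewall on the physical interfaces is untouched by these rules and keeps covering traffic that never enters the ZeroTier network.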

Tip: Think of the rules engine as an application-layer firewall for your virtual network, not a replacement for traditional network and host security.