Embedded IoT host firewall for a constrained RTOS device
An embedded-security vendor needed a compact host firewall that could run on a Cortex-M microcontroller under ThreadX. Joya Systems built the packet-filtering engine, runtime rule provisioning, statistics, replay tests, and rule editor.
Platforms
- ARM Cortex-M
- ThreadX RTOS
- Windows test harness
Services
- Embedded C development
- Packet filtering
- Test harness development
- Rule tooling
The challenge
The target was not a server with spare memory and a full firewall stack. The engine had to run on a constrained embedded device, attach to the NetX packet path, support useful policy matching, and remain testable off-device.
What we built
We built a portable C firewall engine for inbound and outbound packet filtering through the NetX and NetX-BSD IP packet filter hook. Rules used first-match priority and a default allow or drop policy.
The runtime path included packet and drop statistics plus TCP-based rule provisioning for live updates. That gave the product team a practical control plane without turning the embedded target into a heavy management appliance.
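The first-match evaluation, default policy, and packet and drop counters described above, as an added example in portable C (not Joya Systems' code). The rule layout, the names `fw_rule`, `fw_filter` and `fw_demo`, and the sample policy are assumptions; the NetX hook and TCP provisioning are not shown.

```c
#include <stdint.h>
#include <stddef.h>

enum { FW_ALLOW, FW_DROP };                 /* verdicts */
enum { FW_IN = 1, FW_OUT = 2 };             /* direction bits */
/* Hypothetical rule layout: proto 0, mask 0 or port_hi 0 each mean "any". */
struct fw_rule {
    uint8_t  dir, proto, action;            /* dir is a bitmask of FW_IN / FW_OUT */
    uint32_t net, mask;                     /* remote network, host byte order */
    uint16_t port_lo, port_hi;              /* local port range */
};
struct fw_pkt { uint8_t dir, proto; uint32_t remote_ip; uint16_t local_port; };
struct fw_engine {
    const struct fw_rule *rules; size_t n_rules; uint8_t default_action;
    uint32_t packets, drops, default_hits;  /* statistics */
};

static int fw_match(const struct fw_rule *r, const struct fw_pkt *p)
{
    return (r->dir & p->dir)
        && (!r->proto || r->proto == p->proto)
        && ((p->remote_ip ^ r->net) & r->mask) == 0
        && (!r->port_hi || (p->local_port >= r->port_lo && p->local_port <= r->port_hi));
}

/* The first matching rule decides; the default policy applies only if none match. */
int fw_filter(struct fw_engine *fw, const struct fw_pkt *p)
{
    size_t i = 0;
    fw->packets++;
    while (i < fw->n_rules && !fw_match(&fw->rules[i], p)) i++;
    if (i == fw->n_rules) fw->default_hits++;
    int verdict = (i < fw->n_rules) ? fw->rules[i].action : fw->default_action;
    if (verdict == FW_DROP) fw->drops++;
    return verdict;
}

/* Constructed policy: rule 0 must precede rule 1, or 192.0.2.0/24 loses port 443. */
static const struct fw_rule demo_rules[] = {
    { FW_IN,  6, FW_ALLOW, 0xC0000200u, 0xFFFFFF00u, 443, 443 }, /* TCP 443 from 192.0.2.0/24 */
    { FW_IN,  6, FW_DROP,  0,           0,           443, 443 }, /* TCP 443 from anyone else */
    { FW_OUT, 0, FW_ALLOW, 0xC633640Au, 0xFFFFFFFFu, 0,   0   }, /* anything to 198.51.100.10 */
};
struct fw_engine demo_fw = { demo_rules, sizeof demo_rules / sizeof demo_rules[0], FW_DROP, 0, 0, 0 };

/* Runs one constructed packet through the demo engine and returns the verdict. */
int fw_demo(uint8_t dir, uint8_t proto, uint32_t ip, uint16_t port)
{
    struct fw_pkt p = { dir, proto, ip, port };
    return fw_filter(&demo_fw, &p);
}
```

The `default_hits` counter is an addition beyond the statistics the page lists; it shows how much traffic no rule covers, which is useful when auditing a policy under a default-drop setting.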
For validation, we delivered a Visual Studio replay harness that pushed pcap captures through the engine and a .NET rules editor for authoring, serializing, and uploading policy sets. That made regression testing possible before hardware was in the loop.
Project outcome
- Shipped a packet filter that fit within the device's existing memory budget on a Cortex-M microcontroller under ThreadX/NetX — no added hardware, not a scaled-down server firewall.
- Gave the team a live control plane — runtime rule provisioning plus packet and drop statistics — without a heavy on-device management stack.
- Made regression testing possible before hardware by delivering a pcap replay harness and a .NET rule editor, and kept the engine portable for reuse on later targets.
Technical takeaway
Embedded security work succeeds when the runtime code is small and the test surface is large. The firewall engine was only credible because it shipped with replay and authoring tools.
Frequently asked questions
Can a real host firewall run on an ARM Cortex-M microcontroller under an RTOS?
Yes. We built a portable C engine that hooks the NetX / NetX-BSD IP packet filter path and applies first-match rules with a default allow or drop policy, sized for a constrained Cortex-M device under ThreadX rather than a full server stack.
How do you test embedded packet-filtering code before the hardware is ready?
We delivered a Visual Studio replay harness that pushes recorded pcap captures through the same engine off-device, plus a .NET editor for authoring and uploading rule sets. That let the team run regression tests and validate policy changes without waiting on hardware.