
The Firewall tab lets you control inbound traffic to your VM’s public IP. The default is restrictive — only SSH (and the dashboard’s control plane) is allowed. Apps reached via the tunnel hostname (<sub>.suji.fr) don’t need firewall rules — they ride Cloudflare Tunnel and never bind a public port.

Inbound rules

Each rule has:
  • Direction — Inbound.
  • Protocol — TCP, UDP, or ICMP.
  • Port — a single port (443) or a range (3000-3010). Valid range: 1–65535.
  • Source IPs — one or more IPs or CIDRs. Use 0.0.0.0/0 + ::/0 for “anywhere” (the Any IPv4 / Any IPv6 pills). Use a specific IP / CIDR for “only my office”.
  • Description — free-form text, shows in the rules list.
Add rules with the + Add Rule button next to the section. Each change is committed immediately — no two-stage save.

Outbound rules

Mostly cosmetic — the VM allows outbound traffic by default. Add an outbound rule only if you want to restrict outgoing connections (e.g. deny everything except a specific webhook target).

Pre-managed rules

Two rules are always present and cannot be removed:

Platform rule

Allows the Suji control plane to reach the VM’s guest-agent over a TLS-pinned channel. Removing it would break the dashboard’s Terminal / Files / Logs / Metrics tabs. Locked to Suji’s control-plane egress IP.

Default SSH rule

Open tcp/22 from 0.0.0.0/0. This is a fallback so you don’t lock yourself out by accident. As soon as you add your own inbound TCP/22 rule (e.g. SSH from your office only), this default disappears. You replace it, you don’t delete it.

Provider-blocked ports

Some outbound ports are blocked at the network layer, before any Suji firewall rule. Allowing them in the firewall does nothing.
  • TCP 25 (SMTP) — blocked outbound for anti-spam.
  • TCP 465 (SMTPS) — blocked outbound.
  • TCP 587 (Submission) — open. Use this for outbound mail.
If your app needs to send email, use an authenticated relay on 587 (Postmark, SendGrid, Mailgun, Resend) or an HTTP-API provider.

Common patterns

Most users don’t need this — apps are reached via the tunnel. If you have a non-HTTP service that has to be on the IP, add:
  • Inbound tcp/80 from 0.0.0.0/0 + ::/0
  • Inbound tcp/443 from 0.0.0.0/0 + ::/0
Other common patterns:
  • SSH from your office only — add an inbound tcp/22 rule with your office’s public IP/CIDR as the source. The default open-world SSH rule disappears once your custom rule lands.
  • A service reachable only from specific networks — add the inbound port + protocol with the right source IPs. Use a CIDR (e.g. 10.0.0.0/8) rather than 0.0.0.0/0 for anything sensitive.
  • A UDP peer — add an inbound udp/<port> rule with that peer’s IP as the source.
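Because every rule change is committed immediately, it helps to model a rule set before touching the tab. The script below is an added example, not Suji’s code or API: it mirrors the rule shape described above (direction, protocol, port or range, source CIDRs), the replace-not-delete behaviour of the default SSH rule, and the provider-blocked outbound ports, so you can check whether a planned change would lock you out or do nothing. The class and function names, and the assumption that any inbound TCP rule covering port 22 replaces the default, are this example’s own.

```python
import ipaddress
from dataclasses import dataclass

# Outbound ports the page says are blocked below the Suji firewall (SMTP, SMTPS).
PROVIDER_BLOCKED_OUTBOUND = {("tcp", 25), ("tcp", 465)}


@dataclass
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp" or "icmp"
    ports: str       # "443" or "3000-3010"; ignored for icmp
    sources: list    # IPs or CIDRs; ["0.0.0.0/0", "::/0"] means anywhere
    description: str = ""

    def port_range(self):
        lo, _, hi = self.ports.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {self.ports}")
        return lo, hi

    def matches(self, protocol, port, src_ip):
        if self.protocol != protocol:
            return False
        if protocol != "icmp":
            lo, hi = self.port_range()
            if not lo <= port <= hi:
                return False
        ip = ipaddress.ip_address(src_ip)
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        return any(ip in ipaddress.ip_network(s, strict=False) for s in self.sources)


# The pre-managed fallback: tcp/22 from 0.0.0.0/0 (IPv4 only, as on the page).
DEFAULT_SSH = Rule("inbound", "tcp", "22", ["0.0.0.0/0"], "default SSH fallback")


def effective_inbound(rules):
    """Default SSH rule is replaced, not deleted, once a custom inbound tcp/22 rule exists.
    Assumption: any inbound TCP rule whose range covers port 22 counts as that rule."""
    custom = [r for r in rules if r.direction == "inbound"]
    if any(r.protocol == "tcp" and r.port_range()[0] <= 22 <= r.port_range()[1] for r in custom):
        return custom
    return custom + [DEFAULT_SSH]


def inbound_allowed(rules, protocol, port, src_ip):
    return any(r.matches(protocol, port, src_ip) for r in effective_inbound(rules))


def no_op_outbound(rules):
    """Outbound allow rules that land on a provider-blocked port have no effect."""
    return [r for r in rules if r.direction == "outbound" and any(
        p == r.protocol and r.port_range()[0] <= n <= r.port_range()[1]
        for p, n in PROVIDER_BLOCKED_OUTBOUND)]
```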

Audit

Every rule change shows in the audit log (org-level): who added/removed which rule, when, from which IP.

Next

Network

See the public IPs you’re protecting.

Snapshots

Restore a known-good VM state if a firewall change goes sideways.