Use Mirage firewall unikernel for any/all sys-firewall. Uses as low as 32Mb of memory (and works reasonably with 256Mb) : see here and here.