DAXFi is a Python package that helps configure several different
kinds of firewalls in a consistent way.
The rules can be described with XML files, XML strings,
or generated directly by the code.
It comes with a Python package, useful to build other
applications aimed to manipulate different firewalls in a
homogeneous way and includes some useful example programs.
Subscribe to DAXFi (with Freshmeat)
DAXFi is not actively developed since about three years, now.
On 25 April 2007 I've released version 1.1, with the latest patches applied, so that it could work with recent Python versions.
If you want to revive this project, I'll be glad to add you to the developers list.
Required skills: Python, C, firewalling concepts, basic XML, a little of knowledge of various operating systems' kernel (Linux, *BSD, Solaris, etc.) on different architectures (i386, powerPC, Alpha, etc.) could help.
Things to do: create a distutils setup.py file, clean the code, support other firewalls (ipfw, pf, etc.), write a XML schema. See also the TODO.txt.
Contact me: if you're seriously interested, mail me at firstname.lastname@example.org or, even better, subscribe the daxfi-devel mailing list.
(25 Apr 2007)
This is a version with every patch applied; only the tar.gz is available.
How can you use DAXFi?
If you are a developer:
- maybe you need to develop an application
to manage a firewall, and you want to stay independent from the
syntax of a specific tool: you can import the daxfi Python package from
your program, instantiate an object of the Firewall class and then use this
object to create new rules (from XML files, XML strings or using methods of
Then you can execute these rules, see which rules are already
running on your system, compare two rules and so on.
Download DAXFi and read the documentation.
If you are a user or a system/network administrator, you can use one
of the programs already available:
- with the daxfictl script you can add and remove firewall
rules from the command line: you can rapidly grant or deny access to defined
addresses; the script is smart enough to refuse to run a rule that already
- if you have a set of rules already running on your system, you can use the
daxfidump script to obtain the equivalent set of XML files.
- with daxfixmlfile you can write your rules in XML files, and
then use this script to generate/run the commands for your firewall.
- if you are connected via a dial-up, you can use daxfid:
it's a script that helps configure a firewall for a dial-up system, and
can run as daemon to adapt its behavior to external conditions (note:
daxfid is a quite big and complex program, if you're new to DAXFi try
playing with other scripts, first).
You can download DAXFi from
DAXFi is actually hosted on SourceForge; you can read the project summary here:
DAXFi's page on Freshmeat is here: http://freshmeat.net/projects/daxfi/
A demo cgi created using DAXFi.
DAXFi comes with a huge amount of documentation; here you can find only
what can be useful as introduction to DAXFi.
<!-- Accept and log packets incoming from IP addresses '126.96.36.199/24',
on interface 'le1' directed to TCP port '80' -->
<rule direction='in' source-ip='188.8.131.52/24' interface='le1'>
<tcp destination-port='80' />
You can see the resulting command for a given firewall using the
If you're using ipchains, the resulting command will be:
ipchains -A input -j ACCEPT -l --destination-port 80 -p 6 --interface le1 --source 184.108.40.206/255.255.255.0
With iptables, two distinct commands are created and run:
iptables -A INPUT -p 6 -j LOG --destination-port 80 --in-interface le1 --source 220.127.116.11/255.255.255.0
iptables -A INPUT -p 6 -j ACCEPT --destination-port 80 --in-interface le1 --source 18.104.22.168/255.255.255.0
ipfwadm -a accept -I -S 22.214.171.124/255.255.255.0 -D 0.0.0.0/0.0.0.0 80 -o -P tcp -W le1
And with ipfilter:
pass in log quick on le1 proto 6 from 126.96.36.199/255.255.255.0 to 0.0.0.0/0.0.0.0 port = 80
Obviously the code is still quite immature and many improvements
are needed: take a deep
look at the rules that DAXFi will generate.
If you are (or if you want to become) a user of DAXFi you can post questions,
problems and suggestions to the
If you are interested in the development of DAXFi, you can join the
mailing list (or you can read the
You can also read the TODO list
Moreover, fell free to contact me at: