What is DAXFi
DAXFi is a Python package that helps configure several different
kinds of firewalls in a consistent way.
Rules can be described with XML files or XML strings, or generated directly in code. The package is useful for building other applications that manipulate different firewalls in a homogeneous way, and it includes some useful example programs.
Development notice
Developers required! Required skills: Python, C, firewalling concepts and basic XML; a little knowledge of various operating systems' kernels (Linux, *BSD, Solaris, etc.) on different architectures (i386, PowerPC, Alpha, etc.) could help. Things to do: create a distutils setup.py file, clean up the code, support other firewalls (ipfw, pf, etc.), write an XML schema. See also the TODO.txt. Contact me: if you're seriously interested, mail me at alberanid@libero.it or, even better, subscribe to the daxfi-devel mailing list.
Supported firewalls
What's new (25 Apr 2007)
This is a version with every patch applied; only the tar.gz is available.
If you are a developer:
If you are a user or a system/network administrator, you can use one of the programs already available:
DAXFi is currently hosted on SourceForge; you can read the project summary here:
http://sourceforge.net/projects/daxfi/
DAXFi's page on Freshmeat is here: http://freshmeat.net/projects/daxfi/
Demo | Description | source |
DAXFi demo | Create firewall rules on the fly. | daxfidemo-0.1.tar.gz |
<?xml version='1.0'?>
<!-- Accept and log packets incoming from IP addresses '192.196.1.0/24',
     on interface 'le1' directed to TCP port '80' -->
<append>
  <rule direction='in' source-ip='192.196.1.0/24' interface='le1'>
    <tcp destination-port='80' />
    <accept />
    <log />
  </rule>
</append>
You can see the resulting command for a given firewall using the daxfixmlfile script.
If you're using ipchains, the resulting command will be:
ipchains -A input -j ACCEPT -l --destination-port 80 -p 6 --interface le1 --source 192.196.1.0/255.255.255.0
With iptables, two distinct commands are created and run:
iptables -A INPUT -p 6 -j LOG --destination-port 80 --in-interface le1 --source 192.196.1.0/255.255.255.0
iptables -A INPUT -p 6 -j ACCEPT --destination-port 80 --in-interface le1 --source 192.196.1.0/255.255.255.0
For ipfwadm:
ipfwadm -a accept -I -S 192.196.1.0/255.255.255.0 -D 0.0.0.0/0.0.0.0 80 -o -P tcp -W le1
And with ipfilter:
pass in log quick on le1 proto 6 from 192.196.1.0/255.255.255.0 to 0.0.0.0/0.0.0.0 port = 80
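The XML-to-iptables translation shown above, as an added Python illustration: it is not DAXFi's code and does not use DAXFi's API. The function name rule_to_iptables and the interface-name check are assumptions of this example, and only the tags that appear in the rule on this page are handled.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# The rule from the page, embedded so the example runs offline.
RULE_XML = """<?xml version='1.0'?>
<append>
  <rule direction='in' source-ip='192.196.1.0/24' interface='le1'>
    <tcp destination-port='80' />
    <accept />
    <log />
  </rule>
</append>"""

PROTOCOLS = {"tcp": "6"}        # IP protocol number, as in the page's output
VERDICTS = {"accept": "ACCEPT"}
IFACE_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]{0,14}")  # assumed name policy


def rule_to_iptables(xml_text):
    """Translate one <append><rule direction='in'> into iptables argv lists."""
    root = ET.fromstring(xml_text)  # rule files are assumed to be trusted input
    rule = root.find("rule") if root.tag == "append" else None
    if rule is None or rule.get("direction") != "in":
        raise ValueError("only <append><rule direction='in'> is handled here")
    # IPv4Network() rejects malformed values; with_netmask gives a.b.c.d/mask
    source = ipaddress.IPv4Network(rule.get("source-ip", ""), strict=True)
    iface = rule.get("interface", "")
    if not IFACE_RE.fullmatch(iface):  # also blocks values that look like options
        raise ValueError("unexpected interface name: %r" % iface)
    proto = next((c for c in rule if c.tag in PROTOCOLS), None)
    if proto is None:
        raise ValueError("no supported protocol element")
    port = int(proto.get("destination-port", ""))
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    # LOG does not end rule traversal but ACCEPT does, so LOG is appended first
    targets = ["LOG"] if rule.find("log") is not None else []
    targets += [VERDICTS[c.tag] for c in rule if c.tag in VERDICTS][:1]
    return [["iptables", "-A", "INPUT", "-p", PROTOCOLS[proto.tag], "-j", target,
             "--destination-port", str(port), "--in-interface", iface,
             "--source", source.with_netmask] for target in targets]


if __name__ == "__main__":
    for argv in rule_to_iptables(RULE_XML):
        print(" ".join(argv))  # argv lists can go to subprocess.run without a shell
```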