![[DAXFi - The Dynamic XML Firewall]](daxfi.png "DAXFi - The Dynamic XML Firewall")
|
Introduction Download Demo Documentation Mailing lists Patches |
|
What is DAXFi
DAXFi is a Python package that helps configure several different
kinds of firewalls in a consistent way.
The rules can be described with XML files, XML strings, or generated directly by the code. It comes with a Python package, useful to build other applications aimed to manipulate different firewalls in a homogeneous way and includes some useful example programs. |
Subscribe to DAXFi (with Freshmeat) |
|
Development notice
Developers required! Required skills: Python, C, firewalling concepts, basic XML, a little of knowledge of various operating systems' kernel (Linux, *BSD, Solaris, etc.) on different architectures (i386, powerPC, Alpha, etc.) could help. Things to do: create a distutils setup.py file, clean the code, support other firewalls (ipfw, pf, etc.), write a XML schema. See also the TODO.txt. Contact me: if you're seriously interested, mail me at alberanid@libero.it or, even better, subscribe the daxfi-devel mailing list. |
|
|
Supported firewalls
|
|
|
What's new (25 Apr 2007) This is a version with every patch applied; only the tar.gz is available.
|
Introduction
How can you use DAXFi?If you are a developer:
- maybe you need to develop an application
to manage a firewall, and you want to stay independent from the
syntax of a specific tool: you can import the daxfi Python package from
your program, instantiate an object of the Firewall class and then use this
object to create new rules (from XML files, XML strings or using methods of
this object).
Then you can execute these rules, see which rules are already running on your system, compare two rules and so on.
Download DAXFi and read the documentation.
If you are a user or a system/network administrator, you can use one of the programs already available:
- with the daxfictl script you can add and remove firewall rules from the command line: you can rapidly grant or deny access to defined addresses; the script is smart enough to refuse to run a rule that already exists.
- if you have a set of rules already running on your system, you can use the daxfidump script to obtain the equivalent set of XML files.
- with daxfixmlfile you can write your rules in XML files, and then use this script to generate/run the commands for your firewall.
- if you are connected via a dial-up, you can use daxfid: it's a script that helps configure a firewall for a dial-up system, and can run as daemon to adapt its behavior to external conditions (note: daxfid is a quite big and complex program, if you're new to DAXFi try playing with other scripts, first).
Download
You can download DAXFi from http://sourceforge.net/project/showfiles.php?group_id=28520
DAXFi is actually hosted on SourceForge; you can read the project summary here:
http://sourceforge.net/projects/daxfi/
DAXFi's page on Freshmeat is here: http://freshmeat.net/projects/daxfi/
Demo
A demo cgi created using DAXFi.
| Demo | Description | source |
| DAXFi demo | Create firewall rules on the fly. | daxfidemo-0.1.tar.gz |
Documentation
DAXFi comes with a huge amount of documentation; here you can find only what can be useful as introduction to DAXFi.
Tutorials and other texts
- How to write XML rules for DAXFi: here you can find a complete description of DAXFi's XML and many examples.
- daxfifw_0.5.dtd [HTML version]:
DAXFi defines firewall rules with XML; this DTD describes the
syntax and the grammar of the XML.
Note: this DTD is still a work in progress: feel free to submit any suggestion to me (see the Mailing list section).
XML rule example
<?xml version='1.0'?>
<!-- Accept and log packets incoming from IP addresses '192.196.1.0/24',
on interface 'le1' directed to TCP port '80' -->
<append>
<rule direction='in' source-ip='192.196.1.0/24' interface='le1'>
<tcp destination-port='80' />
<accept />
<log />
</rule>
</append>
|
You can see the resulting command for a given firewall using the daxfixmlfile script.
If you're using ipchains, the resulting command will be:
ipchains -A input -j ACCEPT -l --destination-port 80 -p 6 --interface le1 --source 192.196.1.0/255.255.255.0
With iptables, two distinct commands are created and run:
iptables -A INPUT -p 6 -j LOG --destination-port 80 --in-interface le1 --source 192.196.1.0/255.255.255.0
iptables -A INPUT -p 6 -j ACCEPT --destination-port 80 --in-interface le1 --source 192.196.1.0/255.255.255.0
For ipfwadm:
ipfwadm -a accept -I -S 192.196.1.0/255.255.255.0 -D 0.0.0.0/0.0.0.0 80 -o -P tcp -W le1
And with ipfilter:
pass in log quick on le1 proto 6 from 192.196.1.0/255.255.255.0 to 0.0.0.0/0.0.0.0 port = 80
Notes
Obviously the code is still quite immature and many improvements are needed: take a deep look at the rules that DAXFi will generate.
Mailing lists
Users support
If you are (or if you want to become) a user of DAXFi you can post questions, problems and suggestions to the Open Discussion and Help forums.
Development
If you are interested in the development of DAXFi, you can join the daxfi-devel mailing list (or you can read the archives).You can also read the TODO list.
Moreover, fell free to contact me at: alberanid@libero.it
|
|
|
|
|
|