IP-based firewall for Axion services with geo-blocking, ISP/ASN filtering, honeypot integration, auto-ban, and UFW sync.
Class: ObjFirewall in factory.core/ObjFirewall.py
Inherits: ObjFirewallEdit (extend.edit), ObjData
Table: def_firewall
ObjFirewall provides a multi-layer security pipeline that evaluates incoming requests against allow/deny rules stored in the database. Rules are cached in memory (5 min TTL) for fast lookups without per-request DB queries.
| Layer | Feature | Blocks at |
|---|---|---|
| UFW | sync_to_ufw() | Network/iptables (before Caddy) |
| Cloudflare | Edge caching + WAF | CDN edge (before origin) |
| ObjFirewall | IP/CIDR deny | Application (before report render) |
| ObjFirewall | Geo deny (country/region) | Application |
| ObjFirewall | ISP/ASN deny | Application |
| ObjFirewall | AbuseIPDB honeypot | Application (auto-ban on score >= 50%) |
| ObjFirewall | Auto-ban from rate limit | Application (24hr expiring DENY) |
| ObjRateLimit | Per-user + per-IP throttle | Application |

| Column | Type | Description |
|---|---|---|
| RuleId | INT AUTO_INCREMENT | Primary key |
| Package | VARCHAR(100) | Package scope or 'ALL' |
| RuleType | CHAR(10) | DENY or ALLOW |
| IpAddress | VARCHAR(50) | Single IP address |
| CidrRange | VARCHAR(50) | CIDR notation (e.g. 10.0.0.0/8) |
| Description | VARCHAR(255) | Human-readable reason |
| Active | CHAR(1) | Y or N |
| Scope | VARCHAR(50) | ALL, WEB, WEBHOOK, API |
| CountryCode | CHAR(2) | ISO 3166-1 alpha-2 country code |
| Region | VARCHAR(100) | Region/state name |
| Isp | VARCHAR(255) | ISP name (contains match) |
| Asn | VARCHAR(50) | ASN identifier (contains match) |
| Source | VARCHAR(50) | Rule origin: manual, autoban:reason, abuseipdb:score |
| CreatedDate | DATETIME | When the rule was created |
| ExpiresDate | DATETIME | Auto-removal time (NULL = permanent) |
Check if an IP is allowed. Returns (True, None) if allowed or (False, reason) if blocked.
Same as check_ip but optionally checks AbuseIPDB. If honeypot=True and score >= threshold, auto-bans the IP.
Add a firewall rule. Use keyword arguments for the rule type you need:

```python
add_rule("DENY", ip_address="1.2.3.4")
add_rule("DENY", cidr_range="10.0.0.0/8")
add_rule("DENY", country_code="CN")
add_rule("DENY", isp="Bad Hosting Co")
add_rule("DENY", ip_address="1.2.3.4", expires_hours=24)
```

Auto-create a DENY rule with expiry. Enriches the rule with geo/ISP data from ip-api.com. Called automatically when ObjRateLimit triggers.
Deactivate a rule by ID (soft delete: sets Active='N').
List all active rules for the current package.
Force reload rules from DB on next check.
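As an added example (not Axion's own code), here is an in-memory evaluator that applies rules shaped like the def_firewall columns and returns the (True, None) / (False, reason) result that check_ip documents. The dict keys, the case-insensitive contains-match, and ALLOW taking precedence over DENY are assumptions; the rules below are constructed samples.

```python
import ipaddress
from datetime import datetime

def rule_matches(rule, req, now):
    """True when the rule is active, unexpired, in scope, and every populated
    selector (ip, cidr, country, region, isp, asn) fits the request."""
    if rule.get("active", "Y") != "Y":
        return False
    exp = rule.get("expires")                      # ExpiresDate; None = permanent
    if exp is not None and exp <= now:
        return False
    if rule.get("scope", "ALL") not in ("ALL", req["scope"]):
        return False
    ip = ipaddress.ip_address(req["ip"])
    selectors = [
        (rule.get("ip_address"), lambda v: ip == ipaddress.ip_address(v)),
        (rule.get("cidr_range"), lambda v: ip in ipaddress.ip_network(v, strict=False)),
        (rule.get("country_code"), lambda v: req.get("country") == v),
        (rule.get("region"), lambda v: req.get("region") == v),
        # ISP and ASN are contains-matches (assumed case-insensitive here),
        # so "DigitalOcean" also matches "DigitalOcean, LLC"
        (rule.get("isp"), lambda v: v.lower() in (req.get("isp") or "").lower()),
        (rule.get("asn"), lambda v: v.lower() in (req.get("asn") or "").lower()),
    ]
    populated = [(v, f) for v, f in selectors if v]
    return bool(populated) and all(f(v) for v, f in populated)

def check_ip(rules, req, now=None):
    """Return (True, None) if allowed or (False, reason) if blocked."""
    now = now or datetime.now()
    hits = [r for r in rules if rule_matches(r, req, now)]
    if any(r["rule_type"] == "ALLOW" for r in hits):   # assumption: ALLOW wins
        return True, None
    for r in hits:
        if r["rule_type"] == "DENY":
            return False, r.get("description") or r.get("source") or "denied"
    return True, None

# Constructed sample rules mirroring the def_firewall columns
RULES = [
    {"rule_type": "DENY", "ip_address": "1.2.3.4", "description": "Known bad actor"},
    {"rule_type": "DENY", "country_code": "CN", "scope": "WEBHOOK",
     "description": "Block China webhooks"},
    {"rule_type": "ALLOW", "cidr_range": "10.0.0.0/8", "description": "Internal network"},
    {"rule_type": "DENY", "isp": "DigitalOcean", "description": "Block cloud VPS"},
    {"rule_type": "DENY", "ip_address": "5.6.7.8", "source": "autoban:rate_limit",
     "expires": datetime(2024, 1, 2)},         # 24h auto-ban that ended 2024-01-02
]
```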
AbuseIPDB provides a free API for reporting and checking IP addresses. Webmasters, system administrators, and IT professionals use it to report thousands of IP addresses engaging in spamming, hacking, vulnerability scanning, and other malicious activity in real time.
The API lets you protect your network by checking IP addresses against their database, and lets you contribute by submitting the malicious IPs you detect. The API is free to use but requires an account.
Important: APIv1 is deprecated. Axion uses APIv2 exclusively.
```yaml
abuseipdb:
  api_key: YOUR_API_KEY
```
Queries AbuseIPDB APIv2 /api/v2/check endpoint. Returns:
| Field | Type | Description |
|---|---|---|
| score | int | Abuse confidence score (0-100) |
| total_reports | int | Number of reports in last 90 days |
| country | str | Country code |
| isp | str | ISP name |
| domain | str | ISP domain |
| is_tor | bool | Whether IP is a Tor exit node |
| checked | bool | Whether the API call succeeded |
| auto_banned | bool | Whether the IP was auto-banned |
Auto-bans if score >= ABUSEIPDB_THRESHOLD (default 50%). Ban duration is 7 × AUTOBAN_DEFAULT_HOURS (7 days at the default of 24 hours).
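As an added example (not Axion's own code), this maps an APIv2 /api/v2/check payload to the result fields in the table above and applies the auto-ban decision with the documented threshold and 7 × AUTOBAN_DEFAULT_HOURS expiry. The response is a constructed sample in APIv2's shape (no network call), and the extra `rule` key holding the DENY rule that would be passed to add_rule is an assumption.

```python
from datetime import datetime, timedelta

AUTOBAN_DEFAULT_HOURS = 24      # defaults from the constants table
ABUSEIPDB_THRESHOLD = 50

# Constructed sample shaped like an APIv2 /api/v2/check payload (no network call)
SAMPLE_RESPONSE = {"data": {
    "ipAddress": "198.51.100.7", "abuseConfidenceScore": 83, "totalReports": 41,
    "countryCode": "NL", "isp": "Example Hosting BV", "domain": "example.net",
    "isTor": False,
}}

def evaluate_abuseipdb(response, honeypot=True, now=None):
    """Map an APIv2 check payload to the documented result fields and, when
    honeypot=True and the score meets the threshold, build the DENY rule that
    add_rule() would receive. A None/malformed response means the call failed."""
    data = (response or {}).get("data")
    if not data:
        return {"score": 0, "total_reports": 0, "country": None, "isp": None,
                "domain": None, "is_tor": False, "checked": False,
                "auto_banned": False, "rule": None}
    result = {"score": int(data.get("abuseConfidenceScore", 0)),
              "total_reports": int(data.get("totalReports", 0)),
              "country": data.get("countryCode"), "isp": data.get("isp"),
              "domain": data.get("domain"), "is_tor": bool(data.get("isTor")),
              "checked": True, "auto_banned": False, "rule": None}
    if honeypot and result["score"] >= ABUSEIPDB_THRESHOLD:
        hours = 7 * AUTOBAN_DEFAULT_HOURS          # 7 days at the default
        now = now or datetime.now()
        result["rule"] = {
            "rule_type": "DENY", "ip_address": data["ipAddress"],
            "country_code": result["country"], "isp": result["isp"],
            "source": f"abuseipdb:{result['score']}",      # Source column format
            "expires_hours": hours, "expires": now + timedelta(hours=hours),
            "description": f"AbuseIPDB score {result['score']}% >= {ABUSEIPDB_THRESHOLD}%",
        }
        result["auto_banned"] = True
    return result
```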
Block by ISP name or ASN using data from ip-api.com (returned alongside the geo data). Matching is contains-based, so partial ISP names work:

```python
fw.add_rule("DENY", isp="DigitalOcean",
            description="Block cloud VPS")
fw.add_rule("DENY", asn="AS14061",
            description="Block DigitalOcean ASN")
```
Sync application-layer rules to the host's UFW (iptables) for network-level blocking before traffic reaches Caddy/uvicorn.
Pushes all IP DENY/ALLOW rules to UFW. Returns list of (command, success, output) tuples.
Returns the output of `ufw status numbered`.
Delete a UFW rule by number.
Important: UFW commands require root or sudo. The Axion process must have appropriate permissions.
Provided by ObjFirewallEdit mixin in extend.edit/ObjFirewallEdit.py.
Export all active rules to YAML. Default path: local.documents/backup/<package>/firewall.yaml
Import rules from YAML file. Returns count of rules imported.
```yaml
package: REFERENCE
firewall_rules:
  - rule_type: DENY
    ip_address: 1.2.3.4
    scope: ALL
    description: Known bad actor
  - rule_type: DENY
    country_code: CN
    scope: WEBHOOK
    description: Block China webhooks
  - rule_type: ALLOW
    cidr_range: 10.0.0.0/8
    scope: ALL
    description: Internal network
```
ObjReportFirewall in factory.report/package.system/ provides a full CRUD interface:
Access via: /report/DEMO_FIREWALL/
| Constant | Default | Description |
|---|---|---|
| _FIREWALL_CACHE_TTL | 300 | Rule cache refresh interval (seconds) |
| _GEO_IP_CACHE_MAX | 5000 | Max cached IP geo lookups |
| AUTOBAN_DEFAULT_HOURS | 24 | Default auto-ban duration (hours) |
| ABUSEIPDB_THRESHOLD | 50 | Abuse score that triggers auto-ban |