1. Description
PHPFirewall is a tool to allow/block connections to your web resource by IP address. The IP address details are either retrieved from a local database or by making API calls to IP2Location.io.
A typical network firewall is placed at the perimeter of the network, before the internet router, to filter any incoming or outgoing traffic. Over the years, firewalls have advanced from being just layer 3/4 networking devices to inspecting packets and then, depending on the policy, dropping the packet or stream of packets coming from a particular source.
The PHPFirewall application does not do any layer 7 (application layer) inspection. It is a simple firewall that can be placed between the internet and the web resource that you want to protect. It can be deployed on the same server, or it can sit elsewhere in the network as a firewall on a stick to process requests coming from multiple web server applications.
The main idea was to make use of the IP2Location API information to allow/block traffic coming from a specific country, state or city, without the need to add all IP addresses to the database. In addition to filtering geographically defined addresses, you can use this firewall locally to filter traffic within your network by host or network addresses.
With a layer 3 firewall, a device (like a Cisco ASA, a Juniper firewall, etc.) or software (like iptables on Linux) acts as the firewall. With PHPFirewall, your resource entry point becomes the firewall: according to the filters defined in PHPFirewall, your script, which can be index.php or any PHP file, blocks/allows connections. See the following diagram:
Shown above is a simple example of how you would place the PHPFirewall application in your network. As mentioned in the detailed description, your application acts as the firewall; PHPFirewall just stores the filters that you define and, according to those filters, suggests whether the IP is allowed or blocked.
The whole idea of this application came about because of what IP2Location provides in their services. Their database can be as basic as the IP2Location™ IP-Country Database (DB1) or as complex as the IP2Location™ IP-Country-Region-City-Latitude-Longitude-ZIPCode-TimeZone-ISP-Domain-NetSpeed-AreaCode-Weather-Mobile-Elevation-UsageType-AddressType-Category-District-ASN Database (DB26).
For PHPFirewall's functionality, we need at most the IP2Location™ IP-Country-Region-City Database (DB3), as we do not need the Timezone, Latitude or Longitude functionality.
In addition to the above databases, IP2Location also provides a LITE version of the database which you can use for lookups; the only difference is that the database is updated on a weekly/monthly basis.
Since IP2Location launched their new ip2location.io API service, importing their full or LITE database is no longer required. You can still use the binary version of the database as a secondary method for IP2Location lookups.
PHPFirewall gives you the flexibility to set the primary lookup method. It can either point to the new ip2location.io API service, or you can download the binary file (.BIN) via the PHPFirewall CLI Tool to do the lookups. Regardless of which primary lookup is set, if keys are provided for the ip2location.io service, PHPFirewall will automatically fall back to the API service if the primary lookup (.BIN file) fails, and vice versa.
NOTE: Depending on the popularity of this application, I might implement support for more IP2Location (.BIN) database types in the future. For now, you can use the ip2location.io service for a full lookup.
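The primary/fallback lookup and the filter check described above, sketched as an added example that is not PHPFirewall's own code. The function names, filter array shape, stub lookups and sample addresses are constructed for illustration. It assumes IPv4 only, and that an address no lookup can resolve gets the default action (block here), which the page itself does not specify.

```php
<?php
// Added illustration; every name here is hypothetical, not PHPFirewall's API.
/** Try each lookup in order; first usable geo record wins, null if all fail. */
function lookupWithFallback(string $ip, array $lookups): ?array
{
    foreach ($lookups as $name => $lookup) {
        try {
            $geo = $lookup($ip);
            if (is_array($geo) && isset($geo['country'])) return $geo + ['source' => $name];
        } catch (Throwable $e) { error_log("lookup '$name' failed: " . $e->getMessage()); }
    }
    return null;
}

/** IPv4 only: true if $ip lies in $cidr; a bare host address is treated as /32. */
function inNetwork(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipL = ip2long($ip); $netL = ip2long($net); $bits = (int) $bits;
    if ($ipL === false || $netL === false || $bits < 0 || $bits > 32) return false;
    $mask = -1 << (32 - $bits);
    return ($ipL & $mask) === ($netL & $mask);
}

/** First matching filter wins; no match, or no geo data, falls to $default. */
function decide(string $ip, array $filters, array $lookups, string $default = 'block'): string
{
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) return 'block';
    $geo = false; // false = not looked up yet, null = every lookup failed
    foreach ($filters as $f) {
        // Host/network filters need no geolocation, so they never trigger a lookup.
        if ($f['type'] === 'network' && inNetwork($ip, $f['value'])) return $f['action'];
        if ($f['type'] === 'network') continue;
        $geo = $geo === false ? lookupWithFallback($ip, $lookups) : $geo;
        if ($geo && strcasecmp($geo[$f['type']] ?? '', $f['value']) === 0) return $f['action'];
    }
    return $default;
}

// Constructed demo: the .BIN stand-in fails, so the API stand-in answers.
$lookups = [
    'bin' => function (string $ip) { throw new RuntimeException('BIN file unreadable'); },
    'api' => fn(string $ip) => $ip === '203.0.113.7' ? ['country' => 'AU', 'city' => 'Melbourne'] : null,
];
$filters = [
    ['type' => 'network', 'value' => '192.0.2.0/24', 'action' => 'allow'],
    ['type' => 'country', 'value' => 'AU', 'action' => 'allow'],
];
foreach (['192.0.2.10', '203.0.113.7', '198.51.100.9'] as $ip) echo $ip, ' => ', decide($ip, $filters, $lookups), PHP_EOL;
```

The third address resolves in neither stand-in, so it shows the case worth deciding explicitly in any deployment: what the entry-point script does when both lookup methods fail.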