Internal Firewall

The Internal Firewall Add-On provides an additional layer of protection for your FusionInvoice installation by integrating with Cloudflare.

This module can:

Automatically detect repeated suspicious requests
Temporarily ban abusive IP addresses
Permanently ban IPs
Whitelist trusted IPs
Instantly ban visitors accessing specific URLs

⚠️ This add-on does not replace a proper server-level firewall. It is designed as an additional protection layer.

Requirements

Before enabling the Internal Firewall:

Your domain must be configured and proxied through Cloudflare.
You must have your Cloudflare Zone ID.
You must create a Cloudflare API Token with firewall rule permissions.

Without Cloudflare properly configured, this add-on will not function.

Before you Begin

The Add-on must be installed and enabled before you can use it.

Step 1: Obtain Cloudflare Credentials

Find Your Zone ID

Log into your Cloudflare dashboard.
Select your domain.
Locate the Zone ID in the right-hand sidebar.
Copy the Zone ID.

Create an API Token

Go to Cloudflare → My Profile → API Tokens.
Click Create Token.
Use a template or create a custom token with permissions to manage firewall rules.
Restrict the token to your specific zone.
Copy the generated API token.

⚠️ Store your API token securely. It grants access to firewall management.

Step 2: Configure Internal Firewall

Navigate to:
Settings → Internal Firewall

Main Configuration Fields

Internal Firewall: Enable or Disable the system.
Cloudflare API Token: Paste your API token.
Cloudflare Zone ID: Paste your Zone ID.
Number of Strikes Before Banning: How many violations are allowed before a ban.
Strikes Timeframe: The time window for counting strikes (e.g., 1 minute).
Ban Time Length: How long the temporary ban remains active.

Save Configuration

Enter all required fields.
Click Verify and Save.

The system will verify your Cloudflare credentials before saving.

How Automatic Strike-Based Banning Works

When a visitor repeatedly triggers suspicious behavior:

The system records a strike.
If strikes exceed the configured threshold within the timeframe,
The IP address is banned via Cloudflare.
The ban remains active for the configured duration.

This helps protect against:

Permanently Banned Tab

The Permanently Banned tab lists IP addresses that have been permanently blocked.

Columns include:

IP Address
Location
Bad URL (if applicable)
Ban Status
Banned Until
Notes

You may remove or manage banned IPs using the Options dropdown.

Whitelist Tab

The Whitelist tab allows you to exempt IP addresses from automatic banning.

To Add a Whitelisted IP

Click + New.
Enter the IP address.
Add an optional note.
Save.

Whitelisted IPs will never be automatically banned. This is useful for:

Office IP addresses
Developers
Trusted partners

Instant Bans Tab

The Instant Bans feature allows you to immediately ban any visitor who accesses a URL containing specific words.

How It Works

Enter comma-separated words in the Instant Bans field.

.env, wp-admin, spam, fraud

If a visitor attempts to access a URL containing any of those words, their IP address is automatically banned.

To Configure

Enter words separated by commas.
Click Save.

Use this feature to block:

Common bot attack paths
WordPress probes (wp-admin, wp-login)
Environment file scans (.env)
Known malicious patterns

Refreshing and Managing Records

Use the refresh button in each tab to update the list of IP addresses.

All bans are synchronized with Cloudflare.

Troubleshooting

Firewall Not Working

Verify domain is properly proxied through Cloudflare.
Confirm Zone ID is correct.
Confirm API token has proper permissions.
Click Verify and Save again.

IP Not Being Banned

Check strike threshold settings.
Confirm IP is not whitelisted.
Verify Instant Ban keywords are correct.

Accidentally Banned Yourself

Access Cloudflare directly.
Remove the firewall rule.
Add your IP to the whitelist in FusionInvoice.

Important Notes

This add-on requires active Cloudflare DNS proxy (orange cloud enabled).
Cloudflare API credentials are required for all firewall operations.
The Internal Firewall is an additional layer and should not replace server-level protections.

Installation

Email Setup

Task Scheduler

Upgrading

Adding a Client

Client Types

Lead Sources

Contacts

Localization Settings

Parent and Child Accounts

Notes

Client Settings

Emailing a Client

Creating a Quote

Sending a Quote

Converting a Quote Into an Invoice

Copying a Quote

Attaching Files to a Quote

Creating an Invoice

The Invoices List Screen

Emailing an Invoice

Entering a Payment

Copying an Invoice

Attaching Files to an Invoice

How Are QR Codes Used?

How Do Subscriptions Work?

Creating a Subscription

Copying a Subscription

Entering a Payment

Enabling Online Payments

Getting Your PayPal REST API keys

How Do Clients Pay Their Invoice Online?

Credit Memos and Pre-Payments

Entering an Expense

Billing an Expense to the Client

Copying an Expense

How to See Your Profit and Loss

What is the Dashboard?

Navigation Menu

Most Recently Used List

Recent Client Activity Widget

Task List Widget

Changing the Dashboard Layout and Widgets

KPI Cards

Creating a New User

Types of Users

Permissions

User Profiles

System User

Search

Tags

Filtering

System Settings

Dashboard Options

Payment Terms

Company Profiles

Payment Methods

Tax Rates

Item Lookups and Categories

Expense Vendors and Categories

Currencies

User Accounts

Custom Fields

Utilities and Logs

Importing Files

File Requirements and Templates

Setting Up Multiple Currencies

Time Tracking

Sales Commissions

ProForma Invoices

E-Invoicing

SMS

Internal Firewall

Purchase Orders

Add-On Installation

Creating Logins for Clients

Client Statement

Expense List

Item Sales

Payments Collected