P2Pwall's "FTwall" - 1.09 [Stable] - Kazaa (etc) Blocking with Linux
- "Ftwall" is short for "Fast Track traffic Firewall".
- "Fast track" is the networking protocol used by Kazaa, KazaaLite, iMesh and Grokster.
- "Ftwall" is part of the "p2pwall" project, which aims to provide similar mechanisms for other peer-to-peer file sharing protocols in future.
- "P2pwall" is short for "Peer-to-peer traffic firewall".
- Ftwall version 2 is also capable of blocking WinMX and OpenNAP - so in that release its name is a historical misnomer.
"Ftwall-1" is released under the terms of the "GNU GENERAL PUBLIC LICENSE" Version 2, June 1991. It comes with all the freedoms and disclaimers normally associated with that license.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
The "lhash" library is part of the "OpenSSL" project and is licensed as described in lhash/LICENSE.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes software written by Eric Young (firstname.lastname@example.org). This product includes software written by Tim Hudson (email@example.com).
"Ftwall-1" is a program for Linux firewalls that allows the control of network traffic from "Fast Track" peer-to-peer clients (like "Kazaa" and its derivatives).
It is designed to block network traffic from Fast Track client applications running in the "home" (or "green") network from making access to any peers on the public internet. It is ideal for use in networks where the security paradigm is "open access" for outbound connections and "tightly limited" access for inbound ones. Ftwall-1 can be used in such a network to prevent outbound Fast Track access, hence preventing illegal file downloads and uploads.
Anyone familiar with the technical problems associated with controlling Fast Track clients in particular will be aware that a "home" client that establishes an "outbound" connection is immediately available to accept inbound connections through the established TCP/IP socket - even if the gateway firewall blocks all inbound connections via "normal" TCP/IP and UDP mechanisms. This is a kind of limited "tunnelling". Ftwall-1 solves this (and other) problems.
"Ftwall-1" runs on Linux-based firewalls using kernel 2.4 (tested with 2.4.20) or later and iptables (tested with version 1.2.6). This combination of version numbers is the current set employed by RedHat 8.0 - which is the system on which the software has been developed.
Ftwall-1 version 1.09 is also known to run well on RedHat 9 and Fedora core versions 1 and 2.
Ftwall-1 runs well on the "ipcop" firewall, version 1.3.0 (GPL), with the QUEUE target and string match modules added manually. I believe that it will similarly run on Smoothwall 2 (GPL), although I have not tested this. It will NOT run on Smoothwall 1.0, since this is an "ipchains" based firewall, not an "iptables" one.
P2P Client Software Versions
FTwall has been tested with the following P2P client applications..
| Client | Versions tested |
|---|---|
| Kazaa | 2.1.1, 2.5-beta2, 2.5.1 |
| Kazaa Lite | 2.0.2, K++ 2.4.3 |
| iMesh | 4.1 build 132, 4.2 build 138 |
Please communicate news of tests and results with other software or versions to the "Open discussion" forum - thanks.
What "Blocking" means to FTWall 1
Due to the complexities of the protocol, in order to effectively block outbound Fast Track access from "Home" network workstations, ftwall-1 works by blocking ALL outbound connections from any workstation that runs a Fast Track client, for as long as the client is running. If a user starts "Kazaa", he will immediately find that his access to the internet is blocked by the firewall. Internet access will become available again a couple of minutes after closing the Kazaa client software.
Whilst this may appear to be "overkill", it is required in order to prevent one of Fast Track's "connection modes" from finding a way through the firewall. The author believes that the total lock-out that the user will experience will not be seen as a "problem" by network managers who are concerned to keep their organisations free from legal action resulting from employees (members, students - whatever) downloading copyrighted material.
"Ftwall-1" is intended to be a technical backup to formal security policies.
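The quarantine behaviour described in this section (every outbound connection from a workstation dropped while a Fast Track client is running, access restored a couple of minutes after the client stops) can be modelled as a per-host expiry table. The block below is an added example written for this page, not ftwall-1's own code: it assumes a 120-second grace period for the page's "couple of minutes", and it takes detection events from a hypothetical classifier rather than inspecting real packets, since the Fast Track signatures themselves are not part of this page.

```python
"""Per-host outbound quarantine with expiry (added example, not ftwall-1 code).

A detection event for a LAN host marks it as blocked for ALL outbound traffic.
The block stays in force while detections keep arriving and lapses a fixed
grace period after the most recent one, which reproduces the user-visible
behaviour described above: start the client, lose internet access; stop the
client, regain it a couple of minutes later.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

GRACE_SECONDS = 120.0  # assumed value for "a couple of minutes"

# Event kinds produced by a hypothetical classifier sitting on the QUEUE path.
FASTTRACK = "fasttrack"  # packet recognised as Fast Track client traffic
OTHER = "other"          # any other outbound packet (web, mail, ...)


@dataclass
class Quarantine:
    """Tracks, per source host, the time of the last Fast Track detection."""
    grace: float = GRACE_SECONDS
    last_seen: Dict[str, float] = field(default_factory=dict)

    def record_detection(self, host: str, now: float) -> None:
        # Every fresh detection extends the block; the client is still running.
        self.last_seen[host] = now

    def is_blocked(self, host: str, now: float) -> bool:
        seen = self.last_seen.get(host)
        if seen is None:
            return False
        if now - seen > self.grace:
            # Grace period elapsed with no new detection: lift the block.
            del self.last_seen[host]
            return False
        return True

    def verdict(self, src: str, kind: str, now: float) -> str:
        """Decide the fate of one outbound packet from src at time now."""
        if kind == FASTTRACK:
            self.record_detection(src, now)
        return "DROP" if self.is_blocked(src, now) else "ACCEPT"


def simulate(events: List[Tuple[float, str, str]],
             grace: float = GRACE_SECONDS) -> List[str]:
    """Run a sequence of (time, src, kind) events through one Quarantine."""
    q = Quarantine(grace=grace)
    return [q.verdict(src, kind, t) for t, src, kind in events]


# Constructed event trace: host .10 starts a client at t=5, keeps it running
# until t=60, then stops; host .11 never runs one.
SAMPLE_EVENTS = [
    (0.0, "192.168.1.10", OTHER),      # nothing detected yet -> ACCEPT
    (5.0, "192.168.1.10", FASTTRACK),  # client starts -> DROP, host blocked
    (6.0, "192.168.1.10", OTHER),      # ordinary web traffic now DROPped too
    (6.0, "192.168.1.11", OTHER),      # other host unaffected -> ACCEPT
    (60.0, "192.168.1.10", FASTTRACK), # client still running, block refreshed
    (170.0, "192.168.1.10", OTHER),    # 110 s since last detection -> DROP
    (200.0, "192.168.1.10", OTHER),    # 140 s > grace -> block lifted, ACCEPT
]


if __name__ == "__main__":
    for (t, src, kind), v in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"t={t:6.1f} {src:14} {kind:9} -> {v}")
```

The expiry is lazy: a host's entry is only discarded when it is next consulted, so the table never needs a timer thread, and a burst of detections from a host that never stops its client simply keeps sliding the deadline forward. Real packet classification would sit in `verdict` in place of the pre-labelled `kind` field.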
Ftwall-1 requires Linux kernel version 2.4, equipped with "iptables" and the "QUEUE" target. The "ip_string" match module of iptables is desirable, but not required.
Ftwall-1 works with the "current" version of the Kazaa Fast track network protocol at the time of writing (July 2004). It is possible that it will need to be re-worked if the protocols are changed in future.
Ftwall-1 does not block the "SOCKS PROXY" connection option of FastTrack. For a complete lock-down, the firewall must block this style of traffic.
Making a Donation
Please take a little time (1 to 2 minutes) to make a donation towards the continued development of this software if you download it and find it useful. You can make your donation through the well known and trusted "PayPal" service that is used by eBay (and others) for their payment system.
How much do you suggest that I donate?
If you are willing to make a donation, the sum you donate is down to you, but here are some suggestions (given in US dollars - although you can make your donation in any currency)..
| Where you will be using ftwall-1 | Suggested donation |
|---|---|
| Personal / Family network | 5 dollars |
| Charity or Church network | Nothing |
| Educational establishment network (school, college, university, etc) | 1 dollar for each workstation/PC/laptop connected to the network (suggested minimum: $10). |
| Public service network (hospital, library, etc) | 2 dollars for each workstation/PC/laptop connected to the network (suggested minimum: $10). |
| Business network or network provider | 2 dollars per workstation/PC/laptop in your network (suggested minimum: $100). |
Please note that these figures are suggestions only - you are free to give more or less than these sums, as you see fit. But please do give the possibility of donating something (anything) serious thought.
Note to developers / integrators
If you are taking the ftwall-1 sources to include in a project of your own (or redistribute in any form - such as an RPM), then I ask that you refer your users to this site so that they too have the chance to make a donation.
How to make your donation
To make your donation, click on the PayPal button below. Note that, although the figures are quoted in US Dollars, you can make payments from bank accounts held in any country or currency. For those familiar with "eBay", this is the same payment system that eBay uses, so you should be on familiar territory.
Please read the GPL License and disclaimer HERE carefully before downloading this software.
If this software is installed incorrectly, or contains "bugs" that cause it to malfunction (I do NOT promise you that it does not contain such "bugs" or errors), then the security of the firewall on which it is installed may be compromised. The GPL license that grants you permission to use this software underlines the fact that it is supplied to you with NO WARRANTY whatsoever - either expressed or implied. The ENTIRE risk of using the software is yours - including the costs of servicing, repair or correction.
News, Forums and Announcements
Please do NOT e-mail the author directly about this software unless..
- you are offering to get involved with the development or testing of the project.
- you are offering funding.
- you are interested in alternative licenses.
(You will find my e-mail address by following the "Chris Lowth's home page" link at the top of this page).
For all other matters, please use the mailing list and forums..
- Announcements about new releases of this document and software (etc) will be made from time to time in the "comp.os.linux.announce" news group. Keep an eye on this group if you wish to be informed about updates etc.
- You can also subscribe to the "firstname.lastname@example.org" mailing list. That way you will receive p2pwall announcements without having to check the news group.
- Support and help on the use of this software can be obtained from "Help forum". Post here if you have problems getting it working, but please use the Open discussion forum (below) for requests for new features.
- General open discussion (including requests for features and success stories) can be posted to the "Open discussion forum".
- The ftwall version 1 manual page.
- INSTALL Document for version 1
- Adding the "String match" module of iptables to your linux kernel
- Installing FTWALL version 1 in IPCop 1.3.0 (GPL) firewalls
- [EXTERNAL] Ftwall Implementation for Smoothwall 2.0 (Howto and download)
- [EXTERNAL] Using FTWall with Shorewall
- [EXTERNAL] Linux Journal: Securing your network against Kazaa