Links: { Chris Lowth's Home Page | LinWiz | TCP/IP Connection Cutter | Protector }

P2Pwall's "FTwall" - 1.09 [Stable]
Kazaa (etc) Blocking with Linux

News: Read about version 1 of this software in the October 2003 Issue of the Linux Journal
Ftwall-2: Version 2 of the software also blocks WinMX and OpenNAP

Please Note: This page relates to ftwall version 1 (stable), for information and download of the experimental version 2, click here

ByChris Lowth
Date4th July 2004
Homehttp://www.lowth.com/p2pwall
StatusStable

Names

  • "Ftwall" is short for "Fast Track traffic Firewall".
  • "Fast track" is the networking protocol used by Kazaa, KazaaLite, iMesh and Grokster.
  • "Ftwall" is part of the "p2pwall" project, which aims to provide similar mechanisms for other peer-to-peer file sharing protocols in future.
  • "P2pwall" is short for "Peer-to-peer traffic firewall".
  • Ftwall version 2 is also capable of blocking WinMX and OpenNAP - and in this, it's name is a historical misnoma.

License

"Ftwall-1" is released under the terms of the "GNU GENERAL PUBLIC LICENSE" Version 2, June 1991. It comes with all the freedoms and disclaimers normally associated with that license.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
The "lhash" library is part of the "OpenSSL" project and is licensed as described in lhash/LICENSE.

    This product includes software developed by the OpenSSL Project
    for use in the OpenSSL Toolkit (http://www.openssl.org/)

    This product includes software written by Eric Young
    (eay@cryptsoft.com).  This product includes software written by Tim
    Hudson (tjh@cryptsoft.com).

Description

"Ftwall-1" is a program for linux firewalls that allows the control of network traffic from "Fast Track" peer-to-peer clients (like "Kazaa" and it's derivatives).

It is designed to block network traffic from Fast Track client applications running in the "home" (or "green") network from making access to any peers on the public internet. It is ideal for use in networks where the security paradigm is "open access" for outbound connections and "tightly limited" access for inbound ones. Ftwall-1 can be used in such a network to prevent outbound Fast Track access, hence preventing illegal file downloads and uploads.

Anyone familiar with the technical problems assoicated with controlling Fast track clients in particular will be aware that a "home" client that establishes an "outbound" connection is immediately available to accept inbound connections through the established TCP/IP socket - even if the gateway firewall blocks all in-bound connections via "normal" TCP/IP and UDP mechanisms. This is a kind of limited "tunnelling". Ftwall-1 solves this (and other) problems.

"Ftwall-1" runs on Linux-based firewalls using kernel 2.4 (tested with 2.4.20) or later and iptables (test with version 1.2.6). This combination of version numbers is the current set employed by RedHat 8.0 - which is the system on which the software has been developed.

Ftwall-1 version 1.09 is also known to run well on RedHat 9 and Fedora core versions 1 and 2.

ftwall-1 runs well on the "ipcop" firewall, version 1.3.0 (GPL) with the QUEUE target and string match modules added manually. I believe that it will similarly run on Smoothwall 2 (GPL) although I have not tested this. It will NOT run on Smoothwall 1.0 since this is an "ipchains" based firewall, not an "iptables" one.

P2P Client Software Versions

FTwall has been tested with the following P2P client applications..

ProductVersions tested
Kazaa2.1.1, 2.5-beta2, 2.5.1
Kazaa Lite2.0.2, K++ 2.4.3
iMesh4.1 build 132, 4.2 build 138
Grokster1.7

Please communicate news of tests and results with other software or versions to the "Open discussion" forum - thanks.

What "Blocking" means to ftwall-1

Due to the complexities of the protocol; in order to effectively block out-bound Fast track access from "Home" network workstations, ftwall-1 works by blocking ALL outbound connections from any workstations that run a Fast track client while the client is running. If a user starts "Kazaa", he will immediately find that his access to the internet is blocked by the firewall. Internet access will become available again a couple of minutes after closing the Kazaa client software.

Whilst this may appear to be "overkill" - it is required in order to allow one of Fast track's "connection modes" from finding a way through the firewall. The author believes that the total lock-out that the user will experience will not be seen as a "problem" to the network managers who are concerned to keep their organisations free from legal action resulting from employees (members, students - what ever) downloading copyrighted material.

"Ftwall-1" is intended to be a technical backup to formal security policies.

Limitations

Ftwall-1 requires Linux kernel version 2.4, equipped with "iptables" and the "QUEUE" target. The "ip_string" match module of iptables is desirable, but not required.

Ftwall-1 works with the "current" version of the Kazaa Fast track network protocol at the time of writing (July 2004). It is possible that it will need to be re-worked if the protocols are changed in future.

Ftwall-1 does not block the "SOCKS PROXY" connection option of FastTrack. For a complete lock-down, the firewall must block this style of traffic.

Status

I have been working on this software for a number of months and has tested it in a limited number of small networks to which I have ready access.

An alpha-test lasting a few weeks, and making use of the input of 20 further testers has been completed. Corrections and enhancements to the software have been made during this time.

A public-access beta test phase started in August 2003 and ran for two months, during which time nearly 900 downloads were taken and no faults were reported.

The software is therefore considered "stable" although there is still room for improvement and the author welcomes input and comments of all sorts.

Making a Donation

Please take a little time (1 to 2 minutes) to make a donation towards the continued development of this software if you download it and find it useful. You can make your donation through the well known and trusted "PayPal" service that is used by eBay (and others) for their payment system.

How much do you suggest that I donate?

If you are willing to make a donation, the sum you donate is down to you, but here are some suggestions (given in US dollars - although you can make your donation in any currency)..

Where you will be using ftwall-1Suggested donation
Personal / Family network5 dollars
Charity or Church networkNothing
Educational establishment network (school, college, university, etc)1 dollar for each workstations/PCs/Laptops connected to the network (suggested minimum: $10).
Public service network (hospital, library, etc)2 dollars for each workstation/PC/Laptop connected to the network (suggested minimum: $10).
Business network or network provider2 dollars per workstation/PC/Laptop in your network (suggested minimum: $100).

Please note that these figures are suggestions only - you are free to give more or less that these sums - as you see fit. But please do give the possibilty of donating something (anything) serious thought.

Note to developers / integrators

If you are taking the ftwall-1 sources to include in a project of your own (or redistribute in any form - such as an RPM), then I ask that you refer your users to this site so that they too have the chance to make a donation.

How to make your donation

To make your donation - click on the PayPal button below. Note that; although the figures are quoted in US Dollars, you can make payments from bank accounts held in any country or currency. For those familiar with "eBay" - this is the same payment system that eBay uses - you should be on familar territory.

Downloading

Please read the GPL License and disclaimer HERE carefully before downloading this software.

IMPORTANT WARNING - PLEASE READ CAREFULLY

If this software is installed incorrectly, or contains "bugs" that cause it to malfunction (I do NOT promise you that it does not contain such "Bugs" or errors), then the security of the firewall on which it is installed may be compromised. The GPL license that grants you permission to use this software underlines the fact that it is supplied to you with NO WARRANTY what so ever - either expressed or implied. The ENTIRE risk of using the software is yours - including the costs of servicing, repair or correction. Because this point is so important to understand - I require you to signify your agreement to it before allowing you to download the software

Signify your agreement to the disclaimer contained in this license by entering your e-mail address in the box below and clicking the "submit" button. You will then be sent instructions on downloading a copy of the software and donating funds to the project. Please take care to get your e-mail address right.

Enter the e-mail address to which download instructions should be sent: Note:
Please make SURE you get your e-mail address right - I cant send you the instructions if ..
  • you give me the wrong address
  • your mailbox is full
  • your mail server blocks my reply!
Check here if you have read the GPL License and disclaimer and you agree with at least sections 11 and 12 (the disclaimer clauses).
If you are willing to make a donation (see above) - please enter an indication of the sum you plan to donate to the project (in US Dollars).$
Then click here to request a copy of the sources (and/or pre-build binary for IPCop-1.3.0)

News, Forums and Announcements

Please do NOT e-mail the author directly about this software unless..
  • you are offering to get involved with the development or testing of the project.
  • you are offering funding.
  • you are interested in alternative licenses.
(You will find my e-mail address by following the "Chris Lowth's home page" link at the top of this page).

For all other matters, please use the mailing list and forums..

  • Annoucements about new releases of this document and software (etc) will be made from time to time in the "comp.os.linux.announce" news group. Keep an eye on this group if you wish to be informed about updates etc.
  • You can also subscribe to the "p2pwall-announce@sourceforge.net" mailing list. That way you will receive p2pwall annoucements without having to check the news group.
  • Support and help on the use of this software can be obtained from "Help forum". Post here if you have problems getting it working, but please use the Open discussion forum (below) for requests for new features.
  • General open discussion (including requests for features and success stories) can be posted to the "Open discussion forum".

Additional documentation

 This page and the software it relates to are Copyright (c) 2003 Chris Lowth, except where indicated explicitly.