FTwall V1 (P2P firewalling with Linux) MAN PAGE

NAME
ftwall - Fast Track Firewall. Control of IP traffic from Kazaa and its clones.

MORE NAMES
``Fast track'' is the networking protocol used by Kazaa, KazaaLite, iMesh and Grokster. ``Ftwall'' is part of the ``p2pwall'' project, which aims to provide similar mechanisms for other peer-to-peer file sharing protocols in the future. ``P2pwall'' is short for ``Peer-to-peer traffic firewall''.
USAGE SUMMARY
ftwall [option(s)]

    -d             debug and stay in foreground
    -s             stay in foreground (default: don't)
    -n             don't block UDP packets (default: do)
    -b number      set socket buffer size (default: 32k)
    -f filename    set name of storefile (default: none)
    -t number      set seconds of timelock. 0 disables (default: 120)
    -c directory   create/delete files here as clients appear/vanish
    -l|L what      set events to log to syslog|stderr (default: none)
                     u (U) : dropped (accepted) UDP packets
                     t (T) : dropped (accepted) TCP/IP packets
                     c     : identified green-network clients
                     p     : identified public-network peers

See the ``OPTION DETAILS'' section for more information on ftwall's options and their meanings.
DESCRIPTION
``Ftwall'' is a program for Linux firewalls that allows the control of network traffic from ``Fast Track'' peer-to-peer clients like ``Kazaa'' and its derivatives. It is designed to stop Fast Track client applications running in the ``home'' (or ``green'') network from making access to any peers on the public internet. It is ideal for use in networks where the security paradigm is ``open access'' for outbound connections and ``tightly limited'' access for inbound ones. Ftwall can be used in such a network to prevent outbound Fast Track access, hence preventing illegal file downloads and uploads.

Anyone familiar with the technical problems associated with controlling Fast Track clients will be aware that a ``home'' client that establishes an ``outbound'' connection is immediately available to accept inbound requests through the established TCP/IP socket - even if the gateway firewall blocks all inbound connections via ``normal'' TCP/IP and UDP mechanisms. This is a kind of limited ``tunnelling''. Ftwall solves this (and other) problems.

``Ftwall'' runs on Linux-based firewalls using kernel 2.4 (tested with 2.4.20) or later and iptables (tested with version 1.2.6). This combination of version numbers is the set employed by RedHat 8.0 [July 2003], which is the system on which the software has been developed.

Due to the complexities of the Fast Track protocol, in order to effectively block outbound Fast Track access from ``home'' network workstations, ftwall works by blocking ALL outbound connections from any workstation that runs a Fast Track client, for as long as the client is running. If a user starts ``Kazaa'', ``iMesh'' or any other Fast Track client, he will immediately find that his access to the internet is blocked by the firewall. Internet access becomes available again a couple of minutes (the ``timelock''; see the ``-t'' option) after the Kazaa client software is closed.

Whilst this may appear to be ``overkill'', it is required in order to stop any one of Fast Track's ``connection modes'' from finding a way through the firewall. The author believes that the total lock-out that the user will experience will not be seen as a ``problem'' by network managers who are concerned to keep their organisations free from legal action resulting from employees (members, students, whatever) downloading copyrighted material. ``Ftwall'' is intended to be a technical backup to formal security policies.
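The lock-out policy described above, as an added example that is not ftwall's own code: a small Python model of the decision ftwall makes per outbound packet. Real ftwall receives packets from an iptables QUEUE target and recognises the Fast Track protocol itself; here the packet layout, the green-network prefix (192.168.1.0/24), the detector (a constructed marker string, not a real Fast Track signature), the sample trace, and the exact handling of ``-n'' and ``-t 0'' are all assumptions made for the demo. What it shows is the behaviour the DESCRIPTION promises: once a host is identified, all of its outbound traffic is dropped, other hosts are unaffected, every further detection re-arms the timelock, and access returns only after the timelock has run out.

```python
"""Model of ftwall's lock-out policy.

Added example, not ftwall's source.  The packet layout, green network,
detector (a constructed marker) and the handling of -n / -t 0 are
assumptions made for this demo.
"""
from dataclasses import dataclass
import ipaddress

GREEN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed home network
DEFAULT_TIMELOCK = 120.0                            # seconds; the -t default


@dataclass
class Packet:
    ts: float        # time seen, seconds
    src: str         # source IP (a green host for outbound traffic)
    dst: str         # destination IP on the public network
    proto: str       # "tcp" or "udp"
    dport: int
    payload: bytes = b""


class FtwallModel:
    """Drop ALL outbound traffic from a green host while it runs a Fast
    Track client, and for `timelock` seconds after its last detection."""

    def __init__(self, is_fasttrack, timelock=DEFAULT_TIMELOCK, block_udp=True):
        self.is_fasttrack = is_fasttrack   # caller-supplied packet classifier
        self.timelock = timelock           # -t  (0: only matched packets are dropped)
        self.block_udp = block_udp         # -n  sets this to False
        self.lock_expiry = {}              # green host -> time its lock expires
        self.events = []                   # what "-lc" / "-Lc" would log

    def _locked(self, host, now):
        """True while the host's timelock is still running; clears stale locks."""
        expiry = self.lock_expiry.get(host)
        if expiry is None:
            return False
        if now < expiry:
            return True
        del self.lock_expiry[host]
        self.events.append(("cleared", host))
        return False

    def verdict(self, pkt):
        """Return 'accept' or 'drop' for one outbound packet."""
        if ipaddress.ip_address(pkt.src) not in GREEN_NET:
            return "accept"                # only green-network clients are policed
        was_locked = self._locked(pkt.src, pkt.ts)
        matched = self.is_fasttrack(pkt)
        if matched:
            if not was_locked:
                self.events.append(("client", pkt.src))
            self.lock_expiry[pkt.src] = pkt.ts + self.timelock  # (re)arm the timelock
        if not (matched or was_locked):
            return "accept"
        if pkt.proto == "udp" and not self.block_udp:
            return "accept"                # -n: UDP is identified but never dropped (assumed)
        return "drop"                      # locked: even unrelated traffic is dropped

    def active_clients(self, now):
        """The hosts whose files would currently exist in the -c directory."""
        return sorted(h for h, exp in self.lock_expiry.items() if now < exp)


# Constructed marker standing in for Fast Track detection; NOT a real signature.
DEMO_MARKER = b"FT-DEMO-HANDSHAKE"


def demo_is_fasttrack(pkt):
    return DEMO_MARKER in pkt.payload


# Constructed trace: host .10 browses, starts a client, keeps it running, stops it.
HTTP = b"GET / HTTP/1.0\r\n\r\n"
TRACE = [
    Packet(0.0,   "192.168.1.10", "203.0.113.5",  "tcp", 80,    HTTP),
    Packet(5.0,   "192.168.1.10", "198.51.100.7", "tcp", 40000, DEMO_MARKER + b"\x00"),
    Packet(10.0,  "192.168.1.10", "203.0.113.5",  "tcp", 80,    HTTP),          # locked
    Packet(10.0,  "192.168.1.20", "203.0.113.5",  "tcp", 80,    HTTP),          # other host
    Packet(60.0,  "192.168.1.10", "198.51.100.9", "udp", 40000, DEMO_MARKER),   # re-arms to 180
    Packet(150.0, "192.168.1.10", "203.0.113.5",  "tcp", 80,    HTTP),          # still locked
    Packet(181.0, "192.168.1.10", "203.0.113.5",  "tcp", 80,    HTTP),          # lock expired
]


def run_trace(trace=TRACE, **options):
    """Feed the trace through a fresh model; return (verdicts, events)."""
    fw = FtwallModel(demo_is_fasttrack, **options)
    verdicts = [fw.verdict(p) for p in trace]
    return verdicts, fw.events


if __name__ == "__main__":
    for pkt, v in zip(TRACE, run_trace()[0]):
        print(f"t={pkt.ts:6.1f} {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: {v}")
```

Running it with the defaults drops the host's ordinary HTTP at t=10 and t=150 because the UDP detection at t=60 pushed the lock out to t=180; `run_trace(block_udp=False)` lets the UDP packet itself through but still keeps the lock armed, and `run_trace(timelock=0)` drops only the matched packets. The re-arming is the point of the ``-t'' default: a client that keeps talking never gets a window, and the two-minute wait the DESCRIPTION mentions is measured from its last packet, not its first.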
LIMITATIONS
Ftwall requires Linux kernel version 2.4, equipped with ``iptables'' and the ``QUEUE'' target. The ``ip_string'' match module of iptables is desirable, but not required. Ftwall works with the ``current'' version of the Fast Track network protocol at the time of writing (July 2003). It is possible that it will need to be re-worked if the protocol is changed in the future. Ftwall does not block the ``SOCKS PROXY'' connection option of Fast Track. For a complete lock-down, the firewall must block this style of traffic separately.
OPTION DETAILS
-b number
        Set the socket buffer size (default: 32k). The size that can actually be used is limited by the system configuration value ``rmem_max''. This can be changed by writing to the file /proc/sys/net/core/rmem_max. If a ``-b size'' value is given that exceeds this limit, it is silently lowered by the operating system to stay in range.

-c directory
        Create a file in this directory when a green-network client is identified, and delete it again when the client vanishes. Note that this facility provides a current snapshot of the active Fast Track clients. For a historical log, use the ``-lc'' or ``-Lc'' options.

-f filename
        Set the name of the storefile (default: none). This option is NOT for use in production systems, but was added during the development process in order to test the logic with far larger than normal numbers of peer addresses.

-t number
        Set the number of seconds of timelock; 0 disables it. The default value is 120 seconds, which is about right for most installations.

-l what
        Set the events to log to syslog. ``what'' is one or more of the following event characters:

        u   Log all dropped UDP packets
        U   Log all accepted UDP packets
        t   Log all dropped TCP/IP packets
        T   Log all accepted TCP/IP packets
        c   Log the identification (and clearing) of FastTrack clients
            in the green (home) network.
        p   Log the identification of FastTrack peers in the public
            network.

        Example: ftwall -l pc

-L what
        Set the events to log to stderr. The same event characters are recognised as described for the ``-l'' option (above). Example: ftwall -L uU
IPTABLES RULES
The ``INSTALL'' document describes the iptables rules that you should configure in order to pass the relevant packets to ftwall for processing. ``Ftwall'' is very tightly tied to the correct iptables rules being used to pass it the traffic it requires: traffic that the rules do not queue to it is never seen by ftwall and so cannot be blocked by it. Errors in iptables rule building will cause its logic to fail.
LICENSE
``Ftwall'' is released under the terms of the ``GNU GENERAL PUBLIC LICENSE'' Version 2, June 1991. It comes with all the freedoms and disclaimers normally associated with that license.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
The ``lhash'' library is part of the ``OpenSSL'' project and is licensed as described in lhash/LICENSE.
This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/)
This product includes software written by Eric Young
(eay@cryptsoft.com). This product includes software written by Tim
Hudson (tjh@cryptsoft.com).
Note that (as stated in the GPL license), this software comes with NO WARRANTY whatsoever.
AUTHOR
Chris Lowth <chris@lowth.com>

Please don't mail the author directly about this software, unless it is to discuss project funding, direct involvement or alternative license terms. If you wish to discuss the use of this tool, or problems associated with it, please make use of the ``help'' forum, accessed via the project web site (see below).
PROJECT HOME PAGE
Ftwall is part of the ``p2pwall'' project, the home page of which can be found at http://p2pwall.sourceforge.net. The project includes some public discussion and support forums and an announcements mailing list. The latter is a ``low traffic'' list that is focused on announcing new releases or patches to the software, and will typically deliver no more than a couple of messages a month.
SUPPORTING THE PROJECT
The software is currently issued free of charge. If you find it useful, please consider helping me by using the www.lowth.com website as your gateway to Amazon.com and Amazon.co.uk when you buy books, music, computers etc. from them. This costs you nothing extra, but Amazon pay me a small commission on any purchases you make via this route. Please use the following links:

  * http://www.lowth.com/p2pwall/us-shop (for Amazon.com -- USA and Canadian purchases)
  * http://www.lowth.com/p2pwall/uk-shop (for Amazon.co.uk -- UK and European purchases)

If you are from another location, just choose the one nearest to you.