
	Links: { Chris Lowth's Home Page \| LinWiz \| TCP/IP Connection Cutter \| Protector }

P2Pwall's "FTwall" - 2.02 [Experimental]
Kazaa, WinMX (etc) Blocking with Linux

News: Read about version 1 of this software in the October 2003 Issue of the Linux Journal

Note: This page refers to the experimental version 2 of ftwall. For information and download of the stable version 1, click here

By Chris Lowth
Date 17th December 2003
Home http://p2pwall.sourceforge.net
Status In development / alpha testing

Names

"Ftwall" is short for "Fast Track traffic Firewall".
"Fast track" is the networking protocol used by Kazaa, KazaaLite, iMesh and Grokster.
"Ftwall" is part of the "p2pwall" project, which aims to provide similar mechanisms for other peer-to-peer file sharing protocols in future.
"P2pwall" is short for "Peer-to-peer traffic firewall".
Ftwall version 2 is also capable of blocking WinMX and OpenNAP - and in this, it's name is a historical misnoma.

License

"Ftwall" is released under the terms of the "GNU GENERAL PUBLIC LICENSE" Version 2, June 1991. It comes with all the freedoms and disclaimers normally associated with that license.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

The "lhash" library is part of the "OpenSSL" project and is licensed as described in lhash/LICENSE.

    This product includes software developed by the OpenSSL Project
    for use in the OpenSSL Toolkit (http://www.openssl.org/)

    This product includes software written by Eric Young
    (eay@cryptsoft.com).  This product includes software written by Tim
    Hudson (tjh@cryptsoft.com).

Description

Ftwall-2 is an updated version of the original ftwall-1 software which adds new P2p protocols to the set it can control.

Ftwall-2 is an add-on for linux firewalls that allows the control of "Fast Track" peer-to-peer traffic (such as is used by "Kazaa" and it's derivatives), WinMX and others using the OpenNAP protocol.

It is designed to block network traffic from P2P client applications running in the "home" (or "green") network from making access to any peers on the public internet. It is designed primarily for use in networks where the security reigme allows "open access" for outbound connections and "tightly limited" access for inbound ones. Ftwall-2 can be used in networks like this to prevent outbound P2P access from the supported protocols, hence restricting illegal file downloads and uploads.

A Fast track "home network" client that establishes an "outbound" connection is (worryingly) immediately available to accept inbound connections through the established TCP/IP socket - even if the gateway firewall blocks all in-bound connections via "normal" TCP/IP and UDP mechanisms. This is a kind of limited "tunnelling" and gives rise to a number of concerns. Other P2P applications and protocols present similar security challenges. Ftwall solves this (and other) problems for the protocols it understands.

Version 1 of ftwall controlled the Fast Track protocol only (Kazaa et al).

Version 2 of ftwall (the version discussed on this page) adds logic to allow blocking of traffic from WinMX and OpenNap clients using a mechanism based on DNS name wildcards. One simple example is the control of WinMX's native protocol which can be blocked by preventing access to IP addresses resolved from any domain name that ends "winmx.com". OpenNAP is similarly controlled using DNS wildcards to "train" ftwall. See the man page (etc) for these new features by following the links at the bottom of the page.

FTwall-2 runs on Linux-based firewalls using kernel 2.4 (tested with 2.4.20) or later and iptables (test with version 1.2.6). This combination of version numbers is the current set employed by RedHat 8.0 - which is the system on which the software has been developed. The software has also been tested briefly on RedHat 9 and Fedora - but I am awaiting more in-depth news of these and other Linux distributions.

FTwall-2 runs well on the "ipcop" firewall, version 1.3.0 (GPL) with the QUEUE target and string match modules added manually. I believe that it will similarly run on Smoothwall 2 (GPL) although I have not tested this. It will NOT run on Smoothwall 1.0 since this is an "ipchains" based firewall, not an "iptables" one.

P2P Client Software Versions

FTwall-2 has been tested with the following P2P client applications..

Product Versions tested
Kazaa 2.1.1, 2.5-beta2, 2.5.1
Kazaa Lite 2.0.2, K++ 2.4.3
iMesh 4.1 build 132, 4.2 build 138
Grokster 1.7
WinMX 3.31

Please communicate news of tests and results with other software or versions to the "Open discussion" forum - thanks.

What "Blocking" means to ftwall-2

Due to the complexities of the Fast-track protocol (the one that FTwall was originally designed to control); in order to effectively block out-bound Fast track access from "Home" network workstations, ftwall works by blocking ALL outbound connections from any workstations that run a Fast track client while the client is running. If a user starts "Kazaa", he will immediately find that his access to the internet is blocked by the firewall. Internet access will become available again a couple of minutes after closing the Kazaa client software.

Whilst this may appear to be "overkill" - it is actually required in order to allow one of Fast track's "connection modes" from finding a way through the firewall. The author believes that the total lock-out that the user will experience will not be seen as a "problem" to the network managers who are concerned to keep their organisations free from legal action resulting from employees (members, students - what ever) downloading copyrighted material. While this lock-out was not one of FTwall's prime objectives (but a necessary side-effect of the logic it employs), it has proved to be a popular feature of the software, and so has been carried forward into the new release's polisy for blocking the new protocols - WinMX and OpenNAP.

Users should note that "Ftwall" is intended to be a technical backup to formal security policies.

Limitations

Ftwall requires Linux kernel version 2.4, equipped with "iptables" and the "QUEUE" target. The "ip_string" match module of iptables is desirable, but not required.

Ftwall works with the "current" version of the Fast track, WinMX and OpenNAP network protocols at the time of writing (July 2004). It is possible that it will need to be re-worked if the protocols are changed in future.

Ftwall does not block the "SOCKS PROXY" connection option of FastTrack. For a complete lock-down, the firewall must block this style of traffic.

Status - Version 2

Version 2 of ftwall is available for Alpha testing and continued development. This means that it should be considered to be "bleeding edge" experimental software. I am keen to release copies to individuals or organisations who are willing and able to contribute to a successful testing phase, But you should not yet employ it in mission-critical networks.

Making a Donation

Please take a little time (1 to 2 minutes) to make a donation towards the continued development of this software if you download it and find it useful. You can make your donation through the well known and trusted "PayPal" service that is used by eBay (and others) for their payment system.

How much do you suggest that I donate?

If you are willing to make a donation, the sum you donate is down to you, but here are some suggestions (given in US dollars - although you can make your donation in any currency)..

Where you will be using ftwall Suggested donation
Personal / Family network 5 dollars
Charity or Church network Nothing
Educational establishment network (school, college, university, etc) 1 dollar for each workstations/PCs/Laptops connected to the network (suggested minimum: $10).
Public service network (hospital, library, etc) 2 dollars for each workstation/PC/Laptop connected to the network (suggested minimum: $10).
Business network or network provider 2 dollars per workstation/PC/Laptop in your network (suggested minimum: $100).

Please note that these figures are suggestions only - you are free to give more or less that these sums - as you see fit. But please do give the possibilty of donating something (anything) serious thought.

Note to developers / integrators

If you are taking the ftwall sources to include in a project of your own (or redistribute in any form - such as an RPM), then I ask that you refer your users to this site so that they too have the chance to make a donation.

How to make your donation

To make your donation - click on the PayPal button below. Note that; although the figures are quoted in US Dollars, you can make payments from bank accounts held in any country or currency. For those familiar with "eBay" - this is the same payment system that eBay uses - you should be on familar territory.

Downloading Version 2

Please read the GPL License and disclaimer HERE carefully before downloading this software.

IMPORTANT WARNING - PLEASE READ CAREFULLY
If this software is installed incorrectly, or contains "bugs" that cause it to malfunction (I do NOT promise you that it does not contain such "Bugs" or errors), then the security of the firewall on which it is installed may be compromised. The GPL license that grants you permission to use this software underlines the fact that it is supplied to you with NO WARRANTY what so ever - either expressed or implied. The ENTIRE risk of using the software is yours - including the costs of servicing, repair or correction. Because this point is so important to understand - I require you to signify your agreement to it before allowing you to download the software

Signify your agreement to the disclaimer contained in this license by entering your e-mail address in the box below and clicking the "submit" button. You will then be sent instructions on downloading a copy of the software and donating funds to the project. Please take care to get your e-mail address right.

News, Forums and Announcements

Please do NOT e-mail the author directly about this software unless..

you are offering to get involved with the development or testing of the project.
you are offering funding.
you are interested in alternative licenses.

(You will find my e-mail address by following the "Chris Lowth's home page" link at the top of this page).

For all other matters, please use the mailing list and forums..

Annoucements about new releases of this document and software (etc) will be made from time to time in the "comp.os.linux.announce" news group. Keep an eye on this group if you wish to be informed about updates etc.
You can also subscribe to the "p2pwall-announce@sourceforge.net" mailing list. That way you will receive p2pwall annoucements without having to check the news group.
Support and help on the use of this software can be obtained from "Help forum". Post here if you have problems getting it working, but please use the Open discussion forum (below) for requests for new features.
General open discussion (including requests for features and success stories) can be posted to the "Open discussion forum".

P2Pwall's "FTwall" - 2.02 [Experimental]Kazaa, WinMX (etc) Blocking with Linux