FTWALL - Fast Track Firewall for IPtables
-----------------------------------------

By:   Chris Lowth <chris@lowth.com>
Date: 24 June 2004
Home: http://www.lowth.com/p2pwall


-- NAME

"Ftwall" is short for "Fast Track Firewall".

"Fast track" is the networking protocol used by Kazaa, KazaaLite, iMesh
and Grokster.

"Ftwall" is part of the "p2pwall" project, which aims to provide similar
mechanisms for other peer-to-peer file sharing protocols in future.

"P2pwall" is short for "Peer-to-peer traffic firewall".


-- LICENSE

"Ftwall" is released under the terms of the "GNU GENERAL PUBLIC LICENSE"
Version 2, June 1991. It comes with all the freedoms and disclaimers
normally associated with that license.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

The "lhash" library is part of the "OpenSSL" project and is licensed
as described in lhash/LICENSE.

    This product includes software developed by the OpenSSL Project
    for use in the OpenSSL Toolkit (http://www.openssl.org/)

    This product includes software written by Eric Young
    (eay@cryptsoft.com).  This product includes software written by Tim
    Hudson (tjh@cryptsoft.com).


-- DESCRIPTION

"Ftwall" is a program for Linux firewalls that allows the control of
network traffic from "Fast Track" peer-to-peer clients like "Kazaa" and
its derivatives.

It is designed to block network traffic from Fast track client
applications running in the "home" (or "green") network from making
access to any peers on the public internet. It is ideal for use in
networks where the security paradigm is "open access" for outbound
connections and "tightly limited" access for inbound ones. Ftwall can be
used in such a network to prevent outbound Fast Track access, hence
preventing illegal file downloads and uploads.

Anyone familiar with the technical problems associated with controlling
Fast track clients will be aware that a "home" client that establishes
an "outbound" connection is immediately available to accept inbound
connections through the established TCP/IP socket - even if the gateway
firewall blocks all in-bound connections via "normal" TCP/IP and UDP
mechanisms. This is a kind of limited "tunnelling". Ftwall solves this
(and other) problems.

"Ftwall" runs on Linux-based firewalls using kernel 2.4 (tested with
2.4.20) or later and iptables (tested with version 1.2.6). This
combination of version numbers is the current set employed by RedHat 8.0
- which is the system on which the software has been developed.

ftwall runs well on the "ipcop" firewall, version 1.3.0 (GPL). I believe
that it will run on Smoothwall 2 (GPL) although I have not tested this.
It will NOT run on Smoothwall 1.0 since this is an "ipchains" based
firewall, not an "iptables" one.

The home web site contains (or: will contain) documents that describe
the reasons why a new program is required in order to allow "iptables"
to block Fast Track - and may even suggest some alternative approaches
(in time).

Full details of the clients which have been tested with this software
can be found on the p2pwall web site.


-- WHAT "BLOCKING" MEANS TO FTWALL

Due to the complexities of the Fast Track protocol, in order to
effectively block out-bound Fast Track access from "home" network
workstations, ftwall works by blocking ALL outbound connections from
any workstations that run a Fast track client while the client is
running. If a user starts "Kazaa", he will immediately find that his
access to the internet is blocked by the firewall. Internet access will
become available again a couple of minutes after closing the Kazaa
client software.

Whilst this may appear to be "overkill", it is required in order to
prevent one of Fast Track's "connection modes" from finding a way through
the firewall. The author believes that the total lock-out that the user
will experience will not be seen as a "problem" to the network managers
who are concerned to keep their organisations free from legal action
resulting from employees (members, students - what ever) downloading
copyrighted material.

"Ftwall" is intended to be a technical backup to formal security
policies.
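
The host-level lock-out described above, as an added illustration (not
ftwall's own code): a small simulation that tracks the last Fast Track
sighting per workstation, keeps ALL of that host's outbound traffic
blocked while sightings continue, and releases the host once a grace
period has passed. The 120-second grace period, the FORWARD-chain DROP
rule shape and the event timeline are assumptions for the example.

```python
"""Simulation of ftwall-style per-host blocking with a release timeout.

Added example, not ftwall code. Assumed: 120 s stands in for "a couple of
minutes"; the firewall rule is a FORWARD-chain DROP on the source address.
"""

GRACE_SECONDS = 120  # assumed value for "a couple of minutes"


class FastTrackQuarantine:
    def __init__(self, grace=GRACE_SECONDS):
        self.grace = grace
        self.last_seen = {}  # host -> timestamp of last Fast Track sighting

    def note_detection(self, host, now):
        """Record that a packet from `host` was classified as Fast Track."""
        self.last_seen[host] = now

    def is_blocked(self, host, now):
        """Outbound traffic from `host` stays blocked within the grace period."""
        seen = self.last_seen.get(host)
        return seen is not None and now - seen < self.grace

    def expire(self, now):
        """Forget hosts whose grace period elapsed; return them for rule removal."""
        released = [h for h, t in self.last_seen.items() if now - t >= self.grace]
        for host in released:
            del self.last_seen[host]
        return released


def iptables_rule(host, action):
    # "-I" inserts the per-host drop rule, "-D" deletes it again
    return f"iptables {action} FORWARD -s {host} -j DROP"


def replay(events, grace=GRACE_SECONDS):
    """Replay (timestamp, host) events (host=None is a timer tick).

    Returns the firewall commands that would be issued, in order."""
    quarantine = FastTrackQuarantine(grace)
    commands = []
    for ts, host in events:
        for released in quarantine.expire(ts):  # release hosts first
            commands.append(iptables_rule(released, "-D"))
        if host is not None:
            if not quarantine.is_blocked(host, ts):
                commands.append(iptables_rule(host, "-I"))
            quarantine.note_detection(host, ts)
    return commands


# Constructed timeline: two workstations on the "green" network.
EVENTS = [
    (0, "192.168.1.10"),    # Kazaa starts on .10: immediate lock-out
    (30, "192.168.1.10"),   # still running, no new rule needed
    (60, "192.168.1.20"),   # second workstation starts a client
    (100, None),            # timer tick, nothing released yet
    (200, None),            # both hosts past the grace period: released
    (250, "192.168.1.10"),  # .10 restarts the client: locked out again
]

if __name__ == "__main__":
    for cmd in replay(EVENTS):
        print(cmd)
```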


-- LIMITATIONS

Ftwall requires Linux kernel version 2.4, equipped with "iptables" and
the "QUEUE" target. The "ip_string" match module of iptables is
desirable, but not required.

Ftwall works with the "current" version of the Fast track network
protocol at the time of writing (July 2003). It is possible that it will
need to be re-worked if the protocol is changed in future.

Ftwall does not block Fast Track traffic transmitted via a SOCKS Proxy.
For full fast-track protection you should configure your firewall to
block SOCKS proxy traffic as well. At the time of writing, the p2pwall
project does not include a HOWTO on SOCKS Proxy traffic control, but
check the web site from time to time since one may appear there soon.


-- STATUS

Version 1.00 of "ftwall" was the first version to be released for public
use. The author has been working on this software for a couple of months
and has tested it in a limited number of networks to which he has ready
access.

Later versions contain fixes and enhancements - see the HISTORY file for
fuller details.

You should currently treat this software as "experimental" - and report
the results of any trials you carry out to the "open discussion" forum
accessed through the web site.


-- SUPPORTING THE PROJECT

If you find this software useful, please consider making a donation via
"PayPal" (http://www.lowth.com/p2pwall/donate) or using the author's
home page as your gateway to Amazon.com or Amazon.co.uk when buying
books, music, electronics, toys, computer software etc on line. This
costs you nothing extra, but the author gets a small commission on
anything you purchase in this way. The URLs to use are:

	http://www.lowth.com/p2pwall/us-shop  (For USA and Canada)
	http://www.lowth.com/p2pwall/uk-shop  (For UK and Europe)

Simply choose the one nearest to where you live or work. Thanks.
