FTwall is short for Fast Track traffic Firewall: a P2P traffic filtering script for blocking Kazaa.
Ftwall-2 is an updated version of the original ftwall-1 software which adds new P2P protocols to the set it can control.
Ftwall-2 is an add-on for Linux firewalls that allows the control of "Fast Track" peer-to-peer traffic (such as is used by "Kazaa" and its derivatives), WinMX and others using the OpenNAP protocol.
It is designed to block network traffic from P2P client applications running in the "home" (or "green") network from reaching any peers on the public internet. It is designed primarily for use in networks where the security regime allows "open access" for outbound connections and "tightly limited" access for inbound ones. Ftwall-2 can be used in networks like this to prevent outbound P2P access for the supported protocols, hence restricting illegal file downloads and uploads.
A Fast Track "home network" client that establishes an "outbound" connection is (worryingly) immediately available to accept inbound connections through the established TCP/IP socket - even if the gateway firewall blocks all in-bound connections via "normal" TCP/IP and UDP mechanisms. In effect the outbound session becomes a limited "tunnel" into the protected network, which gives rise to a number of concerns. Other P2P applications and protocols present similar security challenges. Ftwall solves this (and other) problems for the protocols it understands.
Version 1 of ftwall controlled the Fast Track protocol only (Kazaa et al).
Version 2 of ftwall (the version discussed on this page) adds logic to allow blocking of traffic from WinMX and OpenNAP clients using a mechanism based on DNS name wildcards. One simple example is the control of WinMX's native protocol, which can be blocked by preventing access to IP addresses resolved from any domain name that ends "winmx.com". OpenNAP is similarly controlled using DNS wildcards to "train" ftwall. See the man page and the other documentation for these new features by following the links at the bottom of the page.
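The DNS-wildcard "training" idea above in miniature, as an added example (not ftwall's own code): DNS answers seen by home-network clients are matched against configured wildcards, the resolved addresses go into a block set, and iptables DROP rules are generated for them. The sample answers, the wildcard list and the "eth1" interface name are constructed for the example; it also tightens the match to label boundaries so a look-alike such as "notwinmx.com" is not caught, and it only generates rule text rather than driving iptables or the QUEUE target as ftwall does.

```python
import ipaddress

# Constructed wildcard list; the second entry is a hypothetical OpenNAP host.
WILDCARDS = ["*.winmx.com", "*.opennap.example"]

# Constructed DNS answers in a "name type rdata" line format (not a real log).
SAMPLE_ANSWERS = """\
c1.winmx.com A 10.1.2.3
c1.winmx.com A 10.1.2.4
notwinmx.com A 10.9.9.9
server.opennap.example A 10.5.5.5
mail.winmx.com MX 10 mx.winmx.com
www.example.org A 10.7.7.7
"""


def name_matches(name: str, wildcard: str) -> bool:
    """Match on label boundaries: '*.winmx.com' covers winmx.com and every
    subdomain of it, but not the look-alike 'notwinmx.com'."""
    name = name.rstrip(".").lower()
    suffix = wildcard.lstrip("*").lstrip(".").lower()
    return name == suffix or name.endswith("." + suffix)


def train(answers: str, wildcards=WILDCARDS) -> set:
    """Return the set of IPv4 addresses resolved from any wildcard-matched name."""
    blocked = set()
    for line in answers.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "A":
            continue  # only A records carry an address the firewall can block
        name, addr = parts[0], parts[2]
        try:
            ipaddress.IPv4Address(addr)  # skip malformed rdata
        except ValueError:
            continue
        if any(name_matches(name, w) for w in wildcards):
            blocked.add(addr)
    return blocked


def iptables_rules(blocked, lan_if="eth1") -> list:
    """Rule text for dropping outbound traffic from the green interface to
    each blocked peer; applying it needs root and is outside this example."""
    ordered = sorted(blocked, key=ipaddress.IPv4Address)
    return [f"iptables -A FORWARD -i {lan_if} -d {ip} -j DROP" for ip in ordered]
```

Because blocking is keyed on resolved addresses, the block set only grows as clients resolve matching names; a client with a hard-coded peer list never triggers a DNS answer, which is why the page pairs this mechanism with the protocol-level Fast Track filtering.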
FTwall-2 runs on Linux-based firewalls using kernel 2.4 (tested with 2.4.20) or later and iptables (tested with version 1.2.6). This combination of version numbers is the current set employed by RedHat 8.0 - which is the system on which the software has been developed. The software has also been tested briefly on RedHat 9 and Fedora - but I am awaiting more in-depth news of these and other Linux distributions.
FTwall-2 runs well on the "ipcop" firewall, version 1.3.0 (GPL) with the QUEUE target and string match modules added manually. I believe that it will similarly run on Smoothwall 2 (GPL) although I have not tested this. It will NOT run on Smoothwall 1.0 since this is an "ipchains" based firewall, not an "iptables" one.
FTwall-2 has been tested with the following P2P client applications:
Kazaa 2.1.1, 2.5-beta2, 2.5.1
Kazaa Lite 2.0.2, K++ 2.4.3
iMesh 4.1 build 132, 4.2 build 138
· Ftwall requires Linux kernel version 2.4, equipped with "iptables" and the "QUEUE" target. The "ip_string" match module of iptables is desirable, but not required.
· Ftwall works with the "current" version of the Fast Track, WinMX and OpenNAP network protocols at the time of writing (July 2004). It is possible that it will need to be re-worked if the protocols are changed in future.
· Ftwall does not block the "SOCKS PROXY" connection option of FastTrack. For a complete lock-down, the firewall must block this style of traffic as well.