Freenet 0.5 is now in maintenance mode. Freenet 0.6 is deprecated. All major development is occurring on 0.7. Fred 0.5 ======== "It's kind of a mix of Usenet, the Web, and a RAID disk system, all fudged up into a super-crypto wet dream" - The PigDog Journal 1. Blame -------- 1.1 People ---------- Many people have contributed to the current codebase and it is impossible to list all of them, but those most likely to complain if they aren't included here are: Ian Clarke - Project Founder, Coordinator, and Egomaniac Tavin Cole - Core Developer and Probable NSA Mole Gianni Johansson - Core Developer and Womanizer Scott Miller - Crypto Guru and Alcohol Lightweight Matthew Toseland - Core Developer and Project Amphibian Oskar Sandberg - Core Developer and Project Grouch 1.2 Copyright ------------- (c) Copyright 1999-2002 The Freenet Project Inc Released under the GNU Public License Version 2. 2. Introduction --------------- Fred (FREenet Daemon) is the reference Java implementation of the Freenet Protocol. Freenet is an architecture designed to permit true freedom of communication over the Internet. The system is designed to be used in conjunction with one or more Freenet clients, and depending on the client, can look like the World Wide Web, a Usenet server, or a file-sharing application. FProxy, a web interface to Freenet, is included. See http://freenetproject.org/ for more information (and source code if you don't have it already). This software was brought to you by the letter P, and several randomly chosen large prime numbers. 3. Running Freenet ---------------- 3.1 Requirements ---------------- Freenet requires a Java Runtime Environment to be installed prior to use. Due to bugs in the current release version of Kaffe, and IBM's Java Runtime Environment, we strongly suggest that you use the latest version of Sun's Java Runtime Environment for your platform (see http://java.sun.com/). If you want to use fproxy, we STRONGLY recommend you use a web browser that doesn't ignore MIME types... Firefox and Konqueror are OK, Internet Explorer will seriously jeopardize your anonymity. Freenet also requires that your system clock is within a few minutes of the actual time. ---------------------------- 3.1.1 Dealing with firewalls ---------------------------- For a Freenet node to work correctly, other Freenet nodes must be able to open connections to it, and normally NATs or Firewalls will prevent this. If you are behind a NAT or firewall you must do several things: 1) When Freenet asks you for your computer's IP address (ie. the ipAddress setting in the freenet.conf file), you should give the external address of your NAT or firewall. This will be under "expert" because freenet can now auto-detect the IP address of most non-firewalled nodes. 2) After you have completed the steps in section 3.2, you should check the listenPort setting in your freenet.conf file. 3) Configure your NAT or firewall to forward incoming TCP connections on this port to your computer (see your NAT or firewall's manual for instructions on how to do this). 3.2 Starting Freenet -------------------- On *NIX Type: > sh start-freenet.sh To run Freenet. The first time you run it it will ask you some questions to create a configuration file (freenet.conf). You can edit this manually later if you need to, but generally you shouldn't change anything unless you know what you are doing. FIXME: And on MS? 3.3 Accessing Freenet via FProxy -------------------------------- You can look at some websites in Freenet by visiting http://localhost:8888/ in your web browser. You can also find interesting information about what your node is doing there. Please read the SECURITY CAUTIONS below BEFORE using a Web Browser with Freenet! SETTING UP A BROWSER FOR BEST PERFORMANCE ---Mozilla and Gecko Based Browsers (ie. Firefox): Many browsers limit the number of simultaneous connections to something far too low for efficiently browsing Freenet (since Freenet pages often have much higher latency than web pages). This can usually be reconfigured. For example, for Mozilla post-1.3, go to about:config, and change the following settings: network.http.max-connections 200 network.http.max-connections-per-server 100 network.http.max-persistent-connections-per-server 10 network.http.max-persistent-connections-per-proxy 50 For Mozilla prior to 1.3: create a file with the following contents called user.js in the directory with prefs.js, or append to an existing user.js: user_pref("network.http.max-connections", 200); user_pref("network.http.max-connections-per-server", 100); user_pref("network.http.max-persistent-connections-per-server", 10); user_pref("network.http.max-persistent-connections-per-proxy", 50); Note that these settings will cause mozilla to use more connections for all your browsing, which may not be desirable from a network congestion point of view; volunteers to make mozilla allow this sort of settings to be set per host would be welcome... ---Opera Browser Go to File/Preferences/Network - set 'Max connections to a server' to 20, 32 or 64, if you find you are getting 'could not connect to server' warnings adjust your setting one step down. - set 'Max total connections' to one setting higher than max connections, this will allow Freenet to use all connections available to it without interfering with web browsing ie. if Max to server is 32 then Max total should be 64. Note that these settings will cause Opera to use more connections for all your browsing, which may not be desirable from a network congestion point of view. SECURITY CAUTIONS ---Mozilla and other Gecko-based browsers (i.e., Netscape, Firefox and possibly Galeon and a few others): The following is VERY IMPORTANT: Mozilla has three features, GoBrowsing, Prefetching, and Safebrowsing, which may DESTROY YOUR ANONYMITY. GoBrowsing feeds failed queries into a search engine (Google seems to be the default), so when enter the URL of a freesite with a small typo, what you typed will be leaked to the internet. Prefetching loads pages in the background before you click on them. Malicious freesite authors may abuse this feature to find out who is reading their sites (sort of a web bug). Safebrowsing communicates with a so-called provider (once again, Google seems to be the default) to detect whether a web page was set up by phishers or other malicious entities. However, during this process details about the page contents may be transmitted to the provider. To deactivate these features, follow these instructions (instructions for older Mozilla type browsers below): Type "about:config" into the URL location box of your browser. You get a list of editable preferences. You must set these three pereferences to "false": * keyword.enabled * network.prefetch-next * browser.safebrowsing.enabled Follow these instructions for older Mozilla type browsers: If you can't find the configuration variables for Preloading and Safebrowsing (network.prefetch-next and browser.safebrowsing.enabled, respectively), these features are probably not supported by your browser and therefore do not pose a threat. But don't forget to switch them off once you update your browser. If you can't find the keyword.enabled configuration variable that's because it is named differently in older browsers. Set the following variable to false instead: * browser.goBrowsing.enabled Mozilla prior to 1.3 does not support in-browser configuration editing. Instead, create a file with the following contents called user.js in the same directory with prefs.js, or append to an existing user.js: user_pref("browser.goBrowsing.enabled", false); ---Microsoft Internet Explorer: Internet Explorer (all versions, we think) has a totally different ANONYMITY-DESTROYING BEHAVIOUR (not respecting MIME types), and also some problems with auto-detecting UTF16 even when we tell it in the headers to use some other charset). Internet Explorer is NOT recommended for anonymous browsing. ---Opera Browser: Opera's default behaviour is similar to Internet Explorer's and can compromise anonymity. Opera users MUST change the following setting to change this ANONYMITY-DESTROYING BEHAVIOUR: Go to File/Preferences/File types - Click on 'Determine action by MIME type ---All Browsers: It is possible that the anonymity filter can be circumvented by other means, so if you care about your anonymity while browsing Freenet: a) Don't use Internet Explorer and setup Opera properly, see above. b) Turn off javascript, java, active scripting, and any other scripting your browser supports. c) Set your browser to only load images, frames, etc from the server that originated the web page d) Be extra paranoid! Keep your browser up to date etc. Extreme measures include browser proxies that block everything except localhost:8888 HTTP, encrypted disk partitions or virtual disks, and so on. e) Set in your config file: mainport.params.servlet.1.params.filterParanoidStringCheck=true mainport.params.servlet.7.params.sfFilterParanoidStringCheck=true f) Consider using your operating system's security features to sandbox your Freenet browsing. For example, on Linux, you can (after setting httpInserts=false and fcpInserts=false in your freenet.conf) create a user specifically for browsing freenet, only use that user to browse freenet, and type the following lines to prevent that user from accessing the regular internet (assuming the safe user, which must not be the user running the node, is called "freenet"): # Accept TCP packets destined for local ports 8888 and 8481. iptables -A OUTPUT -d localhost -p tcp --dport 8888 -m owner --uid-owner freenet -j ACCEPT iptables -A OUTPUT -d localhost -p tcp --dport 8481 -m owner --uid-owner freenet -j ACCEPT # Drop everything else. iptables -A OUTPUT -m owner --uid-owner freenet -j DROP Your kernel must be configured with these options: CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_MATCH_OWNER CONFIG_IP_NF_FILTER Verify that the filter rules have been added: $ iptables -L OUTPUT Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere localhost OWNER UID match freenet tcp dpt:8888 ACCEPT tcp -- anywhere localhost OWNER UID match freenet tcp dpt:8481 DROP all -- anywhere anywhere OWNER UID match freenet g) If you are accessing files that will get you into serious trouble, consider using something simpler than a web browser to access Freenet... or better yet, DON'T DO IT! This is still beta software, it probably has more bugs. Having said that, millions of people access questionable content through much less secure systems than Freenet. Use your common sense. You can't conceal the fact that you are running a freenet node from a determined attacker, because of the way Freenet works (path shortening - for more details visit our web site). However short of compromising your computer, other expensive forms of surveillance, you doing something stupid, or more bugs, it should be very difficult for them to find out _what_ you browse (or publish) on Freenet. What you want to prevent (in parts a,b,c) is freesites accessing the Real Internet, and giving away the combination of your IP address along and the fact that you visited a given freesite or downloaded (or uploaded) a specific file. This is called a Web Bug, and the simplest form is an image in a freesite loaded from somewhere on the real web - this gives away your IP address, and the page you are browsing (if the attacker is clever, or you have Referer: turned on), to the server the image is downloaded from. Fproxy (freenet's web interface) contains code ("the anonymity filter") to try to warn about or remove such things, but there could always be bugs in freenet or in your web browser that would let something through. You can of course reduce the likelihood of this by turning off images support in your browser. The following formats are known to be able to carry data that could compromise your anonymity (but there are no doubt many more that can do this): * RealPlayer * Windows Media Player * MP3s (some id3 tags cause winamp to open web sites and thus compromise your anonymity). * HTML and CSS, of course, hence the filter. Finally, you should disable your browser cache AND set the option mainport.params.servlet.1.params.noCache=true in your config file (to tell freenet to send no-cache directives to the browser). FILTER ISSUES FOR CONTENT AUTHORS --------------------------------- Things to bear in mind when inserting HTML content/freesites: * The new filter is VERY fussy about quote marks. Something like: <img src="something.png" width="95" height="32" alt="grey cat" align="left" "hspace="5"> or <IMG SRC="../../../Blah/2//issue.png"" ALT="Issue 2" WIDTH=95 HEIGHT=32> will confuse it... this is partly because the HTML 4.01 spec seems to imply that <> characters are allowed in strings inside tags. This should not be a problem using GUI tools; it is however a problem if you write the HTML directly. * Charsets. If you want to insert a file with a charset other than the default iso-8859-1, tell your insertion tool to use the new charset in the mime type, for example "text/html;charset=UTF16". The META tag to set the mime type is NOT supported. Neither is the UTF16 byte order mark. * All unrecognized HTML tags are removed by fproxy, for security reasons. JVM ISSUES ---------- FIXME: This information is probably out of date. There are issues with lots of JVMs. * RedHat 9.0 and other distributions having Native Posix Threads are _very_ unstable. That's why the startup script has been modified to disable NPTL on Redhat; if you are using different distribution and you know or suspect that it is with NPTL, try seting LD_ASSUME_KERNEL=2.2.5. If this causes Freenet to fail to load with a library error, try 2.4.1, but 2.4.1 will not work with the 1.4.2 JRE at the time of writing. Hence, Gentoo requires the JRE to be Sun 1.4.1, not 1.4.2. :< * Beta versions of Sun 1.4 don't work; 1.4.1r01 seems to work OK; 1.4.0 won't work due to significant changes to NIO made between 1.4.0 and 1.4.1 * Even under the Sun JVM, we have numerous reports of the -server VM causing wierd crashes. It has therefore been disabled in start-freenet.sh. * Sun-derived JDKs (Sun, Blackdown, IBM etc) prior to 1.4 do not work. * There are reports of exceptions on Blackdown that don't occur on Sun. * Kaffe 1.0.6 and prior do not work at all. * Kaffe 1.1 (possibly from CVS) will probably work, although it has a few issues: * Automatic detection of IP addresses is only done once at startup, so if your IP address changes often, you will need to restart your node often. * Mysteriously long delays acquiring locks and in other parts of the code that can make the node think it is overloaded. * If you use Kaffe to run it, and you are not just using the provided JARs, which _will_ work with Kaffe, you need a compiler. Jikes 1.14 works. Jikes 1.15 and 1.16 at least don't work. Recent Jikes 1.18 CVS seems to work. * If you run on MacOS/X, there is a default file descriptor limit of 256. So Freenet uses a default connection limit of 128 if OS/X is detected, as it uses fds for many things other than connections). You will probably be able to raise the limit with the command ulimit -n 1024, and then set maxNodeConnections=512 explicitly in the config file. Most other unix(tm) derived systems have a default limit of 1024, so they are ok for the default configuration. For a large node, you may want to increase this value as well, however. TWEAKING -------- 1. How To Speed Up Large Splitfiles ----------------------------------- FIXME: This is done automatically on at least some architectures, is it not? You can speed up splitfiles (FEC encoded splitfiles, the default), by using native compiled FEC libraries. Details are at this URL: http://freenet.googlecode.com/svn/branches/legacy/contrib/fecimpl/onion/README (that is fecimpl/onion/README in the freenet contrib SVN module). The info on Native FEC support on the Nubile freesite (edition 11) is completly obsolete. The zip file that the readme refers to is in SVN (in the contrib module, *not* the main freenet module). You can access it on the web here: http://freenet.googlecode.com/svn/branches/legacy/contrib/fecimpl/onion/alien/fec-1.0.3.zip (Do a "Save link as..." on the "(download)" link from your browser.) I didn't deploy native FEC support by default because I didn't want to deal with the per platform configuration issues. The instructions in the file given above are geared toward people who already know about JNI libraries. If someone out there wants to write per platform (*nix, Windows) end user install doc, suitable for inclusion in the generic Freenet README, that would be a valuable contribution to the project. -- gj 4. Attributions ---------------- Special thanks to Justin Chapweske and Onion Networks (www.onionnetworks.com) for making their Java Forward Error Correction (FEC) library available under an open license. Here's the text of the Onion license that is embedded in freenet-ext.jar with the FEC plugin implementation: /* * Java Forward Error Correction Library * Copyright (C) 2001 Onion Networks * Copyright (C) 2000 OpenCola * * Portions derived from code by Luigi Rizzo: * fec.c -- forward error correction based on Vandermonde matrices * 980624 * (C) 1997-98 Luigi Rizzo (luigi@iet.unipi.it) * * Portions derived from code by Phil Karn (karn@ka9q.ampr.org), * Robert Morelos-Zaragoza (robert@spectra.eng.hawaii.edu) and Hari * Thirumoorthy (harit@spectra.eng.hawaii.edu), Aug 1995 * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials * provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY * OF SUCH DAMAGE. */