FORUMS
Remove All Ads from XDA

Any help rooting or unlocking bootloader on the incredibly unpopular Blu Life One X3?

11 posts
Thanks Meter: 0
 
By Xiione, Junior Member on 6th July 2018, 04:59 AM
Post Reply Email Thread
16th May 2019, 08:38 AM |#81  
Member
Thanks Meter: 9
 
More
I have 4 AFWall+ firewall profiles:
Default: Just loads the IPTables that came with AFWall+. I use this for troubleshooting connections when the other profiles don't work for some reason (usually because I've messed up the script).

Basic: Basic communications, blocks all of Google (except for 8.8.8.8, which is needed at the moment for Nebulo DNS-over-HTTPS / DNS-over-TLS functionality, since Nebulo sets its dummy IP address to 8.8.8.8). This is the profile I use most.

Google: Basic communications and allows Google. I use this on the rare occasion when I check Google Play Store for updates. Usually I use G-Droid.

Lockdown: All packets incoming and outgoing are dropped. I use this to catch connection attempts without transiting any data.

NOTE: Do remember that you have to save these files with Unix line-ending, so Notepad isn't going to work. I use TextPad.

My firewall rules, bluwall_basic.sh:
Code:
# This file is placed in /data/local/ as bluwall_basic.sh
# In AFWall+, under 'Set custom script', enter: . /data/local/bluwall_basic.sh

# NECESSARY AT THE TOP OF EACH SCRIPT!
IP6=/system/bin/ip6tables
IP4=/system/bin/iptables

# NOTE: NEVER FLUSH THE OUTPUT CHAIN, USE "afwall" AS THE OUTPUT CHAIN INSTEAD

# Flush/Purge all rules except OUTPUT
$IP4 -w -F INPUT
$IP4 -w -F FORWARD
$IP4 -t nat -F
$IP4 -t mangle -F
$IP6 -w -F INPUT
$IP6 -w -F FORWARD
$IP6 -t mangle -F

# Default end-of-chain policy
$IP4 -P INPUT DROP
$IP4 -P FORWARD DROP
$IP4 -P OUTPUT DROP
$IP6 -P INPUT DROP
$IP6 -P FORWARD DROP
$IP6 -P OUTPUT DROP

# Block incoming ICMP Echo (PING) requests
$IP4 -A INPUT -p icmp --icmp-type 8 -j DROP
$IP6 -A INPUT -p icmpv6 --icmpv6-type 128 -j DROP

# Drop Multicast addresses 
$IP4 -A INPUT -s 224.0.0.0/4 -j DROP
$IP4 -A INPUT -d 224.0.0.0/4 -j DROP
$IP4 -A INPUT -s 240.0.0.0/5 -j DROP
$IP4 -A INPUT -d 240.0.0.0/5 -j DROP
$IP4 -A INPUT -s 0.0.0.0/8 -j DROP
$IP4 -A INPUT -d 0.0.0.0/8 -j DROP
$IP4 -A INPUT -d 239.255.255.0/24 -j DROP
$IP4 -A INPUT -d 255.255.255.255 -j DROP

# FIN ACK / RST ACK LEAK FIX:
$IP4 -A OUTPUT -m conntrack --ctstate INVALID -j DROP
$IP4 -A OUTPUT -m state --state INVALID -j DROP

# Allow loopback communication (necessary on IPv6)
$IP6 -I INPUT -i lo -j ACCEPT
$IP6 -I OUTPUT -o lo -j ACCEPT

# Block all IPv6 via IPv4 communication (for native IPv6 connections only)
# This must be done in the IPv4 table
$IP4 -A INPUT -p 41 -j DROP
$IP4 -A FORWARD -p 41 -j DROP

# Google connectivity check
# ---------------
$IP4 -A INPUT -m string --string "connectivitycheck.gstatic.com" --algo kmp -j REJECT
$IP4 -A "afwall" -m string --string "connectivitycheck.gstatic.com" --algo kmp -j REJECT

$IP6 -A INPUT -m string --string "connectivitycheck.gstatic.com" --algo kmp -j REJECT
$IP6 -A "afwall" -m string --string "connectivitycheck.gstatic.com" --algo kmp -j REJECT
# ---------------

# ******** DO NOT CHANGE ANYTHING ABOVE THIS LINE ********

#PODCAST CARVE-OUT
# Find the UID of your podcast app, and put it behind --uid-owner
# It's injected (-I) at the top of the INPUT and afwall iptables for IPv4 and IPv6.
# ---------------
# Podcast Addict
$IP4 -I INPUT -m owner --uid-owner 10022 -j ACCEPT
$IP4 -I "afwall" -m owner --uid-owner 10022 -j ACCEPT
$IP6 -I INPUT -m owner --uid-owner 10022 -j ACCEPT
$IP6 -I "afwall" -m owner --uid-owner 10022 -j ACCEPT
# ---------------

# THE ENTRIES BELOW SHOULD BE THE SAME IN BLUWALL_DEFAULT.SH AND BLUWALL_LOCKDOWN.SH

# Google
# ---------------
# 8.8.4.4 DNS SERVER
$IP4 -A INPUT -s 8.8.4.4/32 -j REJECT
$IP4 -A "afwall" -d 8.8.4.4/32 -j REJECT

# 8.8.8.8 DNS SERVER
# COMMENTED OUT FOR NEBULO FUNCTIONALITY
#$IP4 -A INPUT -s 8.8.8.8/32 -j REJECT
#$IP4 -A "afwall" -d 8.8.8.8/32 -j REJECT

# 35.184.0.0 - 35.191.255.255
$IP4 -A INPUT -s 35.184.0.0/13 -j REJECT
$IP4 -A "afwall" -d 35.184.0.0/13 -j REJECT

# 64.233.160.0 - 64.233.191.255
$IP4 -A INPUT -s 64.233.160.0/19 -j REJECT
$IP4 -A "afwall" -d 64.233.160.0/19 -j REJECT

# 66.102.0.0 - 66.102.15.255
$IP4 -A INPUT -s 66.102.0.0/20 -j REJECT
$IP4 -A "afwall" -d 66.102.0.0/20 -j REJECT

# 66.249.80.0 - 66.249.95.255
$IP4 -A INPUT -s 66.249.80.0/20 -j REJECT
$IP4 -A "afwall" -d 66.249.80.0/20 -j REJECT

# 72.14.192.0 - 72.14.255.255
$IP4 -A INPUT -s 72.14.192.0/18 -j REJECT
$IP4 -A "afwall" -d 72.14.192.0/18 -j REJECT

# 74.125.0.0 - 74.125.255.255
$IP4 -A INPUT -s 74.125.0.0/16 -j REJECT
$IP4 -A "afwall" -d 74.125.0.0/16 -j REJECT

# 108.177.8.0 - 108.177.15.255
$IP4 -A INPUT -s 108.177.8.0/21 -j REJECT
$IP4 -A "afwall" -d 108.177.8.0/21 -j REJECT

# 108.177.96.0 - 108.177.127.255
$IP4 -A INPUT -s 108.177.96.0/19 -j REJECT
$IP4 -A "afwall" -d 108.177.96.0/19 -j REJECT

# 130.211.0.0 - 130.211.3.255
$IP4 -A INPUT -s 130.211.0.0/22 -j REJECT
$IP4 -A "afwall" -d 130.211.0.0/22 -j REJECT

# 172.217.0.0 - 172.217.31.255
$IP4 -A INPUT -s 172.217.0.0/19 -j REJECT
$IP4 -A "afwall" -d 172.217.0.0/19 -j REJECT

# 172.217.32.0 - 172.217.47.255
$IP4 -A INPUT -s 172.217.32.0/20 -j REJECT
$IP4 -A "afwall" -d 172.217.32.0/20 -j REJECT

# 172.217.128.0 - 172.217.159.255
$IP4 -A INPUT -s 172.217.128.0/19 -j REJECT
$IP4 -A "afwall" -d 172.217.128.0/19 -j REJECT

# 172.217.160.0 - 172.217.175.255
$IP4 -A INPUT -s 172.217.160.0/20 -j REJECT
$IP4 -A "afwall" -d 172.217.160.0/20 -j REJECT

# 172.217.192.0 - 172.217.223.255
$IP4 -A INPUT -s 172.217.192.0/19 -j REJECT
$IP4 -A "afwall" -d 172.217.192.0/19 -j REJECT

# 173.194.0.0 - 173.194.255.255
$IP4 -A INPUT -s 173.194.0.0/16 -j REJECT
$IP4 -A "afwall" -d 173.194.0.0/16 -j REJECT

# 209.85.128.0 - 209.85.255.255
$IP4 -A INPUT -s 209.85.128.0/17 -j REJECT
$IP4 -A "afwall" -d 209.85.128.0/17 -j REJECT

# 216.58.192.0 - 216.58.223.255
$IP4 -A INPUT -s 216.58.192.0/19 -j REJECT
$IP4 -A "afwall" -d 216.58.192.0/19 -j REJECT

# 216.239.32.0 - 216.239.63.255
$IP4 -A INPUT -s 216.239.32.0/19 -j REJECT
$IP4 -A "afwall" -d 216.239.32.0/19 -j REJECT

# 2001:4860:4000::/36
$IP6 -A INPUT -s 2001:4860:4000::/36 -j REJECT
$IP6 -A "afwall" -d 2001:4860:4000::/36 -j REJECT

# 2404:6800:4000::/36
$IP6 -A INPUT -s 2404:6800:4000::/36 -j REJECT
$IP6 -A "afwall" -d 2404:6800:4000::/36 -j REJECT

# 2607:f8b0:4000::/36
$IP6 -A INPUT -s 2607:f8b0:4000::/36 -j REJECT
$IP6 -A "afwall" -d 2607:f8b0:4000::/36 -j REJECT

# 2800:3f0:4000::/36
$IP6 -A INPUT -s 2800:3f0:4000::/36 -j REJECT
$IP6 -A "afwall" -d 2800:3f0:4000::/36 -j REJECT

# 2a00:1450:4000::/36
$IP6 -A INPUT -s 2a00:1450:4000::/36 -j REJECT
$IP6 -A "afwall" -d 2a00:1450:4000::/36 -j REJECT

# 2c0f:fb50:4000::/36
$IP6 -A INPUT -s 2c0f:fb50:4000::/36 -j REJECT
$IP6 -A "afwall" -d 2c0f:fb50:4000::/36 -j REJECT
# ---------------


My firewall rules, bluwall_google.sh:
Code:
# This file is placed in /data/local/ as bluwall_google.sh
# In AFWall+, under 'Set custom script', enter: . /data/local/bluwall_google.sh

# NECESSARY AT THE TOP OF EACH SCRIPT!
IP6=/system/bin/ip6tables
IP4=/system/bin/iptables

# NOTE: NEVER FLUSH THE OUTPUT CHAIN, USE "afwall" AS THE OUTPUT CHAIN INSTEAD

# Flush/Purge all rules except OUTPUT
$IP4 -w -F INPUT
$IP4 -w -F FORWARD
$IP4 -w -t nat -F
$IP4 -w -t mangle -F
$IP6 -w -F INPUT
$IP6 -w -F FORWARD
$IP6 -w -t mangle -F

# Default end-of-chain policy
$IP4 -P INPUT DROP
$IP4 -P FORWARD DROP
$IP4 -P OUTPUT DROP
$IP6 -P INPUT DROP
$IP6 -P FORWARD DROP
$IP6 -P OUTPUT DROP

# Block incoming ICMP Echo (PING) requests
$IP4 -A INPUT -p icmp --icmp-type 8 -j DROP
$IP6 -A INPUT -p icmpv6 --icmpv6-type 128 -j DROP

# Drop Multicast addresses 
$IP4 -A INPUT -s 224.0.0.0/4 -j DROP
$IP4 -A INPUT -d 224.0.0.0/4 -j DROP
$IP4 -A INPUT -s 240.0.0.0/5 -j DROP
$IP4 -A INPUT -d 240.0.0.0/5 -j DROP
$IP4 -A INPUT -s 0.0.0.0/8 -j DROP
$IP4 -A INPUT -d 0.0.0.0/8 -j DROP
$IP4 -A INPUT -d 239.255.255.0/24 -j DROP
$IP4 -A INPUT -d 255.255.255.255 -j DROP

# FIN ACK / RST ACK LEAK FIX:
$IP4 -A OUTPUT -m conntrack --ctstate INVALID -j DROP
$IP4 -A OUTPUT -m state --state INVALID -j DROP

# Allow loopback communication (necessary on IPv6)
$IP6 -I INPUT -i lo -j ACCEPT
$IP6 -I OUTPUT -o lo -j ACCEPT

# Block all IPv6 via IPv4 communication (for native IPv6 connections only)
# This must be done in the IPv4 table
$IP4 -A INPUT -p 41 -j DROP
$IP4 -A FORWARD -p 41 -j DROP


My firewall rules, bluwall_lockdown.sh:
Code:
# This file is placed in /data/local/ as bluwall_lockdown.sh
# In AFWall+, under 'Set custom script', enter: . /data/local/bluwall_lockdown.sh

# NECESSARY AT THE TOP OF EACH SCRIPT!
IP6=/system/bin/ip6tables
IP4=/system/bin/iptables

# NOTE: NEVER FLUSH THE OUTPUT CHAIN, USE "afwall" AS THE OUTPUT CHAIN INSTEAD

# Flush/Purge all rules except OUTPUT
$IP4 -w -F INPUT
$IP4 -w -F FORWARD
$IP4 -w -t nat -F
$IP4 -w -t mangle -F
$IP6 -w -F INPUT
$IP6 -w -F FORWARD
$IP6 -w -t mangle -F

# Default end-of-chain policy
$IP4 -P INPUT DROP
$IP4 -P FORWARD DROP
$IP4 -P OUTPUT DROP
$IP6 -P INPUT DROP
$IP6 -P FORWARD DROP
$IP6 -P OUTPUT DROP

# Block incoming ICMP Echo (PING) requests
$IP4 -A INPUT -p icmp --icmp-type 8 -j DROP
$IP6 -A INPUT -p icmpv6 --icmpv6-type 128 -j DROP

# Drop Multicast addresses 
$IP4 -A INPUT -s 224.0.0.0/4 -j DROP
$IP4 -A INPUT -d 224.0.0.0/4 -j DROP
$IP4 -A INPUT -s 240.0.0.0/5 -j DROP
$IP4 -A INPUT -d 240.0.0.0/5 -j DROP
$IP4 -A INPUT -s 0.0.0.0/8 -j DROP
$IP4 -A INPUT -d 0.0.0.0/8 -j DROP
$IP4 -A INPUT -d 239.255.255.0/24 -j DROP
$IP4 -A INPUT -d 255.255.255.255 -j DROP

# FIN ACK / RST ACK LEAK FIX:
$IP4 -A OUTPUT -m conntrack --ctstate INVALID -j DROP
$IP4 -A OUTPUT -m state --state INVALID -j DROP

# Allow loopback communication (necessary on IPv6)
$IP6 -I INPUT -i lo -j ACCEPT
$IP6 -I OUTPUT -o lo -j ACCEPT

# Block all IPv6 via IPv4 communication (for native IPv6 connections only)
# This must be done in the IPv4 table
$IP4 -A INPUT -p 41 -j DROP
$IP4 -A FORWARD -p 41 -j DROP

# DROP everything
# ---------------
$IP4 -I INPUT DROP
$IP4 -I FORWARD DROP
$IP4 -I OUTPUT DROP

$IP6 -I INPUT DROP
$IP6 -I FORWARD DROP
$IP6 -I OUTPUT DROP
# ---------------
 
 
17th May 2019, 04:44 AM |#82  
Member
Thanks Meter: 9
 
More
Here's my hosts file, which is used exclusively for blocking ads. The script below pushes it to the phone with the resolv.conf file, bluwall_basic.sh, bluwall_google.sh, bluwall_lockdown.sh and bluwall_ads.sh.

This file must be saved with Unix line-ending, so Notepad isn't going to work. I use TextPad.

What I do is to enable Query Logging in Nebulo, which records each attempt at resolving a domain. Then I export the list to a .csv file to /sdcard, pull it to the computer, and edit the entries via TextPad and LibreOffice Calc to delete duplicates and format everything properly. Once you've got the pattern for formatting it down, it only takes about 15 minutes to do.

Code:
127.0.0.1 localhost
::1       ip6-localhost

127.0.0.1 a.algovid.com
::1       a.algovid.com
127.0.0.1 a.imprvdosrv.com
::1       a.imprvdosrv.com
127.0.0.1 a.vertamedia.com
::1       a.vertamedia.com
127.0.0.1 aax-us-east.amazon-adsystem.com
::1       aax-us-east.amazon-adsystem.com
127.0.0.1 ad.360yield.com
::1       ad.360yield.com
127.0.0.1 ads.adelement.com
::1       ads.adelement.com
127.0.0.1 ads.contextweb.com
::1       ads.contextweb.com
127.0.0.1 ads.mopub.com
::1       ads.mopub.com
127.0.0.1 ads.smrtbid.com
::1       ads.smrtbid.com
127.0.0.1 ads12.vertamedia.com
::1       ads12.vertamedia.com
127.0.0.1 ads16.vertamedia.com
::1       ads16.vertamedia.com
127.0.0.1 ads42.vertamedia.com
::1       ads42.vertamedia.com
127.0.0.1 amplitude.com
::1       amplitude.com
127.0.0.1 auction.beardfleet.com
::1       auction.beardfleet.com
127.0.0.1 aux-log.adtelligent.com
::1       aux-log.adtelligent.com
127.0.0.1 aux-log1-sh.vertamedia.com
::1       aux-log1-sh.vertamedia.com
127.0.0.1 aux-log2-sh.vertamedia.com
::1       aux-log2-sh.vertamedia.com
127.0.0.1 bh.contextweb.com
::1       bh.contextweb.com
127.0.0.1 bugly.qq.com
::1       bugly.qq.com
127.0.0.1 c.algovid.com
::1       c.algovid.com
127.0.0.1 c:versvideo.com
::1       c.versvideo.com
127.0.0.1 cdn.simplecast.com
::1       cdn.simplecast.com
127.0.0.1 cdn1-27403626.algovid.tv
::1       cdn1-27403626.algovid.tv
127.0.0.1 cm.g.doubleclick.net
::1       cm.g.doubleclick.net
127.0.0.1 crashlytics.com
::1       crashlytics.com
127.0.0.1 doubleclick.net
::1       doubleclick.net
127.0.0.1 e.algovid.com
::1       e.algovid.com
127.0.0.1 e.crashlytics.com
::1       e.crashlytics.com
127.0.0.1 elroycdn.twit.tv
::1       elroycdn.twit.tv
127.0.0.1 events.streamrail.net
::1       events.streamrail.net
127.0.0.1 evtvpaid.bfmio.com
::1       evtvpaid.bfmio.com
127.0.0.1 googleads.g.doubleclick.net
::1       googleads.g.doubleclick.net
127.0.0.1 google-analytics.com
::1       google-analytics.com
127.0.0.1 gov.aniview.com
::1       gov.aniview.com
127.0.0.1 ice.360yield.com
::1       ice.360yield.com
127.0.0.1 images.ted.com
::1       images.ted.com
127.0.0.1 ioms.bfmio.com
::1       ioms.bfmio.com
127.0.0.1 k.streamrail.com
::1       k.streamrail.com
127.0.0.1 mixpanel.com
::1       mixpanel.com
127.0.0.1 mobile-static.adsafeprotected.com
::1       mobile-static.adsafeprotected.com
127.0.0.1 mobimight-inv-eu.admixer.net
::1       mobimight-inv-eu.admixer.net
127.0.0.1 mopub.com
::1       mopub.com
127.0.0.1 my.mobfox.com
::1       my.mobfox.com
127.0.0.1 openrtb.cootlogix.com
::1       openrtb.cootlogix.com
127.0.0.1 optimized-by.rubiconproject.com
::1       optimized-by.rubiconproject.com
127.0.0.1 p.imprvdosrv.com
::1       p.imprvdosrv.com
127.0.0.1 pe.intentiq.com
::1       pe.intentiq.com
127.0.0.1 pe1.intentiq.com
::1       pe1.intentiq.com
127.0.0.1 player.aniview.com
::1       player.aniview.com
127.0.0.1 presentation-atl1.turn.com
::1       presentation-atl1.turn.com
127.0.0.1 reports.crashlytics.com
::1       reports.crashlytics.com
127.0.0.1 s-80.imprvdosrv.com
::1       s-80.imprvdosrv.com
127.0.0.1 s-98.versvideo.com
::1       s-98.versvideo.com
127.0.0.1 s.adtelligent.com
::1       s.adtelligent.com
127.0.0.1 s.vertamedia.com
::1       s.vertamedia.com
127.0.0.1 serve.vdopia.com
::1       serve.vdopia.com
127.0.0.1 serverc.shoofle.tv
::1       serverc.shoofle.tv
127.0.0.1 settings.crashlytics.com
::1       settings.crashlytics.com
127.0.0.1 ssl-static.libsyn.com
::1       ssl-static.libsyn.com
127.0.0.1 ssp.lkqd.net
::1       ssp.lkqd.net
127.0.0.1 ssp.streamrail.net
::1       ssp.streamrail.net
127.0.0.1 static.giantbomb.com
::1       static.giantbomb.com
127.0.0.1 track1.aniview.com
::1       track1.aniview.com
127.0.0.1 uswest.bfmio.com
::1       uswest.bfmio.com
127.0.0.1 v-45.algovid.com
::1       v-45.algovid.com
127.0.0.1 v.algovid.com
::1       v.algovid.com
127.0.0.1 v.lkqd.net
::1       v.lkqd.net
127.0.0.1 vast.aniview.com
::1       vast.aniview.com
127.0.0.1 vast.vid46.com
::1       vast.vid46.com
127.0.0.1 vast.wolseri.com
::1       vast.wolseri.com
127.0.0.1 vd.vidoplay.com
::1       vd.vidoplay.com
127.0.0.1 vid.pubmatic.com
::1       vid.pubmatic.com
127.0.0.1 vid.springserve.com
::1       vid.springserve.com
127.0.0.1 vpaid.junnya.com
::1       vpaid.junnya.com
127.0.0.1 vpaid.mars.video
::1       vpaid.mars.video
127.0.0.1 vpaid.pupremium.com
::1       vpaid.pupremium.com
127.0.0.1 vpaid.springserve.net
::1       vpaid.springserve.net
127.0.0.1 www.intouch.org
::1       www.intouch.org
127.0.0.1 z.moatads.com
::1       z.moatads.com
17th May 2019, 06:35 AM |#83  
Member
Thanks Meter: 9
 
More
Pro-tip: If you're running Nebulo, the DNS-over-HTTPS / DNS-over-TLS app, remember that it's still in beta, so there'll be bugs.

One bug I uncovered is that sometimes the app 'forgets' which apps its supposed to do DNS resolution for, apparently. Going into the Settings to the app list and pressing 'Ok' (even if you haven't made any changes), gets it working again. Bug report is already in.

{UPDATE}
Nebulo isn't quite ready for prime-time yet... it's sending seemingly random jibberish DNS requests and not resolving legitimate DNS requests. It'll get there, don't worry.... but if you're not willing to submit bug reports, wait a bit.
{/UPDATE}

{UPDATE 2}
Ah, those random jibberish DNS requests are generated by Brave Browser (all Chromium browsers, in fact) as means of testing connectivity and DNS hijacking.
{/UPDATE2}

But do keep in mind that this is a very important app... it encrypts your DNS requests and sends them over HTTPS, so you can't get a man-in-the-middle attack, whoever is providing your network connection can't watch everything you do, etc.

So if you can, use it and submit bug reports.
Yesterday, 01:44 AM |#84  
Member
Thanks Meter: 9
 
More
Pro-tip: If you've used your HOSTS file to block advertising servers, you've also likely noticed that (on this phone, at least) the /system/etc/hosts file keeps getting overwritten and set back to just 127.0.0.1 localhost and ::1 ip6-localhost.

Frustrating, but fixable. Push your hosts file from your computer to both:
adb push c:\test\bluwall\hosts /data/adb/modules/hosts/system/etc/hosts
adb push c:\test\bluwall\hosts /system/etc/hosts

That first one is where the real hosts file is saved, and it overwrites the second one. So to make your changes stick, push to both of them. I do so via the script in the next post.
Yesterday, 03:06 AM |#85  
Member
Thanks Meter: 9
 
More
Firewall rules are stored on my computer in c:\test\bluwall\

My update.bat script to update the firewall rules (bluwall_basic.sh, bluwall_google.sh, bluwall_lockdown.sh, bluwall_ads.sh), the resolv.conf file, and the hosts file:
Code:
@cls
@CHOICE /C YN /M "Reboot the phone to Recovery Mode?"
@IF %ERRORLEVEL% EQU 1 goto dorebootrec
@IF %ERRORLEVEL% EQU 2 goto docontinue
:dorebootrec
@adb reboot recovery
:docontinue
@cls
@ECHO In TWRP, mount the system partition, then
@pause
@cls
@ECHO Updating DNS servers in resolv.conf
@adb push c:\test\bluwall\resolv.conf /system/etc/resolv.conf
@timeout /T 5 /NOBREAK
@cls
@ECHO Updating HOSTS file
@adb push c:\test\bluwall\hosts /system/etc/hosts
@timeout /T 5 /NOBREAK
@adb push c:\test\bluwall\hosts /data/adb/modules/hosts/system/etc/hosts
@timeout /T 5 /NOBREAK
@cls
@ECHO Updating bluwall_basic.sh
@adb push c:\test\bluwall\bluwall_basic.sh /data/local/bluwall_basic.sh
@timeout /T 5 /NOBREAK
@cls
@ECHO Updating bluwall_google.sh
@adb push c:\test\bluwall\bluwall_google.sh /data/local/bluwall_google.sh
@timeout /T 5 /NOBREAK
@cls
@ECHO Updating bluwall_lockdown.sh
@adb push c:\test\bluwall\bluwall_lockdown.sh /data/local/bluwall_lockdown.sh
@timeout /T 5 /NOBREAK
@cls
@ECHO Updating bluwall_ads.sh
@adb push c:\test\bluwall\bluwall_ads.sh /data/local/bluwall_ads.sh
@timeout /T 5 /NOBREAK
@cls
@CHOICE /C YN /M "System files update complete. Reboot the phone?"
@IF %ERRORLEVEL% EQU 1 goto dorebootsys
@IF %ERRORLEVEL% EQU 2 goto doend
:dorebootsys
@adb reboot
:doend
@cls
@ECHO Killing ADB
@timeout /T 5 /NOBREAK
@taskkill.exe /IM adb.exe /F
@cls
Yesterday, 04:09 AM |#86  
Member
Thanks Meter: 9
 
More
The following file must be saved with Unix line-ending. So Notepad isn't going to work. I use TextPad.

My firewall rules, bluwall_ads.sh:
Code:
# This file is placed in /data/local/ as bluwall_ads.sh
# In AFWall+, under 'Set custom script', enter: . /data/local/bluwall_ads.sh
# Put this after the import of bluwall_basic.sh for Basic profile,
# and after the import of bluwall_google.sh for Google profile.
#
# Use:
# adb logcat -c
# adb logcat -D -v long > c:\test\logcat.log
# to log what the phone is doing.
#
# Use:
# https://www.countryipblocks.net/search_ip.php?search_ip=54.225.152.226&search_ip_result=
# to get the CIDR (ie: 54.224.0.0/12) and IP address range (ie: 54.224.0.0 - 54.239.255.255)
# from each IP address in your logcat log.

# NECESSARY AT THE TOP OF EACH SCRIPT!
IP6=/system/bin/ip6tables
IP4=/system/bin/iptables

# Amazon ads
# ---------------
# 3.128.0.0 - 3.255.255.255
$IP4 -A INPUT -s 3.128.0.0/9 -j REJECT
$IP4 -A "afwall" -d 3.128.0.0/9 -j REJECT

# 18.128.0.0 - 18.255.255.255
$IP4 -A INPUT -s 18.128.0.0/9 -j REJECT
$IP4 -A "afwall" -d 18.128.0.0/9 -j REJECT

# 34.192.0.0 - 34.223.255.255
$IP4 -A INPUT -s 34.192.0.0/11 -j REJECT
$IP4 -A "afwall" -d 34.192.0.0/11 -j REJECT

# 52.0.0.0 - 52.31.255.255
$IP4 -A INPUT -s 52.0.0.0/11 -j REJECT
$IP4 -A "afwall" -d 52.0.0.0/11 -j REJECT

# 52.32.0.0 - 52.63.255.255
$IP4 -A INPUT -s 52.32.0.0/11 -j REJECT
$IP4 -A "afwall" -d 52.32.0.0/11 -j REJECT

# 52.72.0.0 - 52.75.255.255
$IP4 -A INPUT -s 52.72.0.0/14 -j REJECT
$IP4 -A "afwall" -d 52.72.0.0/14 -j REJECT

# 52.88.0.0 - 52.95.255.25
$IP4 -A INPUT -s 52.88.0.0/13 -j REJECT
$IP4 -A "afwall" -d 52.88.0.0/13 -j REJECT

# 52.192.0.0 - 52.223.255.255
$IP4 -A INPUT -s 52.192.0.0/11 -j REJECT
$IP4 -A "afwall" -d 52.192.0.0/11 -j REJECT

# 54.64.0.0 - 54.71.255.255
$IP4 -A INPUT -s 54.64.0.0/13 -j REJECT
$IP4 -A "afwall" -d 54.64.0.0/13 -j REJECT

# 54.88.0.0 - 54.88.255.255
$IP4 -A INPUT -s 54.88.0.0/16 -j REJECT
$IP4 -A "afwall" -d 54.88.0.0/16 -j REJECT

# 72.21.192.0 - 72.21.223.255
$IP4 -A INPUT -s 72.21.192.0/19 -j REJECT
$IP4 -A "afwall" -d 72.21.192.0/19 -j REJECT
# ---------------

# crashlytics.com tracking
# ---------------
# 23.20.0.0 - 23.23.255.255
$IP4 -A INPUT -s 23.20.0.0/14 -j REJECT
$IP4 -A "afwall" -d 23.20.0.0/14 -j REJECT

# 50.16.0.0 - 50.19.255.255
$IP4 -A INPUT -s 50.16.0.0/14 -j REJECT
$IP4 -A "afwall" -d 50.16.0.0/14 -j REJECT

# 54.192.0.0 - 54.207.255.255
$IP4 -A INPUT -s 54.192.0.0/12 -j REJECT
$IP4 -A "afwall" -d 54.192.0.0/12 -j REJECT

# 54.220.0.0 - 54.221.255.255
$IP4 -A INPUT -s 54.220.0.0/15 -j REJECT
$IP4 -A "afwall" -d 54.220.0.0/15 -j REJECT

# 54.224.0.0 - 54.239.255.255
$IP4 -A INPUT -s 54.224.0.0/12 -j REJECT
$IP4 -A "afwall" -d 54.224.0.0/12 -j REJECT

# 54.240.0.0 - 54.255.255.255
$IP4 -A INPUT -s 54.240.0.0/12 -j REJECT
$IP4 -A "afwall" -d 54.240.0.0/12 -j REJECT

# 107.20.0.0 - 107.23.255.255
$IP4 -A INPUT -s 107.20.0.0/14 -j REJECT
$IP4 -A "afwall" -d 107.20.0.0/14 -j REJECT

# 174.129.0.0 - 174.129.255.255
$IP4 -A INPUT -s 174.129.0.0/16 -j REJECT
$IP4 -A "afwall" -d 174.129.0.0/16 -j REJECT

# 184.72.0.0 - 184.73.255.255
$IP4 -A INPUT -s 184.72.0.0/15 -j REJECT
$IP4 -A "afwall" -d 184.72.0.0/15 -j REJECT

# 204.236.128.0 - 204.236.255.255
$IP4 -A INPUT -s 204.236.128.0/17 -j REJECT
$IP4 -A "afwall" -d 204.236.128.0/17 -j REJECT
# ---------------

# CrownPeak / Evidon
# ---------------
# 23.0.0.0 - 23.15.255.255
$IP4 -A INPUT -s 23.0.0.0/12 -j REJECT
$IP4 -A "afwall" -d 23.0.0.0/12 -j REJECT
# ---------------

# doubleverify.com
# ---------------
# 204.154.110.0 - 204.154.111.255
$IP4 -A INPUT -s 204.154.110.0/23 -j REJECT
$IP4 -A "afwall" -d 204.154.110.0/23 -j REJECT
# ---------------

# exelator.com / Nielsen
# ---------------
# 147.75.0.0 - 147.75.127.255
$IP4 -A INPUT -s 147.75.0.0/17 -j REJECT
$IP4 -A "afwall" -d 147.75.0.0/17 -j REJECT
# ---------------

# imprvdosrv.com
# ---------------
# 207.244.64.0 - 207.244.127.255
$IP4 -A INPUT -s 207.244.64.0/18 -j REJECT
$IP4 -A "afwall" -d 207.244.64.0/18 -j REJECT
# ---------------

# imrworldwide.com
# ---------------
# 99.84.0.0 - 99.84.255.255
$IP4 -A INPUT -s 99.84.0.0/16 -j REJECT
$IP4 -A "afwall" -d 99.84.0.0/16 -j REJECT
# ---------------

# mopub.com
# ---------------
# 192.48.236.0 - 192.48.237.255
$IP4 -A INPUT -s 192.48.236.0/23 -j REJECT
$IP4 -A "afwall" -d 192.48.236.0/23 -j REJECT

# 216.146.32.0 - 216.146.47.255
$IP4 -A INPUT -s 216.146.32.0/20 -j REJECT
$IP4 -A "afwall" -d 216.146.32.0/20 -j REJECT
# ---------------

# moatads.com
# ---------------
# 184.24.0.0 - 184.31.255.255
$IP4 -A INPUT -s 184.24.0.0/13 -j REJECT
$IP4 -A "afwall" -d 184.24.0.0/13 -j REJECT
# ---------------

# pubmatic.com
# ---------------
# 162.248.16.0 - 162.248.19.255
$IP4 -A INPUT -s 162.248.16.0/22 -j REJECT
$IP4 -A "afwall" -d 162.248.16.0/22 -j REJECT
# ---------------

# bugly.qq.com
# ---------------
# 203.205.128.0 - 203.205.255.255
$IP4 -A INPUT -s 203.205.128.0/17 -j REJECT
$IP4 -A "afwall" -d 203.205.128.0/17 -j REJECT
# ---------------

# turn.com
# ---------------
# 50.116.192.0 - 50.116.255.255
$IP4 -A INPUT -s 50.116.192.0/18 -j REJECT
$IP4 -A "afwall" -d 50.116.192.0/18 -j REJECT
# ---------------

# vertamedia.com
# ---------------
# 67.220.176.0 - 67.220.191.255
$IP4 -A INPUT -s 67.220.176.0/20 -j REJECT
$IP4 -A "afwall" -d 67.220.176.0/20 -j REJECT
# ---------------
Today, 02:50 AM |#87  
Member
Thanks Meter: 9
 
More
I'm having trouble with AFWall+ not flushing all the rules I've set whenever I switch profiles. As such, sometimes when switching from a more-restrictive to a less-restrictive profile, internet access is still cut off.

I'm researching it. I've mapped each rule in the scripts above to their iptables chain, and it appears that setting up a single rule propagates to different chains, and in some cases to the same chain (the afwall chain in particular) more than once... not sure what's up with that.

On recommendation of the app's author, I'm using the afwall chain instead of the output chain, since flushing the output chain prevents the app from recognizing any user-input rules... but the afwall chain appears to take its input from several upstream chains, so the same rules are put into the afwall chain multiple times.

Further, it appears AFWall+ hangs onto internal rules for apps that were installed at the time that AFWall+ was installed... I'd long since uninstalled Ghostery browser in favor of Brave browser, but AFWall+ still had an internal rule allowing it through the firewall. So I uninstalled and reinstalled.

I need to find a packet flow diagram for AFWall+, that'd be a huge help.
Post Reply Subscribe to Thread

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes