[5.0+][ROOT][3.6.0] AFWall+ IPTables Firewall [28 AUG 2023]


ninestarkoko

Senior Member
Nov 26, 2013
515
212
The last few posts were actually about what is probably the same underlying issue.
If the computer connects to the phone's Wi-Fi but you get no internet, try the DNS workaround.
Search the thread for tethering or hotspot to find more info.

I have the same problem: the PC connects to the hotspot but has no internet ("connection limited"); disabling AFWall solves the problem (one of the scariest things I rarely do). Also, I haven't tried the DNS trick but, as far as I remember, it didn't happen on previous app versions.

Is there any news about the problem? Is there an open bug ticket somewhere?
Thanks
 

xdarthanonx

Senior Member
Apr 23, 2015
268
121
I don't have any connection enabled for "[-11](Kernel) - Linux Kernel" and have no issues at all.

 

pendgy

Senior Member
Sep 8, 2013
57
43
Sofia, Bulgaria
The solution is right here, just few posts ago :)
 

darfri

Senior Member
Nov 13, 2008
936
64
OnePlus 6T
Works like a charm.
Now, if anybody could please tell me the difference between using the Tor checkbox in AFWall and using ProxyDroid with localhost:9050?
The point is, ProxyDroid works and AFWall seems to look exclusively for Orbot... no other SOCKS proxy listening on localhost:9050?
 

gazzacbr

Senior Member
Dec 3, 2007
1,175
245
Dubai
Same here (maybe that wasn't clear), although the link above recommended unblocking it. I didn't unblock Chrome at first as I don't use it anymore (well, I thought I didn't).
I did read somewhere else that it may be from kernel development and testing.
 

Hiroo Onoda

Member
Apr 22, 2019
49
24
I wanted to share my personal experience with regard to blocking certain system apps which according to the official wiki on Github should be set to allowed. So this isn't meant as a guide, but maybe someone finds this useful still. Also, others may chime in with their findings.

Setup: Galaxy S10e, latest stock firmware, Android Pie, Magisk rooted. Gapps disabled, including Play Services.

---------------------------------

(gps)
- Since I'm blocking almost all other system apps, I'm allowing it (via VPN). Otherwise I won't get location through Osmand/Gmaps.

(Kernel)
- Blocking it. The other day when I checked the log, it listed some Italian host that according to Whois belonged to an Italian garment/textile company. This is just one example from a cursory look at the connections apparently going through (Kernel), and I sleep better with it blocked. Call me lazy for not investigating everything down to the last 0s and 1s, but as long as I don't know and have no reason to trust, I go for block. As justification for giving (Kernel) the green light on all connections, the wiki solely mentions "cases where it needs to be enabled for all connection types", without going into detail. I've read that when deactivating DNS via netd, it'd be mandatory to allow all connections through (Kernel). Note that even though I have disabled netd, I've noticed no issues so far in everyday use of the phone.

(root)
- Blocking it. See (Kernel). Said to be mandatory with disabled netd, but no troubles here yet.

(media server)
- Blocking it. Just like (Kernel), no issues thus far. Naught showing up in AFWall log, either.

(shell)
- Blocking it. Same as (Kernel), the wiki mentions obscure "cases where it needs to be enabled". However, in everyday use I haven't seen such cases yet. Nothing showing up in AFWall log.

(configupdater)
- Blocking it. The wiki recommends never blocking it. Judging by the name of the APK, this one might be related to Google services. Since I don't use any Google apps or services, and have had no problems (no connection attempts logged, either), I don't see why this should be allowed.

(downloads, media storage, download manager)
- This one is weird. I always thought it is, as the wiki also states, "required for apps to download content". However, blocking it yields no noticeable downside. I can still access web content via my apps, receive messages, and download files, for instance APK updates. Makes me think my AFWall is broken.

(android system - 1000)
- Block. Again, the wiki recommends allow all. But on stock Samsung phones, a lot of APKs that I don't want to "phone home" share this UID. So unblocking it is out of the question for me, unless someone convinces me it'd be essential for security. I used to get an ugly exclamation mark on my Wi-Fi icon. Disabling the captive portal check as instructed by various guides didn't work for me; it was still there. So what I did was follow this guide (German) to set up an alternative captive portal check destination. I then added that IP as an iptables exception in AFWall via custom script, so that even if 1000 was blocked, this particular connection would still go through.

(intent filter verification service)
- Blocking. In a discussion on AFWall github an intent filter is mentioned as a security feature, and that it should never be disabled. However, I guess that an intent filter verification service is yet something different than an intent filter. In any case, I never saw any blocked connections from this UID in the log. How can that be if it's such an important security feature that needs internet access and should never be blocked?

-----------------

So that's it. The only system apps I've allowed are (gps) via VPN and (ntp). The phone's apparently been running fine for a couple of days. There is no one size fits all approach for blocking system apps. Everyone needs to make their own decisions based on their setup and go for trial and error.
 

darfri

Senior Member
Nov 13, 2008
936
64
OnePlus 6T
I agree, except for GPS and NTP. I have those blocked too. Are you Gapps dependent? I always use GPS in device-only mode; OsmAnd runs well. I do not have the services framework installed at all, for example. There are also apps around that allow you to sync time over GPS (yup, no data needed); also, A-GPS should be used manually.
Btw, it is not a good idea to leak your position to any VPN, as they offer privacy on policy only. Use Tor instead if there's no way around it; it rotates your exit node. VPNs depend on the current legal standing,
and law is always changing due to the weird and twisted ideals they rely on. You can call them bits of morality selected by certainly immoral goals (or semi-moral, which amounts to the same anyway).
 

Hiroo Onoda

Member
Apr 22, 2019
49
24
No Gapps here (all disabled, since I'm running rooted stock). In OsmAnd, whenever I click the location button I get a toast "Position not yet known". If I enable A-GPS in AFWall, it gets my location after a few seconds. With all off ("device-only GPS"), nothing ever happens. I'll investigate this; it might be some other configuration mishap. I was indeed wondering why the actual GPS doesn't seem to work at all.

True, privacy and VPN is very much about trust, but you can certainly choose a VPN with a comparably 'better' privacy policy and a solid reputation. I also don't want to use Tor for my everyday use, for various reasons.

The NTP server you can set to something trustworthy, too, via custom script.
 

darfri

Senior Member
Nov 13, 2008
936
64
OnePlus 6T
You could redirect your obvious activities (real-named email, Facebook etc.) to bypass Tor. Btw, Tor isn't slow anymore, but Google is heavily fighting it with captchas waiting on sites (which mostly have commercial-interest-based scripts waiting anyway). This way of browsing draws a sharp picture of how the sites relate to each other commercially.

Try the app called GPS Status & Toolbox
https://play.google.com/store/apps/details?id=com.eclipsim.gpsstatus2
This can keep you in control of when an A-GPS query is engaged. Then disable all system apps' access to anywhere, except the entry containing Download Manager. Enable the closest connection for the new app. No Tor, no VPN, just direct Wi-Fi or data. Then wait for the satellites to randomize their positions (wait for hours, maybe a day) or find any other way to lose your GPS signal again (probably won't work because of a too-fresh LastKnownLocation).
Engage the A-GPS update in the GPS Status app and see what happens.


You might want to try bypassing the GPS process from the VPN and allowing the data connection for it. Just remember, no VPN for it!

If you have Magisk there is a GPS tweak you can play with also.
Oh, and if you like tethering you need to allow the data connection and port 53 for it.
 
  • Like
Reactions: Hiroo Onoda
I had the same issue with tethering my 4G connection via USB. After some digging I found this thread. Please pay attention especially to petersnows25's post. It solved my problem.

You don't know how grateful I am!! This solved my problem here.

Now I can confirm that with these few lines of custom script code:
Code:
# Let outbound DNS queries (UDP/53) through regardless of the sending UID
iptables -A 'afwall' -p udp -m udp --dport 53 -j ACCEPT
# Let locally generated packets with source port 53 out, i.e. the phone's DNS forwarder answering tethered clients
iptables -A 'afwall' -p udp -m udp --sport 53 -j ACCEPT

- Wi-Fi tethering / hotspot
- USB tethering (Wi-Fi and mobile data)
- Bluetooth tethering (Wi-Fi and mobile data)

are working for me!! This makes me so happy
 

phatzilla

Member
Oct 31, 2010
5
0
Is there any way to have persistent logs while the application is turned on and running? My logs seem to disappear every hour or so. Running 9.0 ArrowOS.
 

markd89

Senior Member
Jul 26, 2007
129
26
Logs/Donate Version

I have AFWall+ installed and working nicely.

I want to view the details inside the logs but it says I have to buy the Donate version.

I don't mind paying, but I don't use Google Play. Is there another way?

Thanks!
Mark
 

Ultramanoid

Senior Member
Apr 24, 2011
3,902
6,774
東京都 Tokyo Metro
There is another way. Search the thread, or read the OP, where it says "To get Unlocker without Google services - Please follow the instructions here", which points to:

https://github.com/ukanth/afwall/wiki#making-donations
 
 

Lusty Rugnuts

Senior Member
Apr 17, 2019
120
29
Hi, all.

Just a quick note... if you're using Nebulo DNS-over-HTTPS / DNS-over-TLS, and you've blocked all of Google's CIDR ranges in AFWall+, Nebulo won't get any traffic.

This is because when Nebulo first gets notification that the network is up, it sets a dummy IP address before it can capture the phone's Wi-Fi or cellular data IP address... and the dummy IP address it sets is 8.8.8.8 (likely because that's what most people have in their resolv.conf as the default DNS server).

Now, if you're like me, you've blocked all of Google's CIDR ranges in one of your AFWall+ profiles, and that's going to play havoc with Nebulo... commenting out the iptables rule blocking inbound and outbound to 8.8.8.8 fixes it, though.

I've got a bug report in with the Nebulo developers to either change the dummy IP address to something not-Google, or to allow the user to set their own dummy IP address.

{UPDATE}
The Nebulo app's developer has fixed this issue. So now, if you're blocking all of Google's CIDR range, Nebulo will still work.
{/UPDATE}
 

Lusty Rugnuts

Senior Member
Apr 17, 2019
120
29
{UPDATE}
I think I answered my own question while attempting to create, flush and delete my own IPTables chains... you have to distinguish between tables and the chains within those tables... the commands to flush them are different:

To flush a table:
iptables --wait -t nat -F

To flush a chain:
iptables --wait -F afwall
{/UPDATE}

{UPDATE2}
Nope, I'm still having problems... it appears that the chains I'm using (via dot-sourced shell scripts) are upstream of the chains used by AFWall+:
afwall-wifi-postcustom
afwall-wifi-tether
afwall-wifi-wan
afwall-3g-home
afwall-3g-tether
bw_happy_box
bw_penalty_box
fw_standby
fw_powersave
fw_dozable
which all use UID matching to ACCEPT or REJECT packets to apps with those UIDs.

So when I set a default DROP policy in the chains I'm using, no data gets through.

So... how do I set a default DROP policy in chains downstream of those AFWall+ is using?

The default policy rules I'm trying to use:
# Default end-of-chain policy
$IP4 -P INPUT DROP
$IP4 -P FORWARD DROP
$IP4 -P OUTPUT DROP
$IP6 -P INPUT DROP
$IP6 -P FORWARD DROP
$IP6 -P OUTPUT DROP

I tried simply removing my default DROP policy rules from my scripts, in an attempt to let the default policy rules set by AFWall+ stand, but AFWall+ went crazy, refused to load the iptables rules, and completely messed up iptables such that even with the firewall uninstalled no traffic could transit... I flushed (-F) and deleted (-X), then reinstalled AFWall+ to get things working again.
{/UPDATE2}
 

Lusty Rugnuts

Senior Member
Apr 17, 2019
120
29
I've got my scripts for each profile working the way I want, and I've set up my own chains so I'm not disturbing the built-in ones. It all works with one exception... when I switch profiles, the tables and chains aren't being flushed. I have to go into Show Rules > Flush Rules, then back out to the main screen and select Apply; then it starts working.

Here's my setup:
Code:
# This file is placed in /data/local/ as bluwall_basic.sh
# This file is to be used with the AFWall+ Basic profile.
# In AFWall+, under 'Set custom script', enter: '. /data/local/bluwall_basic.sh' (without the quotes)

# NECESSARY AT THE TOP OF EACH SCRIPT!
IP6=/system/bin/ip6tables
IP4=/system/bin/iptables
CELLULAR_IF1="ccmni0"
CELLULAR_IF2="ccmni4"
CELLULAR_TUNNEL1="tun0"
WIFI_IF="wlan0"

# SET UP OUR OWN INPUT and FORWARD CHAINS
# Use afwall as OUTPUT chain, it's automatically flushed on change of profile
# -N fails harmlessly when the chain already exists from an earlier run.
# The two -D calls strip up to two stale jumps left by earlier runs, so that
# exactly one jump into our chain remains after the -A.
$IP4 --wait -N INPUT4 2>/dev/null
$IP4 --wait -D INPUT -j INPUT4 2>/dev/null
$IP4 --wait -D INPUT -j INPUT4 2>/dev/null
$IP4 --wait -A INPUT -j INPUT4

$IP4 --wait -N FORWARD4 2>/dev/null
$IP4 --wait -D FORWARD -j FORWARD4 2>/dev/null
$IP4 --wait -D FORWARD -j FORWARD4 2>/dev/null
$IP4 --wait -A FORWARD -j FORWARD4

$IP6 --wait -N INPUT6 2>/dev/null
$IP6 --wait -D INPUT -j INPUT6 2>/dev/null
$IP6 --wait -D INPUT -j INPUT6 2>/dev/null
$IP6 --wait -A INPUT -j INPUT6

$IP6 --wait -N FORWARD6 2>/dev/null
$IP6 --wait -D FORWARD -j FORWARD6 2>/dev/null
$IP6 --wait -D FORWARD -j FORWARD6 2>/dev/null
$IP6 --wait -A FORWARD -j FORWARD6

# Flush only the tables and chains we use, except OUTPUT
# "-F CHAIN" empties one chain of the filter table; "-t mangle -F" with no
# chain name empties every chain of the mangle table, Android's own rules included.
$IP4 --wait -F INPUT4
$IP6 --wait -F INPUT6
$IP4 --wait -F FORWARD4
$IP6 --wait -F FORWARD6
$IP4 --wait -t mangle -F
$IP6 --wait -t mangle -F

... other stuff goes here
 
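Three custom-script needs come up in the posts above: DNS for tethered clients, a single captive-portal exception for UID 1000 while the rest of android.system stays blocked, and hooking private INPUT/FORWARD chains without stacking a new jump on every profile switch. The script below is an added example written for this page; it is not AFWall+'s own code and not a script from any post in this thread. Every rule is added through a check-then-add helper, so sourcing the script again after a profile switch leaves the rule set unchanged. It assumes an iptables that supports the -C (check) option, that 'afwall' is the chain AFWall+ hangs off OUTPUT (as the posts above use it), and it treats the chain names INPUT4/FORWARD4, the iptables path and the captive-portal address 203.0.113.10 as placeholders to replace with your own.

```shell
# Added example for this page, not AFWall+'s own code and not from any post in the thread.
# Idempotent AFWall+ custom-script fragment: a rule is added only if an identical one
# is not already present, so re-running it on a profile switch does not stack
# duplicate jumps or ACCEPTs.
#
# Placeholders (assumptions, change them): iptables path, chain names INPUT4/FORWARD4,
# captive-portal host 203.0.113.10. 'afwall' is the chain AFWall+ attaches to OUTPUT;
# UID 1000 is android.system.

IPT="${IPT:-/system/bin/iptables}"

# add_once TABLE CHAIN RULE...  -- append RULE to CHAIN unless -C reports it present.
add_once() {
    table=$1; chain=$2; shift 2
    if ! "$IPT" --wait -t "$table" -C "$chain" "$@" 2>/dev/null; then
        "$IPT" --wait -t "$table" -A "$chain" "$@"
    fi
}

# insert_once TABLE CHAIN RULE... -- same check, but put RULE at the head of CHAIN.
insert_once() {
    table=$1; chain=$2; shift 2
    if ! "$IPT" --wait -t "$table" -C "$chain" "$@" 2>/dev/null; then
        "$IPT" --wait -t "$table" -I "$chain" 1 "$@"
    fi
}

# ensure_chain PARENT CHAIN -- create CHAIN (ignore "already exists"), hook it from
# PARENT exactly once, then empty CHAIN so this run starts from a clean slate.
# "-F CHAIN" empties one chain; "-t TABLE -F" would empty every chain in TABLE.
ensure_chain() {
    "$IPT" --wait -N "$2" 2>/dev/null || true
    add_once filter "$1" -j "$2"
    "$IPT" --wait -F "$2"
}

# DNS for tethered clients: outbound queries on UDP/53 and the phone's DNS forwarder
# answering clients with source port 53. Inserted at the head of the chain so they
# are evaluated before whatever per-UID rules already sit in it.
allow_tether_dns() {
    insert_once filter afwall -p udp --dport 53 -j ACCEPT
    insert_once filter afwall -p udp --sport 53 -j ACCEPT
}

# allow_captive_portal HOST -- let android.system (UID 1000) reach only HOST on
# TCP/80 (the captive-portal probe) while everything else from that UID stays blocked.
allow_captive_portal() {
    insert_once filter afwall -d "$1" -p tcp --dport 80 -m owner --uid-owner 1000 -j ACCEPT
}

apply_all() {
    ensure_chain INPUT INPUT4
    ensure_chain FORWARD FORWARD4
    allow_tether_dns
    allow_captive_portal 203.0.113.10
}

# AFWall+ sources this file; only touch the live firewall when explicitly asked to.
if [ "${APPLY_RULES:-0}" = 1 ]; then
    apply_all
fi
```

Save it under /data/local/ and, in 'Set custom script', source it and call apply_all (or export APPLY_RULES=1 before sourcing). Flushing your own chain on every run (ensure_chain) is what keeps rules from piling up across profile switches, without touching AFWall+'s chains or whole tables. The ACCEPT rules go to the head of the afwall chain with -I; the tethering post above appends them with -A, which also worked for its author.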

PoochyX

Senior Member
Oct 23, 2016
2,170
425
Just started using AFWall+ today. Any suggestions, guys, on what I should block? When I enable the firewall it just blocks everything.
 

Top Liked Posts

    Welcome to the official support page for AFWall+

    Disclaimer - As usual, I will not take any responsibility if something goes wrong when using AFWall+.

    Introduction
    AFWall+ is an improved version of DroidWall (a front-end application for the powerful iptables Linux firewall). It allows you to restrict which applications are permitted to access your data networks (2G/3G/4G/LTE and/or Wi-Fi, and while roaming). Since the original author of DroidWall
    discontinued the project, I decided to keep the app instead of Avast Firewall. I'll continue to add more features as I can.


    Features
    - Supports 5.x to 13.x
    - Import/Export Rules to external storage
    - Search Applications
    - Multiple Profiles with custom names
    - Tasker/Locale support
    - Select All/None/Invert/Clear applications with single click
    - Revamped Rules/Logs Viewer with copy/export to external storage
    - Ability to view the network interfaces
    - Highlight system applications with custom color
    - Notify on new installations
    - Ability to hide application icons( faster loading )
    - Use LockPattern for application protection.
    - Show/Hide application ID.
    - Roaming Control for 3G/Edge
    - VPN Control
    - LAN Control
    - Tether Control
    - IPV6 Control
    - Tor Control
    - Selectable languages
    - Selectable iptables/busybox binary
    - Supports MIPS/x86/ARM
    - DNS Hostname

    Changelog - See third Post
    Current Version - 3.6.0

    To get Unlocker without Google services - Please follow the instructions here

    AFWall+ BETA Program
    1) AFWall+ opt-in for beta program
    2) Install AFWall+ and If you have any issues, just send email from (Menu -> Firewall Rules - > Send error report)

    Source Code/Wiki/FAQ
    AFWall+ is a free & open-source application
    Github
    Log an issue
    Frequently Asked Questions
    Many Thanks to @CHEF-KOCH

    Translations
    Translations - Please help me with translations in your language.
    http://crowdin.net/project/afwall

    Thanks To/Credits
    - German translations by chef@xda & user_99@xda & Gronkdalonka@xda
    - French translations by GermainZ@xda & Looki75@xda
    - Russian translations by Kirhe@xda & YaroslavKa78
    - Spanish translations by spezzino@crowdin
    - Dutch translations by DutchWaG@crowdin
    - Japanese translation by nnnn@crowdin
    - Ukrainian translation by andriykopanytsia@crowdin
    - Slovenian translation by bunga bunga@crowdin
    - Chinese Simplified translation by tianchaoren@crowdin
    - Polish translations by tst,Piotr Kowalski@crowdin
    - Swedish translations by CreepyLinguist@crowdin
    - Greek Translations by mpqo@crowdin
    - Portuguese translations by lemor2008@xda
    - Chinese Traditional by shiuan@crowdin
    - Chinese Simplified by wuwufei,tianchaoren @ crowdin
    - Italian translations by benzo@crowdin
    - Romanian translations by mysterys3by-facebook@crowdin
    - Czech translations by Syk3s

    Cheers,
    ukanth

    XDA:DevDB Information
    AFWall+ [ IPTables Firewall ], App for the Android General

    Contributors
    ukanth
    Source Code: https://github.com/ukanth/afwall


    Version Information
    Status:
    Stable
    Current Stable Version: 3.5.3
    Stable Release Date: 2022-06-28
    Current Beta Version:
    3.5.3
    Beta Release Date: 2022-06-28

    Created 2013-12-03
    Last Updated 2020-09-05
    Version 3.0.1

    * Fix: Status toggle widget 1x1
    * Fix: Ability to hide ongoing notification (Stop firewall and restart to hide after disable it in preferences)
    * Fix: Firewall error notification on oreo and above
    * Security: Tile toggle checks for password
    * User reported crashes
    * Updated translations

    Previous version 3.0.0

    Features:
    * Better support for nougat/oreo and pie.
    * Firewall toggle tile
    * Adaptive Icons
    * Notification channels
    * Tor support

    Bugs:
    * General bug fixes and crash reports.
    * Language selection bug
    * Filter selection bug
    * Compatible with magisk 17.x
    * Better handling of background process
    * Drops support for 4.x devices
    * Update languages
    * Updated libraries

    Complete Changelog

    Hello All,

    After careful analysis and testing, I decided not to rewrite the way rules are applied, due to the many under-the-hood changes required. Instead I added a few enhancements. Now applying rules from the menu will show how many rules are being applied, with progress status. Also, when adding/removing a few rules, it will apply only those related rules instead of a full apply.

    Also fixed a couple of bugs and added enhancements. You can get the full changelog from https://github.com/ukanth/afwall/blob/beta/Changelog.md

    This is a BETA version which is not released on the Play Store. I have been using this for the past week and it's stable. But there might be bugs which I haven't encountered. Please test it and report any issues.

    Also I have been following the XPrivacy thread on the decision by its author. Just FYI, I might fix it for my own usage when I update to Nougat; I will share it here if anybody uses it.

    BETA Link - https://www.dropbox.com/s/isvi413qyx6vb4d/AFWall+ 2.9.7-BETA-TESTER.apk?dl=0
    Hello everyone,

    I have released 3.0.0 stable on the Play Store today. It's been a crazy month so far. After going through a lot of dilemma about whether to support the existing AFWall or write a new one from scratch, I was finally able to pull myself together and release a stable version of AFWall with lots of bug fixes and new features, along with Pie support. Since I don't do full-time Android development, it was hard to keep track of what's going on with SDK level changes.

    Thank you all for your support in AFWall+ development. Without your support it would simply not be possible to pull through this.

    I will be out for a couple of days (taking off to spend time with my family) and hopefully will be able to reply to questions once back.

    Thanks again and have a great day.
    Hello everyone,

    I have released the stable version of 3.1.0 to the Play Store and GitHub. It's live on the Play Store. You can find the changelog along with md5/sha here

    https://github.com/ukanth/afwall/releases/tag/v3.1.0

    Thank you all for your continuous support in AFWall+ development.