[5.0+][ROOT][3.6.0] AFWall+ IPTables Firewall [28 AUG 2023]

Lusty Rugnuts said:

Not if you're using Google Maps, it won't. I use MapFactor Navigator, with OsmAnd map data. That way I can be offline completely and still use GPS, all I need is Location enabled for it to work.

It's strange if AFWall+ is affecting your GPS, it shouldn't... I've got GPS unchecked in all my AFWall+ profiles. Perhaps you've somehow blocked or disabled Fused Location in Settings > Apps?

Click to expand...

Click to collapse

Nope, Fused Location is one of the apks I haven't disabled. But there's a bunch of others, so I'll have to check each of them.

Ok, I had a chance to dig into my problem a bit more...

Running the command: ip6tables -L -v -n shows:
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
15319 1119K afwall all * * ::/0 ::/0
16031 1142K oem_out all * * ::/0 ::/0
16031 1142K firewall all * * ::/0 ::/0
16031 1142K fw_OUTPUT all * * ::/0 ::/0
16031 1142K st_OUTPUT all * * ::/0 ::/0
16031 1142K bw_OUTPUT all * * ::/0 ::/0

So the afwall chain is connected to the OUTPUT chain... so I'm wondering why, when I set simple rules (via a .sh script) such as: $IP6 -A afwall -d 2404:6800:4000::/36 -j DROP, I'm getting "No chain/target/match by that name." for each IPv6 rule I enter? Especially so, since if I manually enter that rule via adb, there is no error.

Can I use the "firewall" chain, rather than the "afwall" chain? It's attached to both INPUT and OUTPUT chains. Is it automatically flushed upon a change of AFWall+ profile?

Here's something else strange:
In my script, I enter the rule:
$IP6 -A afwall -s 2a00:1450:4000::/36 -j REJECT
AFWall+ gives the "No chain/target/match by that name." error in the logs at the bottom of the 'Iptables rules' window.
But the rule does show up under the afwall chain.
Now, when I then issue via superuser adb shell:
ip6tables -D afwall -s 2a00:1450:4000::/36 -j REJECT
ip6tables -D afwall -s 2a00:1450:4000::/36 -j REJECT
I get the expected "ip6tables: Bad rule (does a matching rule exist in that chain?)." because I've deleted that rule.
But if I refresh the AFWall+ 'Iptables rules' window, that rule is still there.
So the AFWall+ Refresh command isn't working correctly.

Sorry if this may be asked too much, but I just started using AFWall to block apps that I don't trust like Samsung apps and Swiftkey, but I also use Private Internet Access as my VPN, and it cancels out the AFWall firewall. Is there any way to configure it to work with PIA as my always-on VPN?

Ok, I dove deep on the problem, and figured out that AFWall+ must not like the iptables for this system (Android Nougat 7.0.04.13, rooted with TWRP as bootloader and Magisk as root).

I uninstalled AFWall+ and started fresh.

Under:
AFWall+ Preferences > Experimental Features > Startup directory for script, I set it to /data/adb/service.d/
AFWall+ Preferences > Profiles > I enabled multiple profiles and 'Apply rules on profile switch'.
AFWall+ Preferences > Binaries > Iptables binary, I set it to 'Built-in iptables'.
AFWall+ Preferences > Binaries > BusyBox binary, I set it to 'Built-in BusyBox'.

At the top of my .sh scripts, I'd been using (taken from here):
# NECESSARY AT THE TOP OF EACH SCRIPT!
IP6=/system/bin/ip6tables
IP4=/system/bin/iptables

I changed it to:
# NECESSARY AT THE TOP OF EACH SCRIPT!
IP6=ip6tables
IP4=iptables

And I enabled:
[-12] (tethering) - DHCP+DNS services (dev.afwall.special.tether)
... and aside from Nebulo glitching and not passing DNS requests after an AFWall+ profile change (I have to stop Nebulo and start it for it to work... a bug report is in with the app's developer), everything seems to work!

Still need the auto-flush chain on at least the INPUT chain, though. Maybe the app's dev can hang an auto-flush chain off PREROUTING... blocking incoming packets further upstream means fewer CPU cycles consumed in blocking them, and that's important on a battery-operated device.

On Pixel 3 XL when disconnecting from WiFi and switching to data, there is no connection available until I turn off afwall, is anyone else seeing this issue and does anyone have a workaround

Oswald Boelcke said:

No connection on mobile data or no internet access?

Click to expand...

Click to collapse

Both until I disable Afwall, once I disable it, everything works

Can someone tell me the reason for the usage of slashes in ip addresses?
For instance: 224.0.0.0/4

Estebanium said:

Can someone tell me the reason for the usage of slashes in ip addresses?
For instance: 224.0.0.0/4

Click to expand...

Click to collapse

CIDR is the short for Classless Inter-Domain Routing, an IP addressing scheme that replaces the older system based on classes A, B, and C. A single IP address can be used to designate many unique IP addresses with CIDR. A CIDR IP address looks like a normal IP address except that it ends with a slash followed by a number, called the IP network prefix. CIDR addresses reduce the size of routing tables and make more IP addresses available within organizations.
https://www.ipaddressguide.com/cidr

eriol1 said:

Just updated to 2.9.9
Had to disable/enable log service before toasts started showing up. Other than that everything's great so far.
Love the dual app support.
I'm using island for dual apps and afwall is doing exactly what I would expect.
Thanks.

Click to expand...

Click to collapse

ver. 3.1.0
Do you check Dual Apps opt only or Multi-User opt also?
Do you clone AFWall+ to Island?

vip5912 said:

ver. 3.1.0
Do you check Dual Apps opt only or Multi-User opt also?
Do you clone AFWall+ to Island?

Click to expand...

Click to collapse

Only dual apps.
Did not clone afwall to island.
When dual apps is checked in afwall, cloned apps appear in afwall main rule screen so they can be allowed/blocked like regular apps.

eriol1 said:

Only dual apps.
Did not clone afwall to island.
When dual apps is checked in afwall, cloned apps appear in afwall main rule screen so they can be allowed/blocked like regular apps.

Click to expand...

Click to collapse

The AFWALL in the Mainland don't see the applications which are not installed in Mainland (only in Island).
It see only dual apps.
I clone AFWALL to Island and this clone see the applications in Island.
But I don't know will the problem be with using two AFWALL (Mainland and Island).
I checked Multi-User opt and selected blacklist mode.
Do I need check Dual App opt in this case?
I have some apps in Mainland, some in Island and some dual (in Mainland & Island).

vip5912 said:

The AFWALL in the Mainland don't see the applications which are not installed in Mainland (only in Island).
It see only dual apps.
I clone AFWALL to Island and this clone see the applications in Island.
But I don't know will the problem be with using two AFWALL (Mainland and Island).
I checked Multi-User opt and selected blacklist mode.
Do I need check Dual App opt in this case?
I have some apps in Mainland, some in Island and some dual (in Mainland & Island).

Click to expand...

Click to collapse

I'm guessing using 2 afwall apps would not work.
Since there is only one iptables in the system, both afwall apps would just overwrite each other's rules every time they apply, so probably the last one to apply would win.
I tried cloning afwall to island to test but I don't seem to have root in island apps and I don't have the patience to figure out how to get it working. I'd rather not have root available for island apps anyway.

I'm not sure why island apps don't appear in afwall (mainland) after being removed from mainland. Might be a bug in afwall or simply an android limitation.
Maybe @ukanth can clarify.

eriol1 said:

I'm guessing using 2 afwall apps would not work.
Since there is only one iptables in the system, both afwall apps would just overwrite each other's rules every time they apply, so probably the last one to apply would win.
I tried cloning afwall to island to test but I don't seem to have root in island apps and I don't have the patience to figure out how to get it working. I'd rather not have root available for island apps anyway.

I'm not sure why island apps don't appear in afwall (mainland) after being removed from mainland. Might be a bug in afwall or simply an android limitation.
Maybe @ukanth can clarify.

Click to expand...

Click to collapse

As I understand there is the multi-user opt for this case. I check this opt in the both afwalls and select blacklist mode (block selected).
Multi-user opt is only for blacklist mode!
Then I check the dual-apps opt off and I see Mainland apps in Mainland afwall and Island apps in Island AFWall
For root right in Island you need check this opt in Magisk setup. You can select use one Magisk Manager for both profiles or use two different Magisk Managers in Mainland and Island.
I use second opt. I clone Magisk Manager to Island. I need root right in Island for some apps (i.e. Migrate for backup Island apps).

Estebanium said:

Can someone tell me the reason for the usage of slashes in ip addresses?
For instance: 224.0.0.0/4

Click to expand...

Click to collapse

That specifies a CIDR range... a range of IP addresses. It's a way of entering a large range of IP addresses in a very short format.

For example:
# DROP the entire internet
iptables -I afwall -d 0.0.0.0/0 -j DROP
ip6tables -I afwall -d ::/0 -j DROP

That's 4,294,967,296 IPv4 IP addresses, and 340,282,366,920,938,463,463,374,607,431,768,211,456 IPv6 IP addresses.

I've used it in my AFWall+ settings to block all of Google's CIDR ranges in my Default firewall profile.

You can find all IP addresses for a company here.

You can aggregate CIDR ranges to minimize your firewall entries here.

In your case, it'd be 224.0.0.1 to 239.255.255.254.
Network = 224.0.0.0
Usable IPs = 224.0.0.1 to 239.255.255.254 for 268435454
Broadcast = 239.255.255.255
Netmask = 240.0.0.0
Wildcard Mask = 15.255.255.255

eriol1 said:

I'm guessing using 2 afwall apps would not work.
Since there is only one iptables in the system, both afwall apps would just overwrite each other's rules every time they apply, so probably the last one to apply would win.
I tried cloning afwall to island to test but I don't seem to have root in island apps and I don't have the patience to figure out how to get it working. I'd rather not have root available for island apps anyway.

I'm not sure why island apps don't appear in afwall (mainland) after being removed from mainland. Might be a bug in afwall or simply an android limitation.
Maybe @ukanth can clarify.

Click to expand...

Click to collapse

Actually, they could try this:
Set up one AFWall+ to use the system's iptables, and the other to use AFWall+'s built-in iptables.

I haven't tried it, but it should allow the two iptables to co-exist without cross-feeding.

custon3 said:

It's happening to me that when applying rules from the afwal menu,
90% of the time it hangs in the window "status: checking root" and I have to leave the app
force stop and clear cache. I'm not sure if the problem is caused by afwall or by magisk.
afwall + 3.1.0 free, whitelist, custom script, android 9 (mokee9), magisk 18.1.

Click to expand...

Click to collapse

Checking some logcat I found errors of the widget when I passed the bug when applying the rules.Making tests, after the app was blocked when applying the rules, I launched an afwall widget and pressed one of the options. (afwall was unlocked)
My impression is that there is some conflict between the switch to apply rules and the widget switch.I hope this helps @ukanth to debug this bug.

Lusty Rugnuts said:

Ok, I dove deep on the problem, and figured out that AFWall+ must not like the iptables for this system (Android Nougat 7.0.04.13, rooted with TWRP as bootloader and Magisk as root).

I uninstalled AFWall+ and started fresh.

Under:
AFWall+ Preferences > Experimental Features > Startup directory for script, I set it to /data/adb/service.d/
AFWall+ Preferences > Profiles > I enabled multiple profiles and 'Apply rules on profile switch'.
AFWall+ Preferences > Binaries > Iptables binary, I set it to 'Built-in iptables'.
AFWall+ Preferences > Binaries > BusyBox binary, I set it to 'Built-in BusyBox'.

At the top of my .sh scripts, I'd been using (taken from here):
# NECESSARY AT THE TOP OF EACH SCRIPT!
IP6=/system/bin/ip6tables
IP4=/system/bin/iptables

I changed it to:
# NECESSARY AT THE TOP OF EACH SCRIPT!
IP6=ip6tables
IP4=iptables

And I enabled:
[-12] (tethering) - DHCP+DNS services (dev.afwall.special.tether)
... and aside from Nebulo glitching and not passing DNS requests after an AFWall+ profile change (I have to stop Nebulo and start it for it to work... a bug report is in with the app's developer), everything seems to work!

Still need the auto-flush chain on at least the INPUT chain, though. Maybe the app's dev can hang an auto-flush chain off PREROUTING... blocking incoming packets further upstream means fewer CPU cycles consumed in blocking them, and that's important on a battery-operated device.

Click to expand...

Click to collapse

{UPDATE}
I've run with the above settings for awhile now, and they're not working correctly. The issues I've had with running the iptables built-in to AFWall+:
1) AFWall+ is very slow to flush and update iptables / ip6tables. It pauses for a long time twice as rules load, and rules loading is painfully slow even between the pauses.

2) Sometimes, AFWall+ reports that it's unable to gain root, then it doesn't load any iptables at all (the Rules window is completely blank) and the firewall disables.

3) Even when AFWall+ does successfully apply the new rules on a change of profile, when I close the AFWall+ window, it shows in the notifications that AFWall+ is applying the rules again. If I then open AFWall+ again and go to the Rules window, the rules are entered twice for each rule. Strangely, it seems it's only doing this for IPv4 rules... running:
adb shell
su
iptables -L
shows the twice-entered rules in the IPv4 iptable, whereas running:
adb shell
su
ip6tables -L
shows the rules don't seem to be twice-entered in the IPv6 iptable.

So I've changed things again:
Under:
AFWall+ Preferences > Experimental Features > Startup directory for script, I set it to /data/adb/service.d/
AFWall+ Preferences > Profiles > I enabled multiple profiles and 'Apply rules on profile switch'.
AFWall+ Preferences > Binaries > Iptables binary, I set it to 'System iptables'.
AFWall+ Preferences > Binaries > BusyBox binary, I set it to 'System BusyBox'.

At the top of my .sh scripts:
# NECESSARY AT THE TOP OF EACH SCRIPT!
IP6=/system/bin/ip6tables
IP4=/system/bin/iptables

Thus far, AFWall+ switches profiles really quickly, and thus far I've not gotten the error dialog stating that AFWall+ couldn't gain root.

I'm using the Stericson BusyBox.

So it appears there are problems with AFWall+'s built-in iptables and busybox. Or perhaps trying to have AFWall+ do everything (manage profiles, wrangle internal iptables, run internal busybox, etc.) was just too much, and things were timing out, but I've got a 1.3 GHz octa-core CPU and the problems haven't appeared using system iptables and system BusyBox, except for the rules duplication issue when the AFWall+ window is closed (described above).
{/UPDATE}

{UPDATE2}
I'm trying something new in the custom scripts... explicitly denoting the path to iptables, even for the built-in AFWall+ iptables:

# NECESSARY AT THE TOP OF EACH SCRIPT!
# NOTE: You must change each {$IP4S | $IP4A | $IP4D} and {$IP6S | $IP6A | $IP6D}
# to reflect your use of System, AFWall+ or AFWall+(Donate version) iptables
# -------------------------
# System iptables
IP6S=/system/bin/ip6tables
IP4S=/system/bin/iptables

# AFWall+ iptables
IP6A=/data/data/dev.ukanth.ufirewall/app_bin/ip6tables
IP4A=/data/data/dev.ukanth.ufirewall/app_bin/iptables

# AFWall+Donate iptables
IP6D=/data/data/dev.ukanth.ufirewall.donate/app_bin/ip6tables
IP4D=/data/data/dev.ukanth.ufirewall.donate/app_bin/iptables
# -------------------------

So for instance, a ruleset for the system's iptables would be:
# DROP invalid packets
$IP4S -A afwall -m state --state INVALID -j DROP
$IP6S -A afwall -m state --state INVALID -j DROP

... whereas for the in-built iptables in the free version of AFWall+, it'd be:
# DROP invalid packets
$IP4A -A afwall -m state --state INVALID -j DROP
$IP6A -A afwall -m state --state INVALID -j DROP

... and for the iptables in the Donate version of AFWall+ it'd be:
# DROP invalid packets
$IP4D -A afwall -m state --state INVALID -j DROP
$IP6D -A afwall -m state --state INVALID -j DROP

I'm going to switch back to using AFWall+'s built-in iptables to see how it works with the above.
{/UPDATE2}

{ASIDE}
Hmmm... I wonder... if I set AFWall+ to use its internal iptables, but explicitly denoted that the rules I load via dot shell script use the system iptables, would that allow the phone to use both iptables, which would mean I could flush INPUT and OUTPUT chains in the system iptables (via the dot shell script) without affecting the AFWall+ iptables?

Because that'd give us a means of INPUT and OUTPUT packet filtering, whereas now we only have OUTPUT packet filtering (via the 'afwall' chain). Which means we could block scans, exploits, etc.

Must experiment.
{/ASIDE}

Does anyone have any idea why AFWall+ doesn't work for me? It instantly blocks everything (internet simply doesn't work anymore, both on wifi and mobile data). I tried restarting it, rebooting, tried enabling it in Xposed module (Magisk's EdXposed) but no success. I don't even have to select anything from the menu, as soon as I enable firewall internet access is just gone (for all apps, browsers...). I tried installing multiple versions (including paid one) but it's all the same. Tried changing binaries but nothing works, as soon as I enable it internet is gone no matter what I do. I have Xiaomi mi 9 on MIUI10 (android pie) running custom ROM (Xiaomi.eu latest weekly version) but I did also try to run this app on few weeks older versions with same results. Does anyone have any idea what is happening? I haven't seen anyone having this problem.

squid2g said:

Does anyone have any idea why AFWall+ doesn't work for me? It instantly blocks everything (internet simply doesn't work anymore, both on wifi and mobile data). I tried restarting it, rebooting, tried enabling it in Xposed module (Magisk's EdXposed) but no success. I don't even have to select anything from the menu, as soon as I enable firewall internet access is just gone (for all apps, browsers...). I tried installing multiple versions (including paid one) but it's all the same. Tried changing binaries but nothing works, as soon as I enable it internet is gone no matter what I do. I have Xiaomi mi 9 on MIUI10 (android pie) running custom ROM (Xiaomi.eu latest weekly version) but I did also try to run this app on few weeks older versions with same results. Does anyone have any idea what is happening? I haven't seen anyone having this problem.

Click to expand...

Click to collapse

When you start AFWall look on top at the icon next to the search icon. The one with 3 horizontal bars and a check mark. Click on that. Which option is checked?