[5.0+][ROOT][3.6.0] AFWall+ IPTables Firewall [28 AUG 2023]


bthylafh

New member
Apr 6, 2019
1
1
Necessary privs for Signal over cell data?

EDIT: The solution was to give Signal access to roaming cellular data. No idea why this would be, except maybe that I'm on an MVNO that uses T-Mobile's network.

I searched here and on Google, and didn't see anything obviously matching my question:

I have a rooted phone running Lineage 16 & MindTheGapps and want to configure AFWall+ so that only a few apps can use my cellular data when it's active. I'm having a little trouble getting Signal to work correctly: I've given it permission to access LAN, WAN, and non-roaming cellular but it won't send messages until I disable AFWall+. Are there other core or system processes that I should whitelist?

I have the Core processes configured like so:
VPN access for everything.
Full access for the kernel.
Media gets WAN access
NTP gets WAN.
Root apps get everything but cellular and roaming
VPN on WAN only.

System processes:
VPN for everything.
WAN/LAN for CaptivePortalLogin
Non-roaming cellular for com.qualcomm.embms.
Same for a block consisting of Phone and Messaging Storage, Messaging service, com.qualcomm.qti.telephonyservice, com.qti.qualcomm.datastatusnotification, SIM Toolkit, org.codeaurora.ims, com.qualcomm.qcrilmsgtunnel, com.qualcomm.qti.ims, and Phone Services.

I'm testing by disconnecting from my wifi and connecting to data.
 

htr5

Senior Member
May 18, 2014
359
239
LG G4
Samsung Galaxy S10+
• Recently, my SuperSU app asked me to grant AFWall+ root permission again. This usually happens if the app is updated/changed but I hadn't initiated any update. Did the AFWall+ do something by itself?

• When a new app is installed, the default action is to allow all connections. Would it be possible to switch the default action to block? The user is then required to grant access such as with firewalls on computers.

• Is there any interest from the dev or others for a screen overlay for when a new app is installed (similar to prompts on a computer's firewall)

• Finally, thank you very much. This app has completely transformed the way I use my phone.
 

jcmm11

Recognized Contributor
Feb 10, 2012
3,589
3,614
Google Pixel 4a 5G
• Recently, my SuperSU app asked me to grant AFWall+ root permission again. This usually happens if the app is updated/changed but I hadn't initiated any update. Did the AFWall+ do something by itself?

• When a new app is installed, the default action is to allow all connections. Would it be possible to switch the default action to block? The user is then required to grant access such as with firewalls on computers.

• Is there any interest from the dev or others for a screen overlay for when a new app is installed (similar to prompts on a computer's firewall)

• Finally, thank you very much. This app has completely transformed the way I use my phone.
For #1 I wouldn't worry about it unless it starts to happen frequently.

For #2 - change the default from 'Block Selected' to 'Allow Selected'. You may have to redo all your rules after changing this. See attached image for where you change this.

#3 - meh. I'm fine with the notification I get when a new program is installed.
 

Attachments

  • Screenshot_20190411-184750.jpg

cobrax2

Senior Member
Aug 17, 2007
993
126
hi guys
i am on htc 10, android 7
i understand that if i disable the show notification icon setting, the app is going into the background and eventually gets killed. but the rules remain active?
what happens if i let it with the notification on and block it from the android itself with "block all notifications"? will it run then and just wont show me notifications when new apps get installed?
thanks
 

gazzacbr

Senior Member
Dec 3, 2007
1,175
245
Dubai
• When a new app is installed, the default action is to allow all connections. Would it be possible to switch the default action to block? The user is then required to grant access such as with firewalls on computers.

• Finally, thank you very much. This app has completely transformed the way I use my phone.
I am guessing that you have set for blacklist so by definition everything will be allowed by default.
I much prefer whitelist then I have more control
my 2c
 

Estebanium

Senior Member
Aug 5, 2015
414
85
How is it possible that the log tells me an App was blocked (mdns UID 1020) while I don't have this App in the list of Apps? I am on Android Pie.
 

GeeM

Senior Member
Nov 6, 2007
53
6
Issues with Hotspot and CaptivePortalLogin

Hi there,

I have been using AFWall+ for nearly a month now, I am still getting used to it but so far it has been very positive. However I am still facing 2 major issues: I can't get any internet connection while sharing my mobile data through my wifi hotspot, and whenever I try to login on a public wifi with the CaptivePortalLogin, the app crashes and I cannot access the public Wifi at all. Both the CaptivePortalLogin and the tethering (DHCP+DNS) services are allowed for any connection.

Are these issues related? Is there any other service that I must add to the white list?

Thanks
 

Oswald Boelcke

Senior Moderator / Moderator Committee
Staff member
Hi there,

I have been using AFWall+ for nearly a month now, I am still getting used to it but so far it has been very positive. However I am still facing 2 major issues: I can't get any internet connection while sharing my mobile data through my wifi hotspot, and whenever I try to login on a public wifi with the CaptivePortalLogin, the app crashes and I cannot access the public Wifi at all. Both the CaptivePortalLogin and the tethering (DHCP+DNS) services are allowed for any connection.

Are these issues related? Is there any other service that I must add to the white list?

Thanks
First, I need to admit that I haven't granted internet access to CaptivePortalLogin and it's frozen. Additionally, I've run the following code through Termux:

Code:
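su                                                       # open a root shell; the lines below are typed into it
pm disable com.android.captiveportallogin                # disable the CaptivePortalLogin package
settings put global captive_portal_detection_enabled 0   # legacy switch for captive portal detection
settings put global captive_portal_server localhost      # point the legacy probe at localhost
settings put global captive_portal_mode 0                # 0 = do not probe for captive portals
reboot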
Now my actual question: In preferences => Binaries => DNS Proxy, what is your choice?
 

GeeM

Senior Member
Nov 6, 2007
53
6
First, I need to admit that I haven't granted internet access to CaptivePortalLogin and it's frozen. Additionally, I've run the following code through Termux:

Code:
su 
pm disable com.android.captiveportallogin  
settings put global captive_portal_detection_enabled 0 
settings put global captive_portal_server localhost 
settings put global captive_portal_mode 0  
reboot
Now my actual question: In preferences => Binaries => DNS Proxy, what is your choice?

Thanks for your help.

I saw the CaptivePortalLogin fix for those who decided they do not want to allow/use the CaptivePortalLogin but I personally don't have any issue with it and that's why I allowed it and thought I would avoid some complications (unless you guys advise I should block it for good reasons)... :confused:

as for the Binaries preferences, it's set on Auto.
 

MDV106

Senior Member
Jan 4, 2019
497
172
ASUS ZenFone 8
I am having trouble getting apps like ftp server and KDE connect to work while i use AfWall. Also my WiFi signal in status bar shows an x symbol indicating 'no internet' even though it works. How do i get around these issues. I have blocked all internet access to all apps except for those that require internet access to work.
 
I am having trouble getting apps like ftp server and KDE connect to work while i use AfWall. Also my WiFi signal in status bar shows an x symbol indicating 'no internet' even though it works. How do i get around these issues. I have blocked all internet access to all apps except for those that require internet access to work.

Turn logging on and see which system service is being denied internet access. You might have to play with this a bit to find the right one. I've had this a couple of times on different roms and this is how I fixed it.
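
The triage suggested above (turn logging on, then see which UID is being denied), as an added example that is not part of the original posts or of AFWall+ itself: it groups blocked packets by UID and names the fixed Android system UIDs, which is why a log can show UID 1020 (mdnsr) although no such app appears in the app list. The `{AFL}` prefix, the netfilter LOG line format with `--log-uid`, the sample lines and `org.example.messenger` are assumptions.

```python
import re
from collections import Counter

# Fixed Android system UIDs (AIDs in android_filesystem_config.h). They are
# not installed apps, so a firewall lists them only under special entries.
SYSTEM_UIDS = {0: "root", 1000: "system", 1001: "radio", 1010: "wifi",
               1013: "media", 1014: "dhcp", 1016: "vpn", 1020: "mdnsr",
               1021: "gps", 2000: "shell"}

# Constructed sample in the kernel's netfilter LOG format (--log-uid set).
# The "{AFL}" prefix and every address below are assumptions for the demo.
SAMPLE_LOG = """\
[ 100.0] wlan: connected to access point
[ 101.1] {AFL}IN= OUT=wlan0 SRC=192.168.1.23 DST=224.0.0.251 LEN=73 TTL=255 PROTO=UDP SPT=5353 DPT=5353 LEN=53 UID=1020 GID=1020
[ 101.9] {AFL}IN= OUT=wlan0 SRC=192.168.1.23 DST=224.0.0.251 LEN=73 TTL=255 PROTO=UDP SPT=5353 DPT=5353 LEN=53 UID=1020 GID=1020
[ 140.2] {AFL}IN= OUT=rmnet_data0 SRC=10.20.30.40 DST=192.0.2.53 LEN=60 TTL=64 PROTO=TCP SPT=40112 DPT=853 SYN UID=0 GID=0
[ 152.7] {AFL}IN= OUT=rmnet_data0 SRC=10.20.30.40 DST=198.51.100.7 LEN=60 TTL=64 PROTO=TCP SPT=51544 DPT=443 SYN UID=10123 GID=10123
[ 160.3] {AFL}IN= OUT=wlan0 SRC=192.168.1.23 DST=192.168.1.1 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line, prefix="{AFL}"):
    """Return uid/iface/proto/dport for a firewall log line, else None."""
    if prefix not in line:
        return None
    fields = {}
    for key, value in FIELD.findall(line.split(prefix, 1)[1]):
        fields.setdefault(key, value)  # LEN= occurs twice; keep the first
    if "PROTO" not in fields:
        return None
    uid = fields.get("UID", "")  # absent when the packet has no owning socket
    return {"uid": int(uid) if uid.isdigit() else None,
            "iface": fields.get("OUT", ""),
            "proto": fields["PROTO"].lower(),
            "dport": int(fields.get("DPT", 0))}  # ICMP has no port

def owner_of(uid, app_names):
    """Name the owner of a UID: known system AID, installed app, or unknown."""
    if uid is None:
        return "no-uid"
    if uid in SYSTEM_UIDS:
        return "system:" + SYSTEM_UIDS[uid]
    # UIDs from 10000 upward belong to installed apps
    return app_names.get(uid, "app:unknown") if uid >= 10000 else "system:unlisted"

def summarize(log_text, app_names=None):
    """Count blocked packets per (uid, owner, iface, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            owner = owner_of(rec["uid"], app_names or {})
            counts[(rec["uid"], owner, rec["iface"], rec["proto"], rec["dport"])] += 1
    return counts

def blocked_system_uids(counts):
    """System UIDs seen in the log: candidates for a core/special rule."""
    return sorted({k[0] for k in counts if k[1].startswith("system:")})
```

The per-port breakdown shows what a denied system UID was actually trying to reach before you decide whether to allow its whole entry.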
 

MDV106

Senior Member
Jan 4, 2019
497
172
ASUS ZenFone 8
Turn logging on and see which system service is being denied internet access. You might have to play with this a bit to find the right one. I've had this a couple of times on different roms and this is how I fixed it.

I fixed the wifi icon problem by following the commands 2 posts above. The KDE Connect problem is likely caused by me being connected to a network using the CloudflareDNS4Magisk module so maybe the app is having difficulty picking up my device's IP address. I decided to uninstall KDE Connect and communicate with my pc using Syncthing-Lite instead.
 

blinkycan

Senior Member
Mar 1, 2019
51
11
guys i have read the past few pages about dns but can't find an answer,

Afwall is blocking the new private dns feature of android 9 pie, the dns traffic is reported as "(root) Apps running as root", port 853 TCP

can i easily open that tcp port 853 for DNS over TLS without allowing the whole "Apps running as root"? thanks !
 

Adrian312

Senior Member
Jan 12, 2009
361
75
Bratislava
guys i have read the past few pages about dns but can't find an answer,

Afwall is blocking the new private dns feature of android 9 pie, the dns traffic is reported as "(root) Apps running as root", port 853 TCP

can i easily open that tcp port 853 for DNS over TLS without allowing the whole "Apps running as root"? thanks !
Well you can give it a try and let us know :cool:
 

Oswald Boelcke

Senior Moderator / Moderator Committee
Staff member
Thanks for your help.

I saw the CaptivePortalLogin fix for those who decided they do not want to allow/use the CaptivePortalLogin but I personally don't have any issue with it and that's why I allowed it and thought I would avoid some complications (unless you guys advise I should block it for good reasons)... :confused:

as for the Binaries preferences, it's set on Auto.
I apologise for the late reply but have been busy with other things.
Personally, I blocked CaptivePortalLogin as provided because I don't want data sent to "http://clients3.google.com" to return an HTTP status code "204". The sent request contains the IP address of the network, time of network address and type of browser. I simply don't want Google to get these data but it's a very personal decision and I've never experienced problems due to my setup. But I know it might lead to problems, e.g. when logging in at a hotel.
Regarding the binary, "auto" is certainly fine but I've disabled "DNS via netd" to allow AFWall+ to clearly match all DNS requests to the respective applications. However, this setting requires that "[0] (root) - Apps running as root" has access to the internet.
 

MDV106

Senior Member
Jan 4, 2019
497
172
ASUS ZenFone 8
I apologise for the late reply but have been busy with other things.
Personally, I blocked CaptivePortalLogin as provided because I don't want data sent to "http://clients3.google.com" to return an HTTP status code "204". The sent request contains the IP address of the network, time of network address and type of browser. I simply don't want Google to get these data but it's a very personal decision and I've never experienced problems due to my setup. But I know it might lead to problems, e.g. when logging in at a hotel.
Regarding the binary, "auto" is certainly fine but I've disabled "DNS via netd" to allow AFWall+ to clearly match all DNS requests to the respective applications. However, this setting requires that "[0] (root) - Apps running as root" has access to the internet.

Do you mind explaining what advantage "to allow AFWall+ to clearly match all DNS requests to the respective applications." provides? Also I followed your previous code segment and it helped remove the "x" symbol next to wifi in status bar.
 

darfri

Senior Member
Nov 13, 2008
936
64
OnePlus 6T
What does Afwall specifically try to do when tor redirection is on?

Does it try to connect to localhost:9050 to find orbot waiting ?
It doesn't seem to..

I do not want to exhaust my phone with tor running all the time. Instead I use Proxydroid to connect to a REMOTE server consisting of a warmed up tor waiting on tcp9050. Over vpn.

I want to give up using Proxydroid oldie and "release a slot" for more background processes.

What would be the CUSTOM SCRIPT for that matter?
 

Top Liked Posts

  • 404
    Welcome to official support page for AFWall+

    Disclaimer - As Usual. I'll not take any responsibility if something goes wrong when using AFWall+

    Introduction
    AFWall+ is an improved version of DroidWall (front-end application for the powerful iptables Linux firewall). It allows you to restrict which applications are permitted to access your data networks (2G/3G/4G/LTE and/or Wi-Fi and while in roaming). Since the original author of Droidwall discontinued the project, I decided to keep the app instead of Avast Firewall. I'll continue to add more features as I can.


    Features
    - Supports 5.x to 13.x
    - Import/Export Rules to external storage
    - Search Applications
    - Multiple Profiles with custom names
    - Tasker/Locale support
    - Select All/None/Invert/Clear applications with single click
    - Revamped Rules/Logs Viewer with copy/export to external storage
    - Ability to view the network interfaces
    - Highlight system applications with custom color
    - Notify on new installations
    - Ability to hide application icons( faster loading )
    - Use LockPattern for application protection.
    - Show/Hide application ID.
    - Roaming Control for 3G/Edge
    - VPN Control
    - LAN Control
    - Tether Control
    - IPV6 Control
    - Tor Control
    - Choosable languages
    - Choosable iptables/busybox binary
    - Supports MIPS/x86/ARM
    - DNS Hostname

    Changelog - See third Post
    Current Version - 3.6.0

    To get Unlocker without Google services - Please follow the instructions here

    AFWall+ BETA Program
    1) AFWall+ opt-in for beta program
    2) Install AFWall+ and if you have any issues, just send email from (Menu -> Firewall Rules -> Send error report)

    Source Code/Wiki/FAQ
    AFWall+ is a free & open-source application
    Github
    Log an issue
    Frequently Asked Questions
    Many Thanks to @CHEF-KOCH

    Translations
    Translations - Please help me with translations in your language.
    http://crowdin.net/project/afwall

    Thanks To/Credits
    - German translations by chef@xda & user_99@xda & Gronkdalonka@xda
    - French translations by GermainZ@xda & Looki75@xda
    - Russian translations by Kirhe@xda & YaroslavKa78
    - Spanish translations by spezzino@crowdin
    - Dutch translations by DutchWaG@crowdin
    - Japanese translation by nnnn@crowdin
    - Ukrainian translation by andriykopanytsia@crowdin
    - Slovenian translation by bunga bunga@crowdin
    - Chinese Simplified translation by tianchaoren@crowdin
    - Polish translations by tst,Piotr Kowalski@crowdin
    - Swedish translations by CreepyLinguist@crowdin
    - Greek Translations by mpqo@crowdin
    - Portuguese translations by lemor2008@xda
    - Chinese Traditional by shiuan@crowdin
    - Chinese Simplified by wuwufei,tianchaoren @ crowdin
    - Italian translations by benzo@crowdin
    - Romanian translations by mysterys3by-facebook@crowdin
    - Czech translations by Syk3s

    Cheers,
    ukanth

    XDA:DevDB Information
    AFWall+ [ IPTables Firewall ], App for the Android General

    Contributors
    ukanth
    Source Code: https://github.com/ukanth/afwall


    Version Information
    Status:
    Stable
    Current Stable Version: 3.5.3
    Stable Release Date: 2022-06-28
    Current Beta Version:
    3.5.3
    Beta Release Date: 2022-06-28

    Created 2013-12-03
    Last Updated 2020-09-05
    70
    Version 3.0.1

    * Fix: Status toggle widget 1x1
    * Fix: Ability to hide ongoing notification (Stop firewall and restart to hide after disable it in preferences)
    * Fix: Firewall error notification on oreo and above
    * Security: Tile toggle checks for password
    * User reported crashes
    * Updated translations

    Previous version 3.0.0

    Features:
    * Better support for nougat/oreo and pie.
    * Firewall toggle tile
    * Adaptive Icons
    * Notification channels
    * Tor support

    Bugs:
    * General bug fixes and crash reports.
    * Language selection bug
    * Filter selection bug
    * Compatible with magisk 17.x
    * Better handling of background process
    * Drops support for 4.x devices
    * Update languages
    * Updated libraries

    Complete Changelog

    41
    Hello All,

    After careful analysis and testing, I decided not to rewrite the way rules are being applied due to the lot of under-the-hood changes required. Instead I added a few enhancements. Now applying rules from menu will show how many rules are getting applied with progress status. Also when adding/removing a few rules, it will apply only those related rules instead of a full apply.

    Also fixed couple of bugs and enhancements. You can get the full changelog from https://github.com/ukanth/afwall/blob/beta/Changelog.md

    This is BETA Version which is not released on playstore. I have been using this for past week and it's stable. But there might be bugs which I haven't encountered. Please test it and report it in case of any issues.

    Also I have been following the XPrivacy thread on the decision by its author. Just as FYI, I might fix it for my own usage when I update to nougat, I will share it here if anybody uses it here.

    BETA Link - https://www.dropbox.com/s/isvi413qyx6vb4d/AFWall+ 2.9.7-BETA-TESTER.apk?dl=0
    40
    Hello everyone,

    I have released 3.0.0 stable on playstore today. It's been a crazy month so far. After going through a lot of dilemma of whether to support the existing afwall or write a new one from scratch, I was finally able to pull myself together and release a stable version of afwall with lots of bug fixes and new features along with pie support. Since I don't do full time Android development, it was hard to keep track of what's going on with sdk level changes.

    Thank you all for your support in AFWall+ development. Without your support it would simply not be possible to pull through this.

    I will be out for couple of days ( taking off to spend time with my family ) and hopefully will be able to reply to questions once back.

    Thanks again and have a great day.
    35
    Hello everyone,

    I have released stable version of 3.1.0 to playstore and github. Its live on playstore. You can find the changelog along with md5/sha here

    https://github.com/ukanth/afwall/releases/tag/v3.1.0

    Thank you all for your continuous support in AFWall+ development.