
[5.0+][ROOT][3.2.0] AFWall+ IPTables Firewall [20 OCT 2019]

By ukanth, Recognized Developer on 26th October 2012, 06:41 PM
14th September 2019, 04:40 PM |#5531  
zman519
https://github.com/ukanth/afwall/issues/965 FYI, if you're running LOS 16 and AFWall+ kills your tethering, that script works.
14th September 2019, 07:38 PM |#5532  
Quote:
Originally Posted by Niccolò Paganini

Wrong. I am not missing any config steps. Even if I don't give Internet access to any app, System Update has Internet access and is able to do the updates. This is a major security breach and speaks volumes about this app... Don't be fooled by scam apps.

I think you will find that there is a very knowledgeable group of people here. Trust me on this: if the app was a scam, that would be quickly uncovered.

You have misconfigured something. Exactly what, I cannot say from here.

I will tell you though, that my problems with afwall are almost all related to figuring out exactly what I have to let through to have things working; blocking them is never a problem.

---------- Post added at 06:48 PM ---------- Previous post was at 06:43 PM ----------

I have discovered that, in order to use the private DNS feature of Android 9 (LOS 16), I have to enable "Apps running as root".

What are the implications of this?

My ordinary protocol is that apps that need root to do their jobs are explicitly blocked from any network connection, while apps that need a network connection to do their job are not allowed root. There are a few exceptions to this, but those apps are never allowed to run except when I invoke them for their job, and I immediately shut them down when their job is done.

So, by allowing "Apps running as root" access to the internet, am I subverting my protocol? Will an app that requires root have access through this setting, even when the app-specific settings deny access?

Or is this feature restricted to system-level features?

---------- Post added at 07:38 PM ---------- Previous post was at 06:48 PM ----------

Yes, I just fired up ADB and took a look at the iptables rules.

Without question, "Apps running as root" subverts my protocol, and certainly does allow connections I won't permit.

So, how can I configure private DNS without enabling this?
The Following User Says Thank You to jiml8 For This Useful Post
17th September 2019, 10:07 PM |#5533  
AFwall+ init.d or su.d (superSU)
Hello,

I installed AFwall+ on my Asus with LineageOS. In the settings of AFwall+ there is an option to "fix startup data leak", an option that can be enabled only if the ROM has support for init.d or su.d (superSU).

How can I do that? I already have Magisk installed.

Thank you.
18th September 2019, 01:13 AM |#5534  
Quote:
Originally Posted by Damien111

Hello,

I installed AFwall+ on my Asus with LineageOS. In the settings of AFwall+ there is an option to "fix startup data leak", an option that can be enabled only if the ROM has support for init.d or su.d (superSU).

How can I do that? I already have Magisk installed.

Thank you.

Just check the box and make sure you've selected an option in the line before it "Startup directory path for script". Doesn't matter which one you choose. sbin is theoretically more future proof, but at the moment they both point to the same physical spot.

The verbiage is outdated, but it does work with Magisk
The Following User Says Thank You to jcmm11 For This Useful Post
18th September 2019, 01:34 AM |#5535  
After upgrading to Android 10, my vpn app is unable to connect to its servers and create a vpn connection, if rules are applied and I'm on cellular data (the vpn connects fine on wifi). If I disable the firewall, my vpn app connects without a problem over cellular data. I have the vpn app and vpn networking (1016) enabled in Afwall. Any ideas?

[Edit: I tried enabling every app and service listed in Afwall and the vpn app still cannot connect over cellular data. Then I tried in addition enabling the "any app" (-10) option and it connected. So it seems like with Android 10 there is some new service that is not showing up in the list of services on Afwall.]

[Edit: I posted a bug report on this and got a response on what the issue is from ukanth: https://github.com/ukanth/afwall/issues/1021]
The Following User Says Thank You to cb474 For This Useful Post
19th September 2019, 05:15 AM |#5536  
Can I make afwall block internet access to apps in the Shelter work profile? I did enable the experiment mode; however, afwall only shows the app if it's also in the main profile. Is there a way to have afwall show an app from the work profile without having the same app in the main profile?
19th September 2019, 06:50 AM |#5537  
白い熊
Did you try installing Afwall in Shelter and blocking there? It might work…
20th September 2019, 04:23 PM |#5538  
Quote:
Originally Posted by 白い熊

Did you try installing Afwall in Shelter and blocking there? It might work…

If I do, I'll have to give root access to afwall, which is not available for the work profile.
20th September 2019, 04:43 PM |#5539  
Quote:
Originally Posted by 5h1v4u

Can I make afwall block internet access to apps in the Shelter work profile? I did enable the experiment mode; however, afwall only shows the app if it's also in the main profile. Is there a way to have afwall show an app from the work profile without having the same app in the main profile?

Apps that exist only on work profile don't appear in afwall as far as I remember.
You can use a custom script to block those apps. You need to figure out the app uid and add a rule to block that.

BTW, you might want to switch to "allow selected" mode (whitelist) which would block everything except for selected apps, including blocking all work profile apps even though they don't appear in afwall.
If you have any apps that exist only in the work profile and you want them to have internet access, you would have to manually allow them using custom scripts because of the same issue you originally mentioned. In that case you end up in the same place basically.
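The UID step described in the post above, as an added example that is not part of the original post or of AFWall+ itself: Android gives each user or profile its own range of 100000 UIDs, so an app's UID inside a work profile is `user_id * 100000 + app_id`. Assumptions: the work profile is user 10 (check with `pm list users`), the listing is in `pm list packages -U` form, the package names are hypothetical, and the `OUTPUT` chain and `REJECT` target are illustrative choices.

```shell
#!/bin/sh
# Added example: derive a work-profile app's UID and emit owner-match block
# rules for a custom script. Chain and target are illustrative assumptions.

PER_USER_RANGE=100000   # Android: uid = user_id * 100000 + app_id

# profile_uid USER_ID UID_OR_APPID -> UID of the app inside that profile.
# Accepts a bare app id (10123) or a UID from any profile (1010123).
profile_uid() {
    for n in "$1" "$2"; do
        case $n in
            ''|*[!0-9]*) echo "not a number: $n" >&2; return 1 ;;
        esac
    done
    app_id=$(( $2 % PER_USER_RANGE ))
    echo $(( $1 * PER_USER_RANGE + app_id ))
}

# uid_from_listing PACKAGE -> uid of PACKAGE, read from stdin lines of the
# form "package:<name> uid:<n>". Exact match on the package name.
uid_from_listing() {
    awk -v pkg="package:$1" \
        '$1 == pkg { sub(/^uid:/, "", $2); print $2; exit }'
}

# block_rules USER_ID UID_OR_APPID -> one rule line each for IPv4 and IPv6,
# so the app cannot fall back to the unfiltered address family.
block_rules() {
    uid=$(profile_uid "$1" "$2") || return 1
    for bin in iptables ip6tables; do
        echo "$bin -I OUTPUT -m owner --uid-owner $uid -j REJECT"
    done
}

# Constructed sample listing (not captured from a device).
SAMPLE='package:com.example.mainapp uid:10087
package:com.example.workapp uid:10123'

WORK_USER=10   # assumption: id of the work profile
APP_UID=$(printf '%s\n' "$SAMPLE" | uid_from_listing com.example.workapp)
block_rules "$WORK_USER" "$APP_UID"
```

The printed lines are what would go into the custom script; after applying, `iptables -S OUTPUT` should show the `--uid-owner` entry for the profile UID.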
23rd September 2019, 03:39 PM |#5540  
Hi,

Can someone please recommend an app that will log all connections (IP and port) used by a specific app?

Using a custom script, I have blacklisted all Google IPs but I want to whitelist the IPs needed for Waze. I have a second phone without AFWall that I can use to test and get the address info.

Thanks much!
Mark
23rd September 2019, 03:51 PM |#5541  
Oswald Boelcke
Quote:
Originally Posted by markd89

Hi,

Can someone please recommend an app that will log all connections (IP and port) used by a specific app?

Using a custom script, I have blacklisted all Google IPs but I want to whitelist the IPs needed for Waze. I have a second phone without AFWall that I can use to test and get the address info.

Thanks much!
Mark

Maybe Lumen Privacy Monitor serves your needs?
The Following User Says Thank You to Oswald Boelcke For This Useful Post