[5.0+][ROOT][3.5.1] AFWall+ IPTables Firewall [19 APR 2021]


eriol1

Senior Member
Feb 16, 2015
174
110
Is it safe to disable all connections on gps?
I use GPS in what used to be called "device only" mode, and it still works when blocked.
Maybe high accuracy mode which uses also bluetooth/wifi/cell won't work? Haven't tried.

Anyway I'm guessing results might be different on other device/os combinations, so just try blocking and see if it works for you. If not simply change it back, no harm done.
 

IronTechmonkey

Recognized Contributor
Feb 12, 2013
7,652
10,630
Is it safe to disable all connections on gps?

I use GPS in what used to be called "device only" mode, and it still works when blocked.
Maybe high accuracy mode which uses also bluetooth/wifi/cell won't work? Haven't tried.

Anyway I'm guessing results might be different on other device/os combinations, so just try blocking and see if it works for you. If not simply change it back, no harm done.

Safe? Yes absolutely, you won't damage anything by blocking GPS. Also, regarding a recent concern that was expressed about blocking everything, it is safe to block just about any app or service. Some things may not work but they won't break. If they did we sure would have trouble when disconnected from the internet.

As to functionality, to @eriol1's point, "device only" GPS does not seem to require any data connection even for the GPS service on the device. That being said, there are some 3rd party GPS utilities which will download a file possibly containing a list of satellites or other data, but those requests seemed to be made by the app, which can be blocked. Another consideration is Google's ongoing attempt to obfuscate our granular control of location services. For instance, in newer versions of Android we can no longer simply enable “device only” mode. We must now manually disable the internet-based location services. LOL, pardon that rant but this is one of my pet peeves about Google and one of the reasons I use AFWall+.
 

temporarium

Senior Member
May 16, 2012
787
408
Safe? Yes absolutely, you won't damage anything by blocking GPS. Also, regarding a recent concern that was expressed about blocking everything, it is safe to block just about any app or service. Some things may not work but they won't break. If they did we sure would have trouble when disconnected from the internet.

As to functionality, to @eriol1's point, "device only" GPS does not seem to require any data connection even for the GPS service on the device. That being said, there are some 3rd party GPS utilities which will download a file possibly containing a list of satellites or other data, but those requests seemed to be made by the app, which can be blocked. Another consideration is Google's ongoing attempt to obfuscate our granular control of location services. For instance, in newer versions of Android we can no longer simply enable “device only” mode. We must now manually disable the internet-based location services. LOL, pardon that rant but this is one of my pet peeves about Google and one of the reasons I use AFWall+.
<OT> There is also microG with alternative geolocation backends. </OT>
 

savelbys

Member
Mar 9, 2020
34
9
Hello,

does anyone know how I can remove the x/no internet connection possible at the WLAN icon in Android 11 LineageOS 18.1?
I assume this has something to do with the captive portal check.
To solve the problem in the short term, you have to disable the firewall, turn WLAN off/on and enable it again. However, after a reboot the problem still persists.

I have already tried the following which unfortunately does nothing, but worked on Android 10:

su
setenforce 0
settings put global captive_portal_mode 0
setenforce 1

and

su
su
pm disable com.android.captiveportallogin
settings put global captive_portal_detection_enabled 0
settings put global captive_portal_server localhost
settings put global captive_portal_mode 0
reboot
 

Hiroo Onoda

Member
Apr 22, 2019
49
24
Hello,

does anyone know how I can remove the x/no internet connection possible at the WLAN icon in Android 11 LineageOS 18.1?
I assume this has something to do with the captive portal check.
To solve the problem in the short term, you have to disable the firewall, turn WLAN off/on and enable it again. However, after a reboot the problem still persists.

I have already tried the following which unfortunately does nothing, but worked on Android 10:

su
setenforce 0
settings put global captive_portal_mode 0
setenforce 1

and

su
su
pm disable com.android.captiveportallogin
settings put global captive_portal_detection_enabled 0
settings put global captive_portal_server localhost
settings put global captive_portal_mode 0
reboot

It's been a while since I set AFWall up on my Android 11, so I can't tell you exactly. Also, I don't have Lineage, just stock Android 11. I have allowed connection on the following system apps and got the x to go away, so I believe they may be related:

[-11] Linux kernel
[1073] Tethering, Cell Broadcast Service, Network manager, com.android.server.NetworkPermissionConfig
 

q1nt

New member
Apr 26, 2020
3
2
For AFW+ to work, do I need to leave super user access enabled (using Magisk) always? Or can I disable su access after setting up AF+ the first time? Reason is I prefer to leave su disabled for a bit more security when I'm out running around.

Background: I'm rooted but now using Netguard. Considering switching to AFW+ so I can use another VPN.
 

starbright_

Senior Member
Apr 11, 2010
1,275
207
My knowledge becomes a bit outdated after switch to Android 11 (debloated Stock with microG).

From system side I blocked everything except Download Manager. But I found that Network manager is required to use Aurora (Playstore replacement).
Is this ok? Other things I have to take into account?
 

SilentDevGuy

Senior Member
Feb 10, 2021
65
19
My knowledge becomes a bit outdated after switch to Android 11 (debloated Stock with microG).

From system side I blocked everything except Download Manager. But I found that Network manager is required to use Aurora (Playstore replacement).
Is this ok? Other things I have to take into account?
What happens to aurora store if you have network manager blocked?
 
Aug 12, 2010
44
8
Not on Github, therefore here: 1+8 with crDroid 7.4 (A11). After every boot, firewall enables with rules error. Need to wait like 2min, then disable and re-enable firewall again to get it running w/o errors.
Yes, could set the boot delay option, but I want protection even while booting.
 

starbright_

Senior Member
Apr 11, 2010
1,275
207
@ukanth: Thanks for your work!

Per default I use the standard setting (all is disabled) and enable those apps that need ethernet. For system services it is much more difficult. Is there anything except the "Download manager" that is required?
I found that Aurora is not working without "network stack".
There is one superservice with uid 1000 that contains a lot of stuff. Does it need an ethernet connection?
Any other settings that are not obvious, but should be set?
Is there some kind of howto for beginners? Anything to be set in the binary/experimental/security section?

GPS was mentioned above. It is ok just to download the (anonymous) AGPS data, but which service does it? There are several services that seem to have GPS in their name.

--

What is really bad (at least for my Samsung): There is a service com.samsung.android.kgclient, which is listed in AFWall (very anonymously) as "device services". It can't be uninstalled and blocking it causes high load.
So it seems that the service knows there is an ethernet connection and forces a connect. Is there a way of faking "no ethernet available" to it?
 

SilentDevGuy

Senior Member
Feb 10, 2021
65
19
@ukanth: Thanks for your work!

Per default I use the standard setting (all is disabled) and enable those apps that need ethernet. For system services it is much more difficult. Is there anything except the "Download manager" that is required?
I found that Aurora is not working without "network stack".
There is one superservice with uid 1000 that contains a lot of stuff. Does it need an ethernet connection?
Any other settings that are not obvious, but should be set?
Is there some kind of howto for beginners? Anything to be set in the binary/experimental/security section?

GPS was mentioned above. It is ok just to download the (anonymous) AGPS data, but which service does it? There are several services that seem to have GPS in their name.

--

What is really bad (at least for my Samsung): There is a service com.samsung.android.kgclient, which is listed in AFWall (very anonymously) as "device services". It can't be uninstalled and blocking it causes high load.
So it seems that the service knows there is an ethernet connection and forces a connect. Is there a way of faking "no ethernet available" to it?
The FAQ is ideally where you want to go right now, that IS the HOWTO for beginners.
Also, we need to know your device to even begin helping you, many phones work perfectly fine with EVERYTHING except wanted apps blocked.
 

starbright_

Senior Member
Apr 11, 2010
1,275
207
I played with Aurora Store, and could log in after enabling Network stack. But I couldn't download anything. Enabling Download manager doesn't help. I see some blocks of 11 (kernel) and ICMP and mdns. But even after enabling 11/kernel and mdns I still see some ICMP 11 block messages?!? And it doesn't download.

I disabled/enabled Wifi but the behaviour stays the same.
 

eriol1

Senior Member
Feb 16, 2015
174
110
I played with Aurora Store, and could log in after enabling Network stack. But I couldn't download anything. Enabling Download manager doesn't help. I see some blocks of 11 (kernel) and ICMP and mdns. But even after enabling 11/kernel and mdns I still see some ICMP 11 block messages?!? And it doesn't download.

I disabled/enabled Wifi but the behaviour stays the same.
Maybe try recording traffic with tcpdump? Should allow you to see what exactly the flow looks like and what requests aren't getting through but should
 

SilentDevGuy

Senior Member
Feb 10, 2021
65
19
I played with Aurora Store, and could log in after enabling Network stack. But I couldn't download anything. Enabling Download manager doesn't help. I see some blocks of 11 (kernel) and ICMP and mdns. But even after enabling 11/kernel and mdns I still see some ICMP 11 block messages?!? And it doesn't download.

I disabled/enabled Wifi but the behaviour stays the same.
Before using tcpdump, which theoretically shouldn't give you any more information on blocked requests than the AFWall log should, you should tell us what device you are using or at least the ROM, i.e. OneUI or OxygenOS. Without knowing at least that much I can't debug whether it's your device or AFWall causing the issue. Also, ON SOME DEVICES Aurora Store will not work if Google Play services are blocked; start there and get back to me.

Edit: This is precisely why Ukanth requested the issue be raised on GitHub with logs provided; further information is necessary.
 

ukanth

Recognized Developer
Nov 30, 2010
1,513
5,227
Nexus 7 (2013)
OnePlus X
Hello all,

I have fixed the logging issue for both LOG/NFLOG chains. Instead of using toasts, I have been thinking of using a notification to show the denied requests. Adding this to the notification bar helps in enabling more features, like giving an exemption for an app or even showing allowed requests as well.

Wanted to get community inputs on this.
 

IronTechmonkey

Recognized Contributor
Feb 12, 2013
7,652
10,630
Hello all,

I have fixed the logging issue for both LOG/NFLOG chains. Instead of using toasts, I have been thinking of using a notification to show the denied requests. Adding this to the notification bar helps in enabling more features, like giving an exemption for an app or even showing allowed requests as well.

Wanted to get community inputs on this.

+1 to the added functionality available through the notification...

... as long as it does not get bogged down when apps create rapid and persistent notifications, in some cases up to many per second for several minutes.
 
  • Like
Reactions: sabei
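
The concern raised above about rapid, persistent denials can be handled by coalescing log events per UID before notifying; the same per-UID summary also shows which system UID (such as the 1073 network stack named in the captive-portal reply) is being denied. This is an added example, not AFWall+ code: the log line layout (an "AFL" marker followed by netfilter `KEY=value` fields), the function names and the 5-second window are assumptions, and the sample lines are constructed.

```python
import re

# Constructed sample of kernel log lines. Assumed layout: "AFL" marker, then
# netfilter KEY=value fields; UID= is absent when no socket owns the packet.
SAMPLE_LOG = """\
[  100.100000] {AFL}IN= OUT=wlan0 SRC=192.0.2.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40000 DPT=443 UID=10123 GID=10123
[  100.200000] {AFL}IN= OUT=wlan0 SRC=192.0.2.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40001 DPT=443 UID=10123 GID=10123
[  100.300000] {AFL}IN= OUT=wlan0 SRC=192.0.2.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40002 DPT=443 UID=10123 GID=10123
[  100.350000] wlan: unrelated driver message
[  101.000000] {AFL}IN= OUT=wlan0 SRC=192.0.2.5 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40100 DPT=80 UID=1073 GID=1073
[  102.500000] {AFL}IN= OUT=wlan0 SRC=192.0.2.5 DST=198.51.100.7 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[  103.000000] {AFL}IN= OUT=wlan0 SRC=192.0.2.5 DST=203.0.113.53 LEN=70 PROTO=UDP SPT=40200 DPT=53 UID=10123 GID=10123
[  110.000000] {AFL}IN= OUT=wlan0 SRC=192.0.2.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40003 DPT=443 UID=10123 GID=10123
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")      # KEY=value pairs, value may be empty
TS_RE = re.compile(r"^\[\s*(\d+\.\d+)\]")       # kernel timestamp in seconds


def parse_denied(line):
    """Return one denied-packet event, or None if the line is not a firewall log line."""
    ts = TS_RE.match(line)
    if ts is None or "AFL" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "DST" not in fields or "PROTO" not in fields:
        return None
    port = ":" + fields["DPT"] if "DPT" in fields else ""   # ICMP has no port
    uid = fields.get("UID", "")
    return {
        "ts": float(ts.group(1)),
        "uid": int(uid) if uid.isdigit() else None,          # None: no UID in the line
        "dest": f"{fields['DST']}{port}/{fields['PROTO']}",
    }


def parse_log(text):
    events = (parse_denied(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def coalesce(events, window=5.0):
    """Emit at most one notification per UID per window, carrying a count and
    the distinct destinations, instead of one notification per denied packet."""
    open_notes, notes = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        note = open_notes.get(ev["uid"])
        if note is None or ev["ts"] - note["first_ts"] > window:
            note = {"uid": ev["uid"], "first_ts": ev["ts"], "count": 0, "dests": set()}
            open_notes[ev["uid"]] = note
            notes.append(note)
        note["count"] += 1
        note["dests"].add(ev["dest"])
    return [dict(n, dests=sorted(n["dests"])) for n in notes]


if __name__ == "__main__":
    for n in coalesce(parse_log(SAMPLE_LOG)):
        who = "no UID" if n["uid"] is None else f"uid {n['uid']}"
        print(f"t={n['first_ts']:.1f}s {who}: {n['count']} denied -> {', '.join(n['dests'])}")
```
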

Top Liked Posts

  • 19
    I have released a bug fix version, 3.5.1, to Play Store today. It mainly addresses a few bugs from 3.5.0, along with support for cloning profiles.

    Quick changelog:

    Version: 3.5.1
    Feature: Cloning of profiles

    Bug
    * PrivateDNS changes on boot
    * Log target missing on few scenarios
    * Import/Export rules missing on A11
    * Donate version shortcuts not working.
    17
    Hello all,

    I'm planning to release the final AFWall+ beta this weekend. Thanks @IronTechmonkey for your extensive testing and help.
    Kindly raise issues on GitHub if you want any bugs from the last beta fixed.

    Just a heads-up, I'm hopeful the Play Store submission goes through fine. SDK 30 does not allow apps to query all applications by default, but gives an exemption to apps that need it. If that does not go well, I might have to pull AFWall+ from Play Store and keep it available only through F-Droid.

    Regards.
    17
    Hello All,

    I have released 3.5.0 final version to playstore today. It may take few days (hopefully) to appear on playstore. Meanwhile you can grab it on github (https://github.com/ukanth/afwall/releases/tag/v3.5.0) or wait for f-droid builds.


    Thanks again everyone for your support. Appreciate it. I will continue to invest a little more time to fix long-pending features.

    I'm not sure how many people would still be interested in the local VPN based firewall. I know there are really good VPN based firewalls out there, and the best one is from M66B. But I would like to build one for my own usage/way. Let me know if you would be interested in using it.
    7
    Tried all combinations. LOG, NFLOG, restarting log service (and it really happened), restarting whole AFWall+, new-style log view, old-style log view, clear logs, refresh logs. In parallel I'm watching "logcat|grep AFL" and I'm sending packets which are blocked (and they're logged in logcat). Nothing helped.
    Maybe it's time to reboot.

    Had similar issue.

    May/May not be a conflict with busybox from osmosis i had installed from magisk.

    what worked for me to resolve the issue
    -changed log target to NFLOG
    -in binaries option changed
    busybox to system
    iptables to builtin
    -turned log service off and then on
    -changed logging to new style
    -boot to recovery and clear cache

    After reboot to system logging started working...
    6
    After a reboot Internet didn't work also if Private DNS is on. But after some time, maybe 30s after AFWall applied the rules, it works.

    Maybe some core/system rules are wrong for Private DNS? Which ones need internet access?

    Between what is the right AFWall setting in Binaryfiles > DNS Proxy?

    Auto, DNS netd activate or disable?
    This issue is fixed and the fix will be available in the next version. The fix addresses both manual apply and boot with private DNS.

    For the second one, Always use "Auto"
  • 384
    Welcome to official support page for AFWall+

    Disclaimer - As usual, I'll not take any responsibility if something goes wrong when using AFWall+

    Introduction
    AFWall+ is an improved version of DroidWall (a front-end application for the powerful iptables Linux firewall). It allows you to restrict which applications are permitted to access your data networks (2G/3G/4G/LTE and/or Wi-Fi, and while roaming). Since the original author of DroidWall discontinued the project, I decided to keep the app instead of Avast Firewall. I'll continue to add more features as I can.


    Features
    - Supports 5.x to 11.x
    - Import/Export Rules to external storage
    - Search Applications
    - Multiple Profiles with custom names
    - Tasker/Locale support
    - Select All/None/Invert/Clear applications with single click
    - Revamped Rules/Logs Viewer with copy/export to external storage
    - Ability to view the network interfaces
    - Highlight system applications with custom color
    - Notify on new installations
    - Ability to hide application icons (faster loading)
    - Use LockPattern for application protection
    - Show/Hide application ID.
    - Roaming Control for 3G/Edge
    - VPN Control
    - LAN Control
    - Tether Control
    - IPV6 Control
    - Tor Control
    - Selectable languages
    - Selectable iptables/busybox binary
    - Supports MIPS/x86/ARM
    - DNS Hostname

    Changelog - See third Post
    Current Version - 3.5.1

    To get Unlocker without Google services - Please follow the instructions here

    AFWall+ BETA Program
    1) AFWall+ opt-in for beta program
    2) Install AFWall+ and if you have any issues, just send an email from (Menu -> Firewall Rules -> Send error report)

    Source Code/Wiki/FAQ
    AFWall+ is a free & open-source application
    Github
    Log an issue
    Frequently Asked Questions
    Many Thanks to @CHEF-KOCH

    Translations
    Translations - Please help me with translations in your language.
    http://crowdin.net/project/afwall

    Thanks To/Credits
    - German translations by [email protected] & [email protected] & [email protected]
    - French translations by [email protected] & [email protected]
    - Russian translations by [email protected] & YaroslavKa78
    - Spanish translations by [email protected]
    - Dutch translations by [email protected]
    - Japanese translation by [email protected]
    - Ukrainian translation by [email protected]
    - Slovenian translation by bunga [email protected]
    - Chinese Simplified translation by [email protected]
    - Polish translations by tst,Piotr [email protected]
    - Swedish translations by [email protected]
    - Greek Translations by [email protected]
    - Portuguese translations by [email protected]
    - Chinese Traditional by [email protected]
    - Chinese Simplified by wuwufei,tianchaoren @ crowdin
    - Italian translations by [email protected]
    - Romanian translations by [email protected]
    - Czech translations by Syk3s

    Cheers,
    ukanth

    XDA:DevDB Information
    AFWall+ [ IPTables Firewall ], App for the Android General

    Contributors
    ukanth
    Source Code: https://github.com/ukanth/afwall


    Version Information
    Status:
    Stable
    Current Stable Version: 3.4.0
    Stable Release Date: 2020-02-09
    Current Beta Version: 3.5.0-BETA1
    Beta Release Date: 2020-09-05

    Created 2013-12-03
    Last Updated 2020-09-05
    70
    Version 3.0.1

    * Fix: Status toggle widget 1x1
    * Fix: Ability to hide ongoing notification (Stop firewall and restart to hide after disable it in preferences)
    * Fix: Firewall error notification on oreo and above
    * Security: Tile toggle checks for password
    * User reported crashes
    * Updated translations

    Previous version 3.0.0

    Features:
    * Better support for nougat/oreo and pie.
    * Firewall toggle tile
    * Adaptive Icons
    * Notification channels
    * Tor support

    Bugs:
    * General bug fixes and crash reports.
    * Language selection bug
    * Filter selection bug
    * Compatible with magisk 17.x
    * Better handling of background process
    * Drops support for 4.x devices
    * Update languages
    * Updated libraries

    Complete Changelog

    41
    Hello All,

    After careful analysis and testing, I decided not to rewrite the way rules are applied, due to the many under-the-hood changes required. Instead I added a few enhancements. Now applying rules from the menu will show how many rules are being applied, with progress status. Also, when adding/removing a few rules, it will apply only those related rules instead of a full apply.

    Also fixed a couple of bugs and made enhancements. You can get the full changelog from https://github.com/ukanth/afwall/blob/beta/Changelog.md

    This is a BETA version, which is not released on Play Store. I have been using this for the past week and it's stable. But there might be bugs which I haven't encountered. Please test it and report any issues.

    Also, I have been following the XPrivacy thread on the decision by its author. Just as an FYI, I might fix it for my own usage when I update to Nougat; I will share it here if anybody here uses it.

    BETA Link - https://www.dropbox.com/s/isvi413qyx6vb4d/AFWall+ 2.9.7-BETA-TESTER.apk?dl=0
    40
    Hello everyone,

    I have released 3.0.0 stable on Play Store today. It's been a crazy month so far. After going through a lot of dilemma over whether to support the existing AFWall or write a new one from scratch, I was finally able to pull myself together and release a stable version of AFWall with lots of bug fixes and new features, along with Pie support. Since I don't do full-time Android development, it was hard to keep track of what's going on with SDK level changes.

    Thank you all for your support in AFWall+ development. Without your support it would simply not be possible to pull through this.

    I will be out for a couple of days (taking off to spend time with my family) and hopefully will be able to reply to questions once back.

    Thanks again and have a great day.
    35
    Hello everyone,

    I have released the stable version of 3.1.0 to Play Store and GitHub. It's live on Play Store. You can find the changelog along with md5/sha here

    https://github.com/ukanth/afwall/releases/tag/v3.1.0

    Thank you all for your continuous support in AFWall+ development.