
[5.0+][ROOT][3.5.2] AFWall+ IPTables Firewall [16 May 2021]


Ultramanoid

Senior Member
Apr 24, 2011
3,596
5,564
日本
I know it doesn't make any sense but I can't think of another reason.

Apart from Dolphin being caught in spyware activity more than once, note also that it is not a real browser, it uses Android's WebView as engine. Make sure WebView is blocked.

An additional suggestion would be to move on to a real, safe(r) browser. Firefox, Chromium, Bromite... Brave at least. And Flash support is not a feature at this point, it's a vulnerability.
 
 

Jasmin74

Senior Member
Sep 16, 2014
62
3
Tripoli
Apart from Dolphin being caught in spyware activity more than once, note also that it is not a real browser, it uses Android's WebView as engine. Make sure WebView is blocked.

An additional suggestion would be to move on to a real, safe(r) browser. Firefox, Chromium, Bromite... Brave at least. And Flash support is not a feature at this point, it's a vulnerability.
 

* It is blocked - since the allowed applications are only 2
* we have to use it as I told you for flash -
Now we will have to delete it since it's opening the websites smoothly.
 
Hi ukanth,
is there a way to hide the permanent notification from statusbar like in the versions before 3.0. My settings are exactly the same as in the old version 2.9.9 but the notification is still present. In 2.9.9 the notification is gone.
Please see the attached screenshots. Even if the first checkbox is disabled the permanent notification won't disappear. It would be nice to have the old behavior back. Can you please fix this in the next release.

Thanks and Regards Elveneleven
 

Attachments

  • Screenshot_20181129-084523.jpg
    Screenshot_20181129-084523.jpg
    38.2 KB · Views: 269
  • Screenshot_20181129-084822.png
    Screenshot_20181129-084822.png
    106.4 KB · Views: 273

samuells

Member
Jul 26, 2018
8
2
Hi ukanth,
is there a way to hide the permanent notification from statusbar like in the versions before 3.0. My settings are exactly the same as in the old version 2.9.9 but the notification is still present. In 2.9.9 the notification is gone.
Please see the attached screenshots. Even if the first checkbox is disabled the permanent notification won't disappear. It would be nice to have the old behavior back. Can you please fix this in the next release.

Thanks and Regards Elveneleven
check and uncheck, it will work. welcome.
 

freakerload

Senior Member
Mar 17, 2011
370
72
Hello, in Android 7 and 8 these lines in a script for wifi are working.
settings put global captive_portal_mode 0
settings put global captive_portal_detection_enabled 0
settings put global captive_portal_server localhost

But in my older phone with Android 6.0.1 this is not working.
Wifi does not turn on.

What must I do?
 
Nov 16, 2018
16
1
I recently rooted my phone and installed Afwall+ firewall. At first, I did not allow any app internet access but I still can surf internet using chrome. Whatsapp still receiving messages.

After reinstalling firewall a few times, managed to get it to work. Had to switch between System IPtables and builtin IPtables in order to get it to activate. So went back to sleep after activating firewall successfully. Most times, switching IPTables returned error messages of unable to apply IPTables rules.

But next morning, I discovered that internet access was allowed by the firewall. No filtering at all, although it indicated firewall was enabled.

Tried uninstalling and reinstalling firewall but to no avail. A few hours later, it finally worked to block internet access as configured. But a few hours later, internet access was not filtered at all.

Tried to re-apply the IPTables rules again but received error message that IPtables could not be updated. So tried many amendments to the firewall settings

- Enabled only IPv6 Chains control. Sometimes it works and most times don't work.
- Switched between System / Builtin IPTables. Works a few times and later internet filtering was disabled.

So rebooted phone and reenabled firewall. Then the IPv4 inbound cannot be enabled (option was greyed out) but IPv4's other 2 options could be changed. As such, was not able to access internet at all.

So instead disabled all IPv4 access and enabled only IPv6 chains control. But internet access was not filtered. Most of the times, there are errors applying the IPTables Rules (when it comes to item 135).


This firewall gives us a false sense of security as it will suddenly allow internet access to all apps without any indication, while indicating that firewall is running well.

---------- Post added at 01:50 PM ---------- Previous post was at 01:47 PM ----------

The firewall stealthily disabled the firewall filtering while still indicating firewall enabled.

Seems like Firewall based on IPTables flawed. Sometimes unable to change the rules in the IPTables. Could it be the OS auto switch IPTables between builtin IPTables and System IPTables when the system apps could not access internet?

When I disabled all IPv4 access and used IPv6 access, the firewall stealthily deactivated after some time and I could not apply the IPTables rules. Sometimes disabling IPv6 support works and sometimes only enabling IPv6 support works and sometimes only enabling IPv6 chains only works. Very weird behaviours and unreliable.

Decided to switch back to VPN-based firewall instead. Tried Avast firewall but firewall could not be activated as hardware not supported as indicated by error message.

No root firewall reliable in the market.
 

hypern0va

Senior Member
Sep 18, 2014
365
136
Italy
In the logs I have 39720 blocked connections performed by the Linux Kernel even if I gave it the permission to access any kind of network (I'm in blacklist mode).

Is it normal?
 

Homeboy76

Senior Member
Aug 24, 2012
2,661
1,325
I recently rooted my phone and installed Afwall+ firewall. At first, I did not allow any app internet access but I still can surf internet using chrome. Whatsapp still receiving messages.

After reinstalling firewall a few times, managed to get it to work. Had to switch between System IPtables and builtin IPtables in order to get it to activate. So went back to sleep after activating firewall successfully. Most times, switching IPTables returned error messages of unable to apply IPTables rules.

But next morning, I discovered that internet access was allowed by the firewall. No filtering at all, although it indicated firewall was enabled.

Tried uninstalling and reinstalling firewall but to no avail. A few hours later, it finally worked to block internet access as configured. But a few hours later, internet access was not filtered at all.

Tried to re-apply the IPTables rules again but received error message that IPtables could not be updated. So tried many amendments to the firewall settings

- Enabled only IPv6 Chains control. Sometimes it works and most times don't work.
- Switched between System / Builtin IPTables. Works a few times and later internet filtering was disabled.

So rebooted phone and reenabled firewall. Then the IPv4 inbound cannot be enabled (option was greyed out) but IPv4's other 2 options could be changed. As such, was not able to access internet at all.

So instead disabled all IPv4 access and enabled only IPv6 chains control. But internet access was not filtered. Most of the times, there are errors applying the IPTables Rules (when it comes to item 135).


This firewall gives us a false sense of security as it will suddenly allow internet access to all apps without any indication, while indicating that firewall is running well.

---------- Post added at 01:50 PM ---------- Previous post was at 01:47 PM ----------

The firewall stealthily disabled the firewall filtering while still indicating firewall enabled.

Seems like Firewall based on IPTables flawed. Sometimes unable to change the rules in the IPTables. Could it be the OS auto switch IPTables between builtin IPTables and System IPTables when the system apps could not access internet?

When I disabled all IPv4 access and used IPv6 access, the firewall stealthily deactivated after some time and I could not apply the IPTables rules. Sometimes disabling IPv6 support works and sometimes only enabling IPv6 support works and sometimes only enabling IPv6 chains only works. Very weird behaviours and unreliable.

Decided to switch back to VPN-based firewall instead. Tried Avast firewall but firewall could not be activated as hardware not supported as indicated by error message.

No root firewall reliable in the market.
I wonder, if providing OS and model phone you installed it on would help the OP solve this problem.
 

DoR3M3

Senior Member
Feb 17, 2018
1,255
378
Portwenn
VPN on the device, or VPN through a router, and phone going over wifi through router on vpn, any differences here?

By the way, for the startup /path does it matter which to choose? Please see the screen shot...

ukanth mentioned this commit before;

https://github.com/ukanth/afwall/pull/830/files

So I'm assuming it means that /sbin/.core/img/.core/service.d is a /path to use? I used this /path and I see afwallstart in it...
 

Attachments

  • path.jpg
    path.jpg
    29.7 KB · Views: 702

eriol1

Senior Member
Feb 16, 2015
177
119
VPN on the device, or VPN through a router, and phone going over wifi through router on vpn, any differences here?

By the way, for the startup /path does it matter which to choose? Please see the screen shot...

ukanth mentioned this commit before;

https://github.com/ukanth/afwall/pull/830/files

So I'm assuming it means that /sbin/.core/img/.core/service.d is a /path to use? I used this /path and I see afwallstart in it...

If you have magisk, use the /sbin/.core/img/.core/service.d path.
(If you don't have magisk the script won't run at startup from there)
If you have init.d support use one of the others.

If you've got neither, you'll have to figure out some other way to run the script at startup.
 

hypern0va

Senior Member
Sep 18, 2014
365
136
Italy

totalz

Senior Member
Jan 28, 2011
176
7
Testing 3.0.1, new user here.

There's a bug, if the custom script has error, even for something like No chain/target match.
* setting is Block all selected, but nothing is selected
* firewall status is "disabled"
But I cannot access the internet at all!! I have to remove the custom script, enable the firewall then disable the firewall to access the internet!
 

mocarela

Senior Member
Jul 16, 2012
57
13
I have tried a couple of times to switch from droidwall, but every time afwall has shown itself as unreliable.
The last time (on 7.1.2) the issue was that iptables didn't resolve hostnames under ipv4 - it did later under ipv6. I tried to use the trick to skip ipv4 config in the scripts and use common iptables binary under ipv6. It seemed that it did the trick, but after a while network traffic was completely blocked and I had no choice other than going back to droidwall.

Any hint to solve this?
 

Madbullben

Senior Member
Feb 23, 2013
94
13
Hello, I've got a potential problem, not sure though.

I have very few apps allowed to be let through the firewall but when I use network connections app it still finds quite a few apps that have been let through. I ping the address with a terminal emulator to check and it's being let through and there's a bunch of connections to facebook, google, amazon etc are also being seen as being let through. Is this the program I'm using that's giving false info or is this actually true?

How do you guys find out if an ip address is being let through?

Also a different problem I have is that if I block an IPV6 using a script I have to remove all the script apply everything and then copy the script back in and apply it otherwise it'll give an error. this only happens when I reboot.

Thanks Ben
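
One way to answer the question above, and to check the "enabled but not filtering" symptom reported earlier in the thread, is to read the ruleset itself rather than the app's status. This is an added example, not code from the thread or from the AFWall+ project; the chain names (`afwall`, `afwall-wifi`, `afwall-reject`), the rule layout and the sample ruleset are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the AFWall+ project).
# Assumption: the firewall's chains are named "afwall", "afwall-wifi",
# "afwall-reject", ... and allowed apps get "--uid-owner <uid> -j RETURN".

# Constructed sample of `iptables -S` output for a whitelist-mode ruleset.
SAMPLE_OK='-P INPUT ACCEPT
-P OUTPUT ACCEPT
-N afwall
-N afwall-reject
-N afwall-wifi
-A OUTPUT -j afwall
-A afwall -o wlan+ -j afwall-wifi
-A afwall-reject -j REJECT --reject-with icmp-port-unreachable
-A afwall-wifi -m owner --uid-owner 10123 -j RETURN
-A afwall-wifi -j afwall-reject'

# Same ruleset with the OUTPUT jump missing: chains exist, nothing is filtered.
SAMPLE_UNHOOKED=$(printf '%s\n' "$SAMPLE_OK" | grep -v -e '-A OUTPUT')

# audit "<iptables -S dump>" <uid> [chain]
# Prints NOT_ENFORCING, ALLOWED or BLOCKED for the given app UID.
# Simplification: interface-specific sub-chains are not told apart; the first
# per-UID rule found in any chain whose name starts with <chain> decides.
audit() {
    printf '%s\n' "$1" | awk -v uid="$2" -v chain="${3:-afwall}" '
        # Return the target of the current rule (the token after -j).
        function target(   i) {
            for (i = 1; i < NF; i++) if ($i == "-j") return $(i + 1)
            return ""
        }
        # Traffic is only filtered if OUTPUT actually jumps into the chain.
        $1 == "-A" && $2 == "OUTPUT" && target() == chain { hooked = 1 }
        $1 == "-A" && index($2, chain) == 1 {
            t = target()
            per_uid = 0
            for (i = 1; i < NF; i++)
                if ($i == "--uid-owner" && $(i + 1) == uid) per_uid = 1
            if (per_uid && verdict == "")
                verdict = (t == "RETURN" || t == "ACCEPT") ? "ALLOWED" : "BLOCKED"
            # An unconditional jump to the reject chain is the whitelist default.
            if (NF == 4 && t == (chain "-reject")) default_reject = 1
        }
        END {
            if (!hooked) print "NOT_ENFORCING"
            else if (verdict != "") print verdict
            else print (default_reject ? "BLOCKED" : "ALLOWED")
        }'
}

# Demo on the constructed samples.
echo "uid 10123, hooked ruleset:   $(audit "$SAMPLE_OK" 10123)"
echo "uid 10999, hooked ruleset:   $(audit "$SAMPLE_OK" 10999)"
echo "uid 10123, unhooked ruleset: $(audit "$SAMPLE_UNHOOKED" 10123)"
```

On a rooted device the same function can be fed live data with `audit "$(iptables -S)" <uid>`, and again with `ip6tables -S`, since the reports above describe IPv4 and IPv6 rules failing independently.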
 
check and uncheck, it will work. welcome.

Hi, check uncheck doesn't work. The notification won't go away. Even a complete data wipe, uninstall, reinstall. Doesn't work. I can't get the notification to go away. Check uncheck lets the afwall icon disappear, but not the notification. It's like I've shown in the Screenshots in my previous post. If this does work on other Android versions it is then a bug on Nougat. I'm running afwall on a Galaxy S3 GT-I9300 with Android 7.1.2 Resurrection Remix 5.8.5 Build20171217 Final Rom.

 

samuells

Member
Jul 26, 2018
8
2
Hi, check uncheck doesn't work. The notification won't go away. Even a complete data wipe, uninstall, reinstall. Doesn't work. I can't get the notification to go away. Check uncheck lets the afwall icon disappear, but not the notification. It's like I've shown in the Screenshots in my previous post. If this does work on other Android versions it is then a bug on Nougat. I'm running afwall on a Galaxy S3 GT-I9300 with Android 7.1.2 Resurrection Remix 5.8.5 Build20171217 Final Rom.
I am sorry, I thought that you would just hide the icon on statusbar. I am also using 7.1.2 but lineage. There is a setting on lineage that sets the notification to low priority and hides it entirely. IDK about resurrection remix.
 

Top Liked Posts

  • 7
    Hello. I have a question, I'm using LSPosed with AFWall right now, my question is, how to use AFWall with LSPosed, what to check inside LSPosed module app? Can someone enlighten me? Thank you.
    I did not add support for LSPosed. Also going forward, xposed module will be independent and not to be part of AFWall+ itself.
    4
    Does AFWall+ break SafetyNet?
    AFWall+ itself shouldn't. But you need root to use it, and rooting generally breaks "safetynet", as some consider a rooted device to be unsafe 🙄
    1
    Despite being blocked by AFWall+, occasionally Google Play still used to notify me of app updates and even worse I could access Play Store, again despite Play Services & Store being blocked by AFWall+.

    So in LOS PrivacyGuard I disabled Modify Systems Settings for both packages. So far, no more successful network access. I do see from time to time Store or Services trying to access the internet. AFWall+ logging notifies me of this. Oddly, whenever Google Play Services/Store attempts to access the network I also see AFWall+ reapplying rules.
    1
    I would expect that those modules have something to do with issues with tethering such as an unknown app /service being blocked therefore requiring firewall be disabled in order to tether, eg the modules might be required to help tethering function at all. I could be wrong and there are more knowledgeable people here that might be able to speak to this but I don't think a hack to circumvent service provider limits would go over well at Playstore. No moral judgement, I just think it might not be worth the risk for an app to allow that. Let's see what others and the developer have to say.
    I totally understand what you are saying.

    I would think it shouldn't be much of a risk because the NetShare app allows tether limit circumvention and it is still in the playstore with 1M+ downloads.
    2
    Afwall Xposed module, what is it exactly for? If I use LSPosed, to what apps should I apply this module?
    @ukanth statement here might be of use to you. No timeline, but...
  • 385
    Welcome to official support page for AFWall+

    Disclaimer - As Usual. I'll not take any responsibility if something goes wrong when using AFWall+

    Introduction
    AFWall+ is an improved version of DroidWall (front-end application for the powerful iptables Linux firewall). It allows you to restrict which applications are permitted to access your data networks (2G/3G/4G/LTE and/or Wi-Fi and while in roaming). Since the original author of Droidwall discontinued the project, I decided to keep the app instead of Avast Firewall. I'll continue to add more features as I can.


    Features
    - Supports 5.x to 11.x
    - Import/Export Rules to external storage
    - Search Applications
    - Multiple Profiles with custom names
    - Tasker/Locale support
    - Select All/None/Invert/Clear applications with single click
    - Revamped Rules/Logs Viewer with copy/export to external storage
    - Ability to view the network interfaces
    - Highlight system applications with custom color
    - Notify on new installations
    - Ability to hide application icons( faster loading )
    - Use LockPattern for application protection.
    - Show/Hide application ID.
    - Roaming Control for 3G/Edge
    - VPN Control
    - LAN Control
    - Tether Control
    - IPV6 Control
    - Tor Control
    - Choose able languages
    - Choose able iptables/busybox binary
    - Supports MIPS/x86/ARM
    - DNS Hostname

    Changelog - See third Post
    Current Version - 3.5.2

    To get Unlocker without Google services - Please follow the instructions here

    AFWall+ BETA Program
    1) AFWall+ opt-in for beta program
    2) Install AFWall+ and If you have any issues, just send email from (Menu -> Firewall Rules - > Send error report)

    Source Code/Wiki/FAQ
    AFWall+ is a free & open-source application
    Github
    Log an issue
    Frequently Asked Questions
    Many Thanks to @CHEF-KOCH

    Translations
    Translations - Please help me with translations in your language.
    http://crowdin.net/project/afwall

    Thanks To/Credits
    - German translations by [email protected] & [email protected] & [email protected]
    - French translations by [email protected] & [email protected]
    - Russian translations by [email protected] & YaroslavKa78
    - Spanish translations by [email protected]
    - Dutch translations by [email protected]
    - Japanese translation by [email protected]
    - Ukrainian translation by [email protected]
    - Slovenian translation by bunga [email protected]
    - Chinese Simplified translation by [email protected]
    - Polish translations by tst,Piotr [email protected]
    - Swedish translations by [email protected]
    - Greek Translations by [email protected]
    - Portuguese translations by [email protected]
    - Chinese Traditional by [email protected]
    - Chinese Simplified by wuwufei,tianchaoren @ crowdin
    - Italian translations by [email protected]
    - Romanian translations by [email protected]
    - Czech translations by Syk3s

    Cheers,
    ukanth

    XDA:DevDB Information
    AFWall+ [ IPTables Firewall ], App for the Android General

    Contributors
    ukanth
    Source Code: https://github.com/ukanth/afwall


    Version Information
    Status:
    Stable
    Current Stable Version: 3.4.0
    Stable Release Date: 2020-02-09
    Current Beta Version: 3.5.0-BETA1
    Beta Release Date: 2020-09-05

    Created 2013-12-03
    Last Updated 2020-09-05
    70
    Version 3.0.1

    * Fix: Status toggle widget 1x1
    * Fix: Ability to hide ongoing notification (Stop firewall and restart to hide after disable it in preferences)
    * Fix: Firewall error notification on oreo and above
    * Security: Tile toggle checks for password
    * User reported crashes
    * Updated translations

    Previous version 3.0.0

    Features:
    * Better support for nougat/oreo and pie.
    * Firewall toggle tile
    * Adaptive Icons
    * Notification channels
    * Tor support

    Bugs:
    * General bug fixes and crash reports.
    * Language selection bug
    * Filter selection bug
    * Compatible with magisk 17.x
    * Better handling of background process
    * Drops support for 4.x devices
    * Update languages
    * Updated libraries

    Complete Changelog

    41
    Hello All,

    After careful analysis and testing, I decided not to rewrite the way rules are being applied due to lot of under hood changes required. Instead added few enhancements. Now applying rules from menu will show how many rules are getting applied with progress status. Also when adding/removing few rules , it will apply only those related rules instead of full apply.

    Also fixed couple of bugs and enhancements. You can get the full changelog from https://github.com/ukanth/afwall/blob/beta/Changelog.md

    This is BETA Version which is not released on playstore. I have been using this for past week and it's stable. But there might be bugs which I haven't encountered. Please test it and report it in case of any issues.

    Also I have been following XPrivacy thread on the decision by its author. Just as FYI, I might fix it for my own usage when I update to nougat, I will share it here if anybody uses it here.

    BETA Link - https://www.dropbox.com/s/isvi413qyx6vb4d/AFWall+ 2.9.7-BETA-TESTER.apk?dl=0
    40
    Hello everyone,

    I have released 3.0.0 stable on playstore today. It's been a crazy month so far. After going through lot of dilemma of whether to support the existing afwall or write a new one from scratch, finally able to pull myself and release stable version of afwall with lots of bug fixes and new features along with pie support. Since I don't do full time Android development, it was hard to keep track of what's going on with sdk level changes.

    Thank you all for your support in AFWall+ development. Without your support it would simply not be possible to pull through this.

    I will be out for couple of days ( taking off to spend time with my family ) and hopefully will be able to reply to questions once back.

    Thanks again and have a great day.
    35
    Hello everyone,

    I have released stable version of 3.1.0 to playstore and github. Its live on playstore. You can find the changelog along with md5/sha here

    https://github.com/ukanth/afwall/releases/tag/v3.1.0

    Thank you all for your continuous support in AFWall+ development.