[5.0+][ROOT][3.5.2] AFWall+ IPTables Firewall [16 May 2021]


EEngineer

Senior Member
Oct 20, 2011
878
150
USA
Just block everything and allow only what you need and trust.
That's dangerous advice. When it comes to Android system, LineageOS, and Google stuff, how do you define "everything"? If you block everything some phones might brick on boot or just stop working.

Meanwhile the AFWall+ FAQ referenced above recommends leaving almost all system & google apps unblocked or risk restricted operation.
 

temporarium

Senior Member
May 16, 2012
842
447
That's dangerous advice. When it comes to Android system, LineageOS, and Google stuff, how do you define "everything"? If you block everything some phones might brick on boot or just stop working.

Meanwhile the AFWall+ FAQ referenced above recommends leaving almost all system & google apps unblocked or risk restricted operation.
Imagine your phone in airplane mode. Nothing connects because the network is down. All the apps still work.
Same thing happens when you block internet access selectively. The apps will still function. Nothing to worry about.
What should be allowed? Well, what really needs to access the internet? Web browser. Email app. RSS news reader.
Does the alarm clock need to access the internet? No. Does the ROM need to access the internet? No. There are things like automatic time adjustments and checking for updates, but the system will/should still work without being able to perform those.
Anyway, that's my approach. You're free to follow your own path 😉
 

brackenhill_mob

Senior Member
Aug 3, 2005
241
44
Berkhamsted
Xiaomi Poco X3 NFC
That's dangerous advice. When it comes to Android system, LineageOS, and Google stuff, how do you define "everything"? If you block everything some phones might brick on boot or just stop working.

Meanwhile the AFWall+ FAQ referenced above recommends leaving almost all system & google apps unblocked or risk restricted operation.
That's where the logs come in useful. Turn everything off and then check what is trying to access the internet. If you think it should, then turn it on. Simples ;)
 

eriol1

Senior Member
Feb 16, 2015
177
119
If any app can use the browser or download-manager as a proxy to connect to the internet, doesn't that make Afwall completely useless?

I can block everything but have browser and/or download-manager whitelisted. That means everything can call home anyway?
Just pointing out that if an app is shady enough to use such methods to call home, do you really want it installed?

Anyway if you're referring to:
Chrome custom tabs:
AFAIK using Chrome custom tabs to access the web must happen in the foreground so I don't think any calling home could happen without you noticing. I could be wrong, and there's also the speculative work feature that could possibly be abused to access the web secretly.
If you're worried, simply block chrome and use an alternative browser for your own browsing.
Webview:
I thought webview content always runs under the requesting app uid, so should still get blocked by afwall.
Can someone confirm?
Do you have an example of an app that bypasses afwall using webview?
Download manager
Technically it's a one way street, download only, no upload. But a request still goes out in order to get the download, so could be abused in order to call home.
I'm not sure if there's a good way to block this (apart from blocking download manager itself). This is probably what I'd use if I was writing a shady call home app.

If there are any other ways you thought of that could bypass afwall I'd love to hear about them.

So is afwall useless?
Since most apps don't generally seem to be using these methods to call home, I'd say afwall isn't useless.
Also, in the case of an app actually using a method like this, (and assuming you're allowing internet access to chrome, download manager and webview), you still have the option of using custom scripts in afwall to block the offending app.
 

Utini

Senior Member
Just pointing out that if an app is shady enough to use such methods to call home, do you really want it installed?

Anyway if you're referring to:
Chrome custom tabs:
AFAIK using Chrome custom tabs to access the web must happen in the foreground so I don't think any calling home could happen without you noticing. I could be wrong, and there's also the speculative work feature that could possibly be abused to access the web secretly.
If you're worried, simply block chrome and use an alternative browser for your own browsing.
Webview:
I thought webview content always runs under the requesting app uid, so should still get blocked by afwall.
Can someone confirm?
Do you have an example of an app that bypasses afwall using webview?
Download manager
Technically it's a one way street, download only, no upload. But a request still goes out in order to get the download, so could be abused in order to call home.
I'm not sure if there's a good way to block this (apart from blocking download manager itself). This is probably what I'd use if I was writing a shady call home app.

If there are any other ways you thought of that could bypass afwall I'd love to hear about them.

So is afwall useless?
Since most apps don't generally seem to be using these methods to call home, I'd say afwall isn't useless.
Also, in the case of an app actually using a method like this, (and assuming you're allowing internet access to chrome, download manager and webview), you still have the option of using custom scripts in afwall to block the offending app.

Thank you for your detailed reply.

It makes sense in the way you describe it. But "malicious" apps could try to take advantage of any installed app to use it as a proxy.

Download manager seems to be the most obvious though. You mentioned custom scripts. Do you have examples?

What would be very handy is a pop-up notification asking "download manager wants to download something now. Allow once?"
 

eriol1

Senior Member
Feb 16, 2015
177
119
Thank you for your detailed reply.

It makes sense in the way you describe it. But "malicious" apps could try to take advantage of any installed app to use it as a proxy.

Download manager seems to be the most obvious though. You mentioned custom scripts. Do you have examples?

What would be very handy is a pop-up notification asking "download manager wants to download something now. Allow once?"
There's not much you can do about malicious apps taking advantage of apps you do trust, except for not installing the malicious app to begin with.

Custom scripts:
I'd tell you to search the thread but that functionality still isn't working properly...
Use this to learn more about custom scripts:
https://github.com/ukanth/afwall/wiki/CustomScripts

A download manager pop up is an interesting idea. Up to Google to implement something like that though
 
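As an added example (not code from this thread or from the AFWall+ project) of the custom-script approach eriol1 mentions and the CustomScripts wiki page covers: a script that rejects every outbound packet from the app UIDs you name. Note the limit eriol1 already points out: blocking a UID stops that app's own sockets, but anything it hands to Download Manager runs under Download Manager's UID, so that UID would need its own rule. The script assumes AFWall+ runs custom scripts as root with `$IPTABLES` set to the iptables binary it uses (falling back to plain `iptables`); the chain name `afwall-custom-block`, the `BLOCK_UIDS` variable and the `DRY_RUN` switch are my own constructions; the UIDs come from AFWall+'s "Show application ID" option.

```shell
#!/bin/sh
# Added example, not code from the thread or the AFWall+ project: an AFWall+
# custom script that rejects all outbound traffic for the UIDs listed in
# BLOCK_UIDS. Assumptions: AFWall+ runs custom scripts as root with $IPTABLES
# set to its iptables binary (falls back to "iptables" here); the chain name
# afwall-custom-block is a constructed name, not an AFWall+ built-in chain.

IPTABLES="${IPTABLES:-iptables}"
CHAIN="afwall-custom-block"

ipt() {
  # Execute one iptables command, or just print it when DRY_RUN is set, so the
  # generated rules can be inspected without root.
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s %s\n' "$IPTABLES" "$*"
  else
    "$IPTABLES" "$@"
  fi
}

ensure_chain() {
  # Create the chain once and hook it at the top of OUTPUT so it is evaluated
  # before any later allow rule; idempotent across repeated "apply rules".
  if [ -n "${DRY_RUN:-}" ]; then
    ipt -N "$CHAIN"
    ipt -I OUTPUT 1 -j "$CHAIN"
    return 0
  fi
  "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
  "$IPTABLES" -C OUTPUT -j "$CHAIN" 2>/dev/null || "$IPTABLES" -I OUTPUT 1 -j "$CHAIN"
}

block_uid() {
  # REJECT rather than silently DROP so the app fails fast instead of hanging
  # on timeouts; a rate-limited LOG line shows the attempts in dmesg.
  uid="$1"
  case "$uid" in
    ''|*[!0-9]*) echo "block_uid: '$uid' is not a numeric UID" >&2; return 1 ;;
  esac
  ipt -A "$CHAIN" -m owner --uid-owner "$uid" -m limit --limit 5/min \
      -j LOG --log-prefix "afwall-custom-block: "
  ipt -A "$CHAIN" -m owner --uid-owner "$uid" -j REJECT
}

apply_blocks() {
  ensure_chain
  for uid in "$@"; do
    block_uid "$uid" || return 1
  done
}

remove_blocks() {
  # For AFWall+'s custom shutdown script: unhook and delete the chain again.
  ipt -D OUTPUT -j "$CHAIN"
  ipt -F "$CHAIN"
  ipt -X "$CHAIN"
}

# Usage as the custom script: BLOCK_UIDS="10123 10150" sh this_script.sh
# (the UIDs are constructed sample values). Set DRY_RUN=1 to only print rules.
if [ -n "${BLOCK_UIDS:-}" ]; then
  apply_blocks $BLOCK_UIDS
fi
```

Run it once with `DRY_RUN=1` first and compare the printed rules against `iptables -S OUTPUT` on the device; the LOG lines then tell you, after the block is live, whether the app keeps trying.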

IronTechmonkey

Recognized Contributor
Feb 12, 2013
7,796
11,137
There have been several reports at AFWall+'s github about empty logs. FWIW it is likely that some of those issues fall under one umbrella which includes two sub-issues: 1) any FC or restart of the app, and 2) failure of logging to start when the app does. In my case the FC was caused by many consecutive logging event toasts, and when I disabled toasts the FC no longer occurred. I encourage people who have reported empty logs to check out my two bug reports at AFWall+'s github for comparison... but this is all documented at github and I'm here for something more fun... in the next post.
 

IronTechmonkey

Recognized Contributor
Feb 12, 2013
7,796
11,137
Although I can avoid FC’s by disabling toasts, after reboots I often forget to enable logging so I found a geeky fun way to do it with Tasker and the Android input tap and swipe commands.

DISCLAIMER: this simulates touchscreen input and requires that the device be in a particular state when it is invoked and that the display not be touched while it is running. If that does not already make you nervous then you definitely should not be trying this. ;)

- In developer options enable show touches and show pointer position.
- Go through the process of opening disabling/enabling Afwall logging, capturing a screenshot at each screen tap – while you are tapping the appropriate spot. The screenshots will include the "show touch" indicator (pale dot) for your tap location and the coordinates of that location.
- In developer options disable show touches and show pointer position.
- Review the images and for each step, if the show touch indicator is in the proper place then note the coordinates.
- When stitched all together in Tasker, it walks through something like this (with dummy coordinates instead of the actual ones):

{Tasker Task}
Open Afwall
Wait 1 sec
Menu (input tap x1y1)
Wait 500 ms
Preferences (input tap x2y2)
Wait 500 ms
Log (input tap x3y3)
Wait 500 ms
Disable log service (input tap x4y4)
Wait 500 ms
Enable log service (input tap x4y4 – same as previous step)
Wait 500 ms
Back button
Wait 500 ms
Back button
Wait 500 ms
Back button

The wait commands give the UI time to stop moving before the next command and in most cases could be made shorter. As silly as this thing may seem, after a reboot it enables logging with the tap of one home screen shortcut.
 

Utini

Senior Member
Thanks again @eriol1 !!

And while I am at it. Do the permissions I set for core/system apps look fine to you? See attachments.
 

Attachments

  • Screenshot_20210208-045626.png
  • Screenshot_20210208-045636.png
  • Screenshot_20210208-045646.png
  • Screenshot_20210208-045659.png

eriol1

Senior Member
Feb 16, 2015
177
119
Thanks again @eriol1 !!

And while I am at it. Do the permissions I set for core/system apps look fine to you? See attachments.

I actually have most of those blocked, but a different device, OS and setup would require different apps enabled.

Just block everything and allow only what you need and trust.
This is the best advice you could get.
It's what I did when I started out. Basically block everything, then start using the phone and unblock apps as you go along and realize you absolutely can't have them blocked. It takes a while and isn't very fun, but I think it's the best way to figure out what actually needs internet and what doesn't.
 

Utini

Senior Member
I actually have most of those blocked, but a different device, OS and setup would require different apps enabled.


This is the best advice you could get.
It's what I did when I started out. Basically block everything, then start using the phone and unblock apps as you go along and realize you absolutely can't have them blocked. It takes a while and isn't very fun, but I think it's the best way to figure out what actually needs internet and what doesn't.


That is basically what I did :eek: I found that everything else that I block would break something.

Maybe care to share your "allow list" so I can compare and test around? :)
 

eriol1

Senior Member
Feb 16, 2015
177
119
I have these blocked, and practically all other system apps as well.
I can see lots of stuff getting blocked in the logs, but everything works fine.
 

Attachments

  • Screenshot_20210208-230733_AFWall+.png

iunlock

Senior Member
May 22, 2010
2,005
975
Galaxy
Hello fellow AFWall+ users, I'm having VPN connectivity issues with AFWall+ enabled with Android 11. I tried everything. I've since rolled back to Android 10 and I'm having the same issues. It's driving me crazy.

With AFWall+ enabled and with VPN connected, browsers work, but apps like the Play Store do not work.

It's nothing that I have blocked either in AFWall+, I made sure of it. In fact, I tested it by unchecking everything but one random thing not related to anything, and the problem persists.

I was using the v3.5.0 beta and thought it had something to do with it being beta, but I've also tested on v3.4.0 and it's having the same issues.

Q: In Preferences-> Binaries ->

Iptables binary: Should this be set to Auto or choose one System or Built-in?

BusyBox binary: Should this be selected on Built-In or System?

Thanks for your help.
 

temporarium

Senior Member
May 16, 2012
842
447
Hello fellow AFWall+ users, I'm having VPN connectivity issues with AFWall+ enabled with Android 11. I tried everything. I've since rolled back to Android 10 and I'm having the same issues. It's driving me crazy.

With AFWall+ enabled and with VPN connected, browsers work, but apps like the Play Store do not work.

It's nothing that I have blocked either in AFWall+, I made sure of it. In fact, I tested it by unchecking everything but one random thing not related to anything, and the problem persists.

I was using the v3.5.0 beta and thought it had something to do with it being beta, but I've also tested on v3.4.0 and it's having the same issues.

Q: In Preferences-> Binaries ->

Iptables binary: Should this be set to Auto or choose one System or Built-in?

BusyBox binary: Should this be selected on Built-In or System?

Thanks for your help.
Try the whitelist method, only allowing what you need.

Also, it may be Google is sensing that you're using very different IPs to connect and is blocking your VPN. Try Aurora Store.
 

iunlock

Senior Member
May 22, 2010
2,005
975
Galaxy
Try the whitelist method, only allowing what you need.

Also, it may be Google is sensing that you're using very different IPs to connect and is blocking your VPN. Try Aurora Store.

Thanks for your response. Regarding the binaries and any other specifics settings that's recommended to use:

Q: In Preferences-> Binaries ->

Iptables binary: Should this be set to Auto or choose one System or Built-in?

BusyBox binary: Should this be selected on Built-In or System?

Thanks for your help.
 

n0j0e

Senior Member
Hi, is the AFWall Xposed extension still functional for A11? Do we still need it for more security? I switched to the LSPosed Xposed variant and AFWall (still) doesn't support the new app scope feature like GravityBox.
Which apps need to be enabled in LSPosed for the AFWall module?
 

SilentDevGuy

Senior Member
Feb 10, 2021
71
21
That's dangerous advice. When it comes to Android system, LineageOS, and Google stuff, how do you define "everything"? If you block everything some phones might brick on boot or just stop working.

Meanwhile the AFWall+ FAQ referenced above recommends leaving almost all system & google apps unblocked or risk restricted operation.
Blocking stuff in afwall+ will never cause a brick on boot or your phone to stop working, that's ludicrous. Iptables is reset on boot.
 

Top Liked Posts

What just happened, ukanth?
Tried to upgrade from v3.5.2 to v3.5.2.1 from F-Droid.
This completely f... up AFWall, lost config and rules, app crashes all the time.
So I decided to delete cache, storage, remove device admin and uninstall the app.
Reboot the OP8P (on crDroid v7.6 A11) and freshly installed v3.5.2, set rules & config manually.
And now it's blazingly fast!!! (y) Which is good for sure! Applying ~180 rules takes less than a second now. Took ~30s before with frequent app crashes. And all the errors I've described above are gone!

Only thing I need now is init.d or something to enable pre-boot protection. As I'm using root with Magisk v23, any ideas how to get pre-boot / startup protection activated?

And still cannot update to v3.5.2.1... No Play store installed.
Afaik v3.5.2 & 3.5.1 are not available on F-Droid, the latest there is v3.5.2.1 & before it is v3.5.0.
For using Magisk you need to choose "startup directory path for script" & tick "fix startup data leak" in Preferences > Experimental
Thanks for your explanation of "Clat"!
Just a last guess: How is your handling of IPv4 and IPv6 chains?
I can't use IPv6, so I didn't enable it.

This is the setting of my Moto G Play phone and Samsung Galaxy Tab S2, both LOS 17.1:

View attachment 5340641
I have it active. Adjusting the setting to what I see on your screenshot does not help as well though. It seems either my XZ1 Compact is in some way different - or my Wireguard VPN makes a difference ;-)

Well, I still hope for some ideas from @ukanth - either here or on his github site... but thanks for trying to help!

Edit: I found one difference between our settings though: If I set the "Input chain" setting to "blocked", Wireguard (and thus, anything else) does not get any web access on 3.4.0 as well. Might be logical since AFAIK Wireguard acts as a local "router interface". So this is a clear difference between your devices and mine.

Maybe there is some change between 3.4.0 and 3.5.x that causes this chain setting to break...?
After version 3.4, NO version works cleanly with Xiaomi Mi 9T - rooted firmware.

Problem:

No VoLTE, HD Voice or Wifi Calling. I restarted the system but after a few minutes the VoLTE icon disappears and voice quality is much worse than before.
I think the 3.5 - 3.5.2 versions now block some port that is responsible for this.
My knowledge is unfortunately too small for this. Can someone tell me what I need to fix so I can use the current version again?
Just to check the (by now) obvious: do you happen to have changed the "DNS proxy" setting to "Disable DNS via netd"? If so, you suffer from the same problem that keeps me on 3.4.0...
Just to check the (by now) obvious: do you happen to have changed the "DNS proxy" setting to "Disable DNS via netd"? If so, you suffer from the same problem that keeps me on 3.4.0...
IIRC: If you disable DNS via netd you must allow [0](Root) - Apps with root permissions.
SEVERE SECURITY WARNING:
AFWALL default functionality might NOT (and probably for many will NOT) secure your Android phone.

EXPECTED BEHAVIOR:
A secure firewall must block incoming connections that are not initiated by the user.

ACTUAL BEHAVIOR:
a) Using the latest version 3.5.2, I discovered erratic behavior by the app when trying to run a custom script to set the incoming packet policy to DROP and accept only related and established incoming connections. AFWall errored out when trying to set the rules.

b) Depending on your ROM you might have INPUT chain rules that need to be vetted, which relies on custom scripting that errors out. For example, a Samsung stock ROM on a 2020 device has an "input_dos" chain rule within the INPUT chain that explicitly allows ctstate "NEW" packets through. This must not happen in a secure firewall that only wants to accept established and related state incoming packets.

WORKAROUND:
What works for the time being as a workaround is:

a) set up AFWall focusing on app permissions, which should cover the OUTPUT part of the firewall.

b) change the INPUT chain rules manually via terminal to drop incoming packets except for established/related connection state packets, and remove rules that bypass this restriction.

------
This tight INPUT chain has nearly doubled my battery life (4000 mAh Li-Po from 10hrs to 20 hrs).
AFAIK, AFWall never claimed to block any incoming connections. The main purpose is to block unwanted outgoing connections.
Android itself maybe blocks some incoming connections? But Android probably has a very different idea of what an unwanted connection is 😬

Nevertheless, thanks for the important info and nice effect on the battery (y)
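As an added example (not code from this thread or from the AFWall+ project) of the INPUT chain workaround described in the post above: a script that rebuilds INPUT as default-deny with only loopback and established/related traffic accepted, and an audit function that reads `iptables -S` output and flags any rule that would still let unsolicited inbound connections through, including an ACCEPT for ctstate NEW sitting in a ROM chain that INPUT jumps to, like the `input_dos` case mentioned. It assumes a root shell (or AFWall+'s custom script hook) with `$IPTABLES` set to the iptables binary, falling back to plain `iptables`; `ALLOW_IN` and `DRY_RUN` are constructed variables of my own, and the sample rulesets in the usage are constructed, not captured from a device.

```shell
#!/bin/sh
# Added example, not code from the thread or the AFWall+ project: apply the
# INPUT chain workaround from the post above and audit an existing ruleset.
# Assumptions: run as root; $IPTABLES is the binary AFWall+ exports, falling
# back to "iptables"; ALLOW_IN holds extra INPUT rule arguments, one per line.

IPTABLES="${IPTABLES:-iptables}"

ipt() {
  # Execute one iptables command, or print it when DRY_RUN is set.
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s %s\n' "$IPTABLES" "$*"
  else
    "$IPTABLES" "$@"
  fi
}

harden_input() {
  # Flush first so ROM-supplied rules no longer bypass the policy, add the
  # allow rules, and only then switch the policy to DROP, so connections that
  # are already open are never cut off in between.
  ipt -F INPUT
  ipt -A INPUT -i lo -j ACCEPT
  # Replies to connections the phone opened itself, which covers a VPN
  # client's own outbound handshake; unsolicited inbound is not matched here.
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
  # Anything that must accept unsolicited inbound (tethered clients, a local
  # server) is listed deliberately in ALLOW_IN instead of inherited from the ROM.
  printf '%s\n' "${ALLOW_IN:-}" | while IFS= read -r extra; do
    if [ -n "$extra" ]; then ipt -A INPUT $extra; fi
  done
  # Log a sample of what the DROP policy will now discard.
  ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "input-drop: "
  ipt -P INPUT DROP
}

audit_input() {
  # Read "iptables -S" output on stdin. Print the INPUT policy if it is ACCEPT
  # and every ACCEPT rule in INPUT, or in a chain INPUT jumps to, that is not
  # restricted to loopback or established/related state. Returns 1 if any
  # rule was flagged, 0 for a clean ruleset.
  rules=$(cat)
  reach=" INPUT "
  # Pass 1: collect user chains reachable from INPUT (a ROM's input_dos, say).
  while IFS= read -r rule; do
    case "$rule" in
      "-A "*" -j "*)
        chain="${rule#-A }"; chain="${chain%% *}"
        [ "$chain" = INPUT ] || continue
        target="${rule##* -j }"
        case "$target" in
          ACCEPT|DROP|REJECT|LOG|RETURN|*" "*) ;;
          *) reach="$reach$target " ;;
        esac ;;
    esac
  done <<EOF
$rules
EOF
  # Pass 2: flag the rules that let new inbound connections through.
  found=0
  while IFS= read -r rule; do
    case "$rule" in
      "-P INPUT ACCEPT") printf '%s\n' "$rule"; found=1; continue ;;
      "-A "*" -j ACCEPT") ;;
      *) continue ;;
    esac
    chain="${rule#-A }"; chain="${chain%% *}"
    case "$reach" in
      *" $chain "*) ;;
      *) continue ;;
    esac
    case "$rule" in
      *ESTABLISHED*|*" -i lo "*) ;;
      *) printf '%s\n' "$rule"; found=1 ;;
    esac
  done <<EOF
$rules
EOF
  return "$found"
}

# Usage: audit first, then apply once you agree with what would change.
#   "$IPTABLES" -S | audit_input || echo "INPUT still accepts new connections"
#   DRY_RUN=1 harden_input     # inspect the rules
#   harden_input               # apply them
```

The conntrack reasoning behind the ESTABLISHED,RELATED rule is what makes this livable: every reply to a connection the phone initiated is still accepted, so browsing, mail and a VPN client's outbound handshake keep working, while only things that wait for somebody else to connect first (tethering clients, a local server) need an explicit `ALLOW_IN` line. Re-run the audit after every ROM update, since that is when vendor chains tend to come back.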
Welcome to the official support page for AFWall+

Disclaimer - As usual, I'll not take any responsibility if something goes wrong when using AFWall+

Introduction
AFWall+ is an improved version of DroidWall (front-end application for the powerful iptables Linux firewall). It allows you to restrict which applications are permitted to access your data networks (2G/3G/4G/LTE and/or Wi-Fi and while in roaming). Since the original author of DroidWall discontinued the project, I decided to keep the app instead of Avast Firewall. I'll continue to add more features as I can.


Features
- Supports 5.x to 11.x
- Import/Export Rules to external storage
- Search Applications
- Multiple Profiles with custom names
- Tasker/Locale support
- Select All/None/Invert/Clear applications with single click
- Revamped Rules/Logs Viewer with copy/export to external storage
- Ability to view the network interfaces
- Highlight system applications with custom color
- Notify on new installations
- Ability to hide application icons (faster loading)
- Use LockPattern for application protection.
- Show/Hide application ID.
- Roaming Control for 3G/Edge
- VPN Control
- LAN Control
- Tether Control
- IPV6 Control
- Tor Control
- Choosable languages
- Choosable iptables/busybox binary
- Supports MIPS/x86/ARM
- DNS Hostname

Changelog - See third Post
Current Version - 3.5.2

To get Unlocker without Google services - Please follow the instructions here

AFWall+ BETA Program
1) AFWall+ opt-in for beta program
2) Install AFWall+ and if you have any issues, just send email from (Menu -> Firewall Rules -> Send error report)

Source Code/Wiki/FAQ
AFWall+ is a free & open source application
Github
Log an issue
Frequently Asked Questions
Many Thanks to @CHEF-KOCH

Translations
Translations - Please help me with translations in your language.
http://crowdin.net/project/afwall

Thanks To/Credits
- German translations by [email protected] & [email protected] & Gronkd[email protected]
- French translations by [email protected] & [email protected]
- Russian translations by [email protected] & YaroslavKa78
- Spanish translations by [email protected]
- Dutch translations by [email protected]
- Japanese translation by [email protected]
- Ukrainian translation by [email protected]
- Slovenian translation by bunga [email protected]
- Chinese Simplified translation by [email protected]
- Polish translations by tst,Piotr [email protected]
- Swedish translations by [email protected]
- Greek translations by [email protected]
- Portuguese translations by [email protected]
- Chinese Traditional by [email protected]
- Chinese Simplified by wuwufei,tianchaoren @ crowdin
- Italian translations by [email protected]
- Romanian translations by [email protected]
- Czech translations by Syk3s

Cheers,
ukanth

XDA:DevDB Information
AFWall+ [ IPTables Firewall ], App for the Android General

Contributors
ukanth
Source Code: https://github.com/ukanth/afwall


Version Information
Status:
Stable
Current Stable Version: 3.4.0
Stable Release Date: 2020-02-09
Current Beta Version: 3.5.0-BETA1
Beta Release Date: 2020-09-05

Created 2013-12-03
Last Updated 2020-09-05
Version 3.0.1

* Fix: Status toggle widget 1x1
* Fix: Ability to hide ongoing notification (stop firewall and restart to hide it after disabling it in preferences)
* Fix: Firewall error notification on Oreo and above
* Security: Tile toggle checks for password
* User reported crashes
* Updated translations

Previous version 3.0.0

Features:
* Better support for Nougat/Oreo and Pie.
* Firewall toggle tile
* Adaptive Icons
* Notification channels
* Tor support

Bugs:
* General bug fixes and crash reports.
* Language selection bug
* Filter selection bug
* Compatible with Magisk 17.x
* Better handling of background process
* Drops support for 4.x devices
* Update languages
* Updated libraries

Complete Changelog

Hello All,

After careful analysis and testing, I decided not to rewrite the way rules are being applied due to the lot of under-the-hood changes required. Instead I added a few enhancements. Now applying rules from the menu will show how many rules are getting applied with progress status. Also when adding/removing a few rules, it will apply only those related rules instead of a full apply.

Also fixed a couple of bugs and enhancements. You can get the full changelog from https://github.com/ukanth/afwall/blob/beta/Changelog.md

This is a BETA version which is not released on the Play Store. I have been using this for the past week and it's stable. But there might be bugs which I haven't encountered. Please test it and report in case of any issues.

Also I have been following the XPrivacy thread on the decision by its author. Just as FYI, I might fix it for my own usage when I update to Nougat; I will share it here if anybody uses it here.

BETA Link - https://www.dropbox.com/s/isvi413qyx6vb4d/AFWall+ 2.9.7-BETA-TESTER.apk?dl=0
Hello everyone,

I have released 3.0.0 stable on the Play Store today. It's been a crazy month so far. After going through a lot of dilemma over whether to support the existing afwall or write a new one from scratch, I was finally able to pull myself together and release a stable version of afwall with lots of bug fixes and new features along with Pie support. Since I don't do full time Android development, it was hard to keep track of what's going on with SDK level changes.

Thank you all for your support in AFWall+ development. Without your support it would simply not be possible to pull through this.

I will be out for a couple of days (taking off to spend time with my family) and hopefully will be able to reply to questions once back.

Thanks again and have a great day.
Hello everyone,

I have released the stable version of 3.1.0 to the Play Store and github. It's live on the Play Store. You can find the changelog along with md5/sha here

https://github.com/ukanth/afwall/releases/tag/v3.1.0

Thank you all for your continuous support in AFWall+ development.