
[5.0+][ROOT][3.5.2] AFWall+ IPTables Firewall [16 May 2021]


EEngineer

Senior Member
Oct 20, 2011
884
155
USA
T-Mobile LG G5
Just block everything and allow only what you need and trust.
That's dangerous advice. When it comes to Android system, LineageOS, and Google stuff, how do you define "everything"? If you block everything some phones might brick on boot or just stop working.

Meanwhile the AFWall+ FAQ referenced above recommends leaving almost all system & google apps unblocked or risk restricted operation.
 

temporarium

Senior Member
That's dangerous advice. When it comes to Android system, LineageOS, and Google stuff, how do you define "everything"? If you block everything some phones might brick on boot or just stop working.

Meanwhile the AFWall+ FAQ referenced above recommends leaving almost all system & google apps unblocked or risk restricted operation.
Imagine you or your phone in airplane mode. Nothing connects because the network is down. All the apps still work.
Same thing happens when you block internet access selectively. The apps will still function. Nothing to worry about.
What should be allowed? Well, what really needs to access the internet? Web browser. Email app. RSS news reader.
Does the alarm clock need to access the internet? No. Does the ROM need to access the internet? No. There are things like automatic time adjustments and checking for updates, but the system will/should still work without being able to perform those.
Anyway, that's my approach. You're free to follow your own path 😉
 

brackenhill_mob

Senior Member
Aug 3, 2005
245
45
Berkhamsted
Xiaomi Poco X3 NFC
That's dangerous advice. When it comes to Android system, LineageOS, and Google stuff, how do you define "everything"? If you block everything some phones might brick on boot or just stop working.

Meanwhile the AFWall+ FAQ referenced above recommends leaving almost all system & google apps unblocked or risk restricted operation.
That's where the logs come in useful. Turn everything off and then check what is trying to access the internet. If you think it should, then turn it on. Simples ;)
 
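One way to turn that log review into a per-app summary, as an added example that is not from the thread and not AFWall+'s own code: a POSIX shell function that reads iptables LOG lines in the shape the kernel writes them (the "{AFL}" log prefix is assumed to be what AFWall+'s logging rules use; the sample lines below are constructed, not captured from a device) and counts blocked connection attempts per UID and destination. On a rooted device you would pipe `dmesg` into it, and map UIDs to package names with `pm list packages -U` where that option is available.

```shell
#!/bin/sh
# Added example (not AFWall+ code): summarise blocked connection attempts per UID.
# Constructed sample of kernel log lines in the shape the iptables LOG target writes,
# with the "{AFL}" prefix assumed for AFWall+'s logging rules. Not captured from a device.
SAMPLE_LOG='[  812.101] {AFL} IN= OUT=wlan0 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=43210 DPT=443 UID=10123 GID=10123
[  812.402] {AFL} IN= OUT=wlan0 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=43211 DPT=443 UID=10123 GID=10123
[  813.007] {AFL} IN= OUT=wlan0 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=43212 DPT=443 UID=10123 GID=10123
[  813.550] {AFL} IN= OUT=wlan0 SRC=192.168.1.20 DST=198.51.100.7 LEN=48 PROTO=UDP SPT=51000 DPT=53 UID=10045 GID=10045
[  814.120] {AFL} IN= OUT=wlan0 SRC=192.168.1.20 DST=192.0.2.9 LEN=60 PROTO=TCP SPT=40001 DPT=80 UID=1000 GID=1000
[  814.300] wlan0: link becomes ready'

# Read log lines on stdin, print "COUNT UID DST:DPT/PROTO", most frequent first.
# Lines without the {AFL} prefix (ordinary kernel messages) are ignored.
summarize_blocked() {
  grep -F '{AFL}' | awk '
    {
      uid = ""; dst = ""; dpt = ""; proto = ""
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue
        if (kv[1] == "UID") uid = kv[2]
        else if (kv[1] == "DST") dst = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
      }
      if (uid != "") count[uid " " dst ":" dpt "/" proto]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Map a UID to its package name on-device. pm exists only on Android, so this
# degrades to a plain "uid N" line elsewhere.
uid_to_package() {
  command -v pm >/dev/null 2>&1 || { echo "uid $1 (pm not available)"; return 0; }
  pm list packages -U 2>/dev/null | awk -v want="uid:$1" '$2 == want { sub(/^package:/, "", $1); print $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_blocked
```

The point of grouping by UID rather than by package name first is that the kernel only knows the UID; the three lines for UID 10123 all going to one host on port 443 are exactly the pattern you would then look up and decide to allow or keep blocked.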

eriol1

Senior Member
Feb 16, 2015
177
119
If any app can use the browser or download-manager as a proxy to connect to the internet, doesn't that make Afwall completely useless?

I can block everything but have browser and/or download-manager whitelisted. That means everything can call home anyway?
Just pointing out that if an app is shady enough to use such methods to call home, do you really want it installed?

Anyway if you're referring to:
Chrome custom tabs:
AFAIK using Chrome custom tabs to access the web must happen in the foreground so I don't think any calling home could happen without you noticing. I could be wrong, and there's also the speculative work feature that could possibly be abused to access the web secretly.
If you're worried, simply block chrome and use an alternative browser for your own browsing.
Webview :
I thought webview content always runs under the requesting app uid, so should still get blocked by afwall.
Can someone confirm?
Do you have an example of an app that bypasses afwall using webview?
Download manager
Technically it's a one way street, download only, no upload. But a request still goes out in order to get the download, so could be abused in order to call home.
I'm not sure if there's a good way to block this (apart from blocking download manager itself). This is probably what I'd use if I was writing a shady call home app.

If there are any other ways you thought of that could bypass afwall I'd love to hear about them.

So is afwall useless?
since most apps don't generally seem to be using these methods to call home, I'd say afwall isn't useless.
Also, in the case of an app actually using a method like this, (and assuming you're allowing internet access to chrome, download manager and webview), you still have the option of using custom scripts in afwall to block the offending app.
 

Utini

Senior Member
Dec 25, 2010
1,000
146
www.whymacsucks.com
Just pointing out that if an app is shady enough to use such methods to call home, do you really want it installed?

Anyway if you're referring to:
Chrome custom tabs:
AFAIK using Chrome custom tabs to access the web must happen in the foreground so I don't think any calling home could happen without you noticing. I could be wrong, and there's also the speculative work feature that could possibly be abused to access the web secretly.
If you're worried, simply block chrome and use an alternative browser for your own browsing.
Webview :
I thought webview content always runs under the requesting app uid, so should still get blocked by afwall.
Can someone confirm?
Do you have an example of an app that bypasses afwall using webview?
Download manager
Technically it's a one way street, download only, no upload. But a request still goes out in order to get the download, so could be abused in order to call home.
I'm not sure if there's a good way to block this (apart from blocking download manager itself). This is probably what I'd use if I was writing a shady call home app.

If there are any other ways you thought of that could bypass afwall I'd love to hear about them.

So is afwall useless?
since most apps don't generally seem to be using these methods to call home, I'd say afwall isn't useless.
Also, in the case of an app actually using a method like this, (and assuming you're allowing internet access to chrome, download manager and webview), you still have the option of using custom scripts in afwall to block the offending app.

Thanks for your detailed reply.

It makes sense in the way you describe it. But "malicious" apps could try to take advantage of any installed app to use it as a proxy.

Download manager seems to be the most obvious though. You mentioned custom scripts. Do you have examples?

What would be very handy is a pop-up notification asking "download manager wants to download something now. Allow once?"
 

eriol1

Senior Member
Feb 16, 2015
177
119
Thanks for your detailed reply.

It makes sense in the way you describe it. But "malicious" apps could try to take advantage of any installed app to use it as a proxy.

Download manager seems to be the most obvious though. You mentioned custom scripts. Do you have examples?

What would be very handy is a pop-up notification asking "download manager wants to download something now. Allow once?"
There's not much you can do about malicious apps taking advantage of apps you do trust, except for not installing the malicious app to begin with.

Custom scripts :
I'd tell you to search the thread but that functionality still isn't working properly...
Use this to learn more about custom scripts :
https://github.com/ukanth/afwall/wiki/CustomScripts

A download manager pop up is an interesting idea. Up to Google to implement something like that though
 
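As an added example of the custom-script approach mentioned in the two posts above (blocking an offending app, and the CustomScripts wiki link), and not a script from the AFWall+ wiki or code base: a script that confines one app UID to a short allowlist of destinations and rejects everything else it sends, so something like the download manager can stay enabled without becoming a general-purpose exit for other apps. It assumes AFWall+ runs custom scripts in a root shell with `iptables` on PATH, and that a rule inserted at position 1 of OUTPUT is evaluated before AFWall+'s own chains; the UID 10123 and the CIDRs are constructed placeholders. When no `iptables` binary is found (for instance on a PC), the script prints the rules it would apply instead.

```shell
#!/system/bin/sh
# Added example custom script for AFWall+ (not project code). Confine one UID to an
# allowlist of destinations; everything else that UID sends is rejected.
# Assumptions: root shell, iptables on PATH, OUTPUT position 1 precedes AFWall+'s chains.
IPTABLES="${IPTABLES:-iptables}"
CHAIN="afwall-restrict"       # our own chain name, chosen here, not an AFWall+ chain
command -v "$IPTABLES" >/dev/null 2>&1 || DRY_RUN=1

# Run iptables, or print the command when dry-running (no binary, or DRY_RUN set).
ipt() {
  if [ -n "$DRY_RUN" ]; then printf 'iptables %s\n' "$*"; else "$IPTABLES" "$@"; fi
}

# restrict_uid UID CIDR... : rebuild the chain idempotently, then hook it into OUTPUT.
restrict_uid() {
  uid="$1"; shift
  ipt -N "$CHAIN" 2>/dev/null            # already exists on re-apply: ignore
  ipt -F "$CHAIN"
  for dst in "$@"; do
    ipt -A "$CHAIN" -d "$dst" -j RETURN  # allowed destination: fall through to AFWall+
  done
  ipt -A "$CHAIN" -j REJECT --reject-with icmp-port-unreachable
  # Remove a stale hook from a previous apply, then insert at the top of OUTPUT.
  ipt -D OUTPUT -m owner --uid-owner "$uid" -j "$CHAIN" 2>/dev/null
  ipt -I OUTPUT 1 -m owner --uid-owner "$uid" -j "$CHAIN"
}

# Placeholder UID and destinations; look up the real UID with `pm list packages -U`.
restrict_uid 10123 203.0.113.0/24 198.51.100.7
```

REJECT rather than DROP is deliberate: the confined app gets an immediate error instead of hanging on a timeout, which is also what shows up in the logs. If IPv6 is enabled on the device, the same rules need repeating with `ip6tables`.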

IronTechmonkey

Recognized Contributor
Feb 12, 2013
7,893
11,436
There have been several reports at AFWall+'s GitHub about empty logs. FWIW it is likely that some of those issues fall under one umbrella which includes two sub-issues: 1) any FC or restart of the app, and 2) failure of logging to start when the app does. In my case the FC was caused by many consecutive logging event toasts, and when I disabled toasts the FC no longer occurred. I encourage people who have reported empty logs to check out my two bug reports at AFWall+'s GitHub for comparison... but this is all documented at GitHub and I'm here for something more fun... in the next post.
 

IronTechmonkey

Recognized Contributor
Feb 12, 2013
7,893
11,436
Although I can avoid FC’s by disabling toasts, after reboots I often forget to enable logging so I found a geeky fun way to do it with Tasker and the Android input tap and swipe commands.

DISCLAIMER: this simulates touchscreen input and requires that the device be in a particular state when it is invoked and that the display not be touched while it is running. If that does not already make you nervous then you definitely should not be trying this. ;)

- In developer options enable show touches and show pointer position.
- Go through the process of opening AFWall and disabling/enabling logging, capturing a screenshot at each screen tap, while you are tapping the appropriate spot. The screenshots will include the "show touch" indicator (pale dot) for your tap location and the coordinates of that location.
- In developer options disable show touches and show pointer position.
- Review the images and for each step, if the show touch indicator is in the proper place then note the coordinates.
- When stitched all together in Tasker, it walks through something like this (with dummy coordinates instead of the actual ones):

{Tasker Task}
Open Afwall
Wait 1 sec
Menu (input tap x1y1)
Wait 500 ms
Preferences (input tap x2y2)
Wait 500 ms
Log (input tap x3y3)
Wait 500 ms
Disable log service (input tap x4y4)
Wait 500 ms
Enable log service (input tap x4y4 – same as previous step)
Wait 500 ms
Back button
Wait 500 ms
Back button
Wait 500 ms
Back button

The wait commands give the UI time to stop moving before the next command and in most cases could be made shorter. As silly as this thing may seem, after a reboot it enables logging with the tap of one home screen shortcut.
 

Utini

Senior Member
Dec 25, 2010
1,000
146
www.whymacsucks.com
Thanks again @eriol1 !!

And while I am at it. Do the permissions I set for core/system apps look fine to you? See attachments.
 

Attachments: Screenshot_20210208-045626.png, Screenshot_20210208-045636.png, Screenshot_20210208-045646.png, Screenshot_20210208-045659.png (four screenshots)

eriol1

Senior Member
Feb 16, 2015
177
119
Thanks again @eriol1 !!

And while I am at it. Do the permissions I set for core/system apps look fine to you? See attachments.

I actually have most of those blocked, but different device, os and setup would require different apps enabled.

Just block everything and allow only what you need and trust.
This is the best advice you could get.
It's what I did when I started out. Basically block everything, then start using the phone and unblock apps as you go along and realize you absolutely can't have them blocked. It takes a while and isn't very fun, but I think it's the best way to figure out what actually needs internet and what doesn't.
 

Utini

Senior Member
Dec 25, 2010
1,000
146
www.whymacsucks.com
I actually have most of those blocked, but different device, os and setup would require different apps enabled.


This is the best advice you could get.
It's what I did when I started out. Basically block everything, then start using the phone and unblock apps as you go along and realize you absolutely can't have them blocked. It takes a while and isn't very fun, but I think it's the best way to figure out what actually needs internet and what doesn't.


That is basically what I did :eek: I found that everything else that I block would break something.

Maybe care to share your "allow list" so I can compare and test around? :)
 

eriol1

Senior Member
Feb 16, 2015
177
119
I have these blocked, and practically all other system apps as well.
I can see lots of stuff getting blocked in the logs, but everything works fine
 

Attachments: Screenshot_20210208-230733_AFWall+.png (one screenshot)

iunlock

Senior Member
May 22, 2010
2,005
975
Galaxy
Hello fellow AFWall+ users, I'm having VPN connectivity issues with AFWall+ enabled with Android 11. I tried everything. I've since rolled back to Android 10 and I'm having the same issues. It's driving me crazy.

With AFWall+ enabled and with the VPN connected, browsers work, but apps like the Play Store do not work.

It's nothing that I have blocked in AFWall+ either, I made sure of it. In fact, I tested it by unchecking everything but one random unrelated thing and the problem persists.

I was using the v3.5.0 beta and thought it had something to do with it being beta, but I've also tested on v3.4.0 and it's having the same issues.

Q: In Preferences-> Binaries ->

Iptables binary: Should this be set to Auto or choose one System or Built-in?

BusyBox binary: Should this be selected on Built-In or System?

Thanks for your help.
 

temporarium

Senior Member
Hello fellow AFWall+ users, I'm having VPN connectivity issues with AFWall+ enabled with Android 11. I tried everything. I've since rolled back to Android 10 and I'm having the same issues. It's driving me crazy.

With AFWall+ enabled and with the VPN connected, browsers work, but apps like the Play Store do not work.

It's nothing that I have blocked in AFWall+ either, I made sure of it. In fact, I tested it by unchecking everything but one random unrelated thing and the problem persists.

I was using the v3.5.0 beta and thought it had something to do with it being beta, but I've also tested on v3.4.0 and it's having the same issues.

Q: In Preferences-> Binaries ->

Iptables binary: Should this be set to Auto or choose one System or Built-in?

BusyBox binary: Should this be selected on Built-In or System?

Thanks for your help.
Try the whitelist method, only allowing what you need.

Also, it may be Google is sensing that you're using very different IPs to connect and is blocking your VPN. Try Aurora Store.
 

iunlock

Senior Member
May 22, 2010
2,005
975
Galaxy
Try the whitelist method, only allowing what you need.

Also, it may be Google is sensing that you're using very different IPs to connect and is blocking your VPN. Try Aurora Store.

Thanks for your response. Regarding the binaries and any other specific settings that are recommended to use:

Q: In Preferences-> Binaries ->

Iptables binary: Should this be set to Auto or choose one System or Built-in?

BusyBox binary: Should this be selected on Built-In or System?

Thanks for your help.
 

n0j0e

Senior Member
Hi, is the AFWall Xposed extension still functional for A11? Do we still need it for more security? I've switched to the LSPosed Xposed variant and AFWall (still) doesn't support the new app scope feature like GravityBox does.
Which apps need to be enabled in LSPosed for the AFWall module?
 

SilentDevGuy

Senior Member
Feb 10, 2021
81
21
That's dangerous advice. When it comes to Android system, LineageOS, and Google stuff, how do you define "everything"? If you block everything some phones might brick on boot or just stop working.

Meanwhile the AFWall+ FAQ referenced above recommends leaving almost all system & google apps unblocked or risk restricted operation.
Blocking stuff in AFWall+ will never cause a brick on boot or your phone to stop working, that's ludicrous. Iptables is reset on boot.
 

Top Liked Posts

  • 1
    I have a very frustrating problem. I have everything Google blocked in AFWall+ 3.5.2 Donate version, including Play Store, Framework, etc. I unblock them rarely, like when I need to update maps. Regardless, every so often during the month and against my wishes Google will reach out and inform me of updates. And even though I have autoupdates disabled, it will occasionally autoupdate a Google app.

    I tried freezing Google Play Store but some of my apps won't work when I do that.

    I have LOS 14.1 installed. Just how is Google accessing the internet and how do I stop it?
    EDITED: Changed "during the day" to "during the month".
    That seems to be Google's fault.

    As a workaround you can try disabling the autoupdated app (google app). I had experienced it on my 2 devices, that's the only solution that I know so far.
  • 5
    So, should we use post-fs-data mode, or is this too risky in that it could lock up the device if something is wrong?
    At the moment I'm using the post-fs-data.d option. It may take a bit longer to start.
    While I do get errors occasionally, mainly with applying rules, it still blocks connections to apps. I don't think it's due to the startup configuration (check GitHub as other people have issues too).
    My startup is also slow due to the other crap on my phone as well, and mainly needs time to settle down so to speak.
    Also, looking back on this post, not everyone has the same options. @Uluru25 has the service.d option only, while I don't have his device but @EEngineer has completely different options.
    As to what option to use, it will be up to you, but the Magisk guide does recommend using the service.d option in most cases.

    5
    Wow - so apps can get internet access for around a minute right after bootup (before afwall can apply the rules).
    Yes they could, and that's all some apps need to send info home, but the simplest way around that is to turn off mobile internet as well as Wi-Fi before reboot and wait about a minute after boot for the firewall to have started before reconnecting internet access :)
    3
    I have two entries for that option - which one should I select?
    I've got the same entries as well. It got me wondering what the two are.
    Came across this for the two options and what they mean.

    • post-fs-data mode
      • This stage is BLOCKING. The boot process is paused before execution is done, or 10 seconds have passed.
      • Scripts run before any modules are mounted. This allows a module developer to dynamically adjust their modules before it gets mounted.
      • This stage happens before Zygote is started, which pretty much means everything in Android
      • Run scripts in this mode only if necessary!
    • late_start service mode ( service.d )
      • This stage is NON-BLOCKING. Your script runs in parallel along with the booting process.
      • This is the recommended stage to run most scripts!
    This is taken from the Magisk guide

    2
    Wow - so apps can get internet access for around a minute right after bootup (before afwall can apply the rules).
    That could be the case, I don't know because I haven't used AFWall for years so I don't know how and when it applies the rules.
    My answer is from a general Linux knowledge point of view. ;)
    2
    Yes they could, and that's all some apps need to send info home, but the simplest way around that is to turn off mobile internet as well as Wi-Fi before reboot and wait about a minute after boot for the firewall to have started before reconnecting internet access :)
    I have AFWall+ and before I reboot or shut down my phone (which is at least once a week) I put my phone in airplane mode first.

    I also have "Fix startup data leak" greyed out, and I have both init.d and SU installed. What's the deal?
  • 384
    Welcome to official support page for AFWall+

    Disclaimer - As usual, I'll not take any responsibility if something goes wrong when using AFWall+.

    Introduction
    AFWall+ is an improved version of DroidWall (a front-end application for the powerful iptables Linux firewall). It allows you to restrict which applications are permitted to access your data networks (2G/3G/4G/LTE and/or Wi-Fi and while roaming). Since the original author of DroidWall discontinued the project, I decided to keep the app instead of Avast Firewall. I'll continue to add more features as I can.


    Features
    - Supports 5.x to 11.x
    - Import/Export Rules to external storage
    - Search Applications
    - Multiple Profiles with custom names
    - Tasker/Locale support
    - Select All/None/Invert/Clear applications with single click
    - Revamped Rules/Logs Viewer with copy/export to external storage
    - Ability to view the network interfaces
    - Highlight system applications with custom color
    - Notify on new installations
    - Ability to hide application icons (faster loading)
    - Use LockPattern for application protection.
    - Show/Hide application ID.
    - Roaming Control for 3G/Edge
    - VPN Control
    - LAN Control
    - Tether Control
    - IPV6 Control
    - Tor Control
    - Choosable languages
    - Choosable iptables/busybox binary
    - Supports MIPS/x86/ARM
    - DNS Hostname

    Changelog - See third Post
    Current Version - 3.5.2

    To get Unlocker without Google services - Please follow the instructions here

    AFWall+ BETA Program
    1) AFWall+ opt-in for beta program
    2) Install AFWall+ and if you have any issues, just send an email from (Menu -> Firewall Rules -> Send error report)

    Source Code/Wiki/FAQ
    AFWall+ is a free & open-source application
    Github
    Log an issue
    Frequently Asked Questions
    Many Thanks to @CHEF-KOCH

    Translations
    Translations - Please help me with translations in your language.
    http://crowdin.net/project/afwall

    Thanks To/Credits
    - German translations by [email protected] & [email protected] & [email protected]
    - French translations by [email protected] & [email protected]
    - Russian translations by [email protected] & YaroslavKa78
    - Spanish translations by [email protected]
    - Dutch translations by [email protected]
    - Japanese translation by [email protected]
    - Ukrainian translation by [email protected]
    - Slovenian translation by bunga [email protected]
    - Chinese Simplified translation by [email protected]
    - Polish translations by tst,Piotr [email protected]
    - Swedish translations by [email protected]
    - Greek Translations by [email protected]
    - Portuguese translations by [email protected]
    - Chinese Traditional by [email protected]
    - Chinese Simplified by wuwufei,tianchaoren @ crowdin
    - Italian translations by [email protected]
    - Romanian translations by [email protected]
    - Czech translations by Syk3s

    Cheers,
    ukanth

    XDA:DevDB Information
    AFWall+ [ IPTables Firewall ], App for the Android General

    Contributors
    ukanth
    Source Code: https://github.com/ukanth/afwall


    Version Information
    Status:
    Stable
    Current Stable Version: 3.4.0
    Stable Release Date: 2020-02-09
    Current Beta Version: 3.5.0-BETA1
    Beta Release Date: 2020-09-05

    Created 2013-12-03
    Last Updated 2020-09-05
    70
    Version 3.0.1

    * Fix: Status toggle widget 1x1
    * Fix: Ability to hide ongoing notification (Stop firewall and restart to hide after disable it in preferences)
    * Fix: Firewall error notification on oreo and above
    * Security: Tile toggle checks for password
    * User reported crashes
    * Updated translations

    Previous version 3.0.0

    Features:
    * Better support for nougat/oreo and pie.
    * Firewall toggle tile
    * Adaptive Icons
    * Notification channels
    * Tor support

    Bugs:
    * General bug fixes and crash reports.
    * Language selection bug
    * Filter selection bug
    * Compatible with magisk 17.x
    * Better handling of background process
    * Drops support for 4.x devices
    * Update languages
    * Updated libraries

    Complete Changelog

    41
    Hello All,

    After careful analysis and testing, I decided not to rewrite the way rules are being applied due to the lot of under-the-hood changes required. Instead I added a few enhancements. Now applying rules from the menu will show how many rules are getting applied with progress status. Also when adding/removing a few rules, it will apply only those related rules instead of a full apply.

    Also fixed a couple of bugs and enhancements. You can get the full changelog from https://github.com/ukanth/afwall/blob/beta/Changelog.md

    This is a BETA version which is not released on the Play Store. I have been using this for the past week and it's stable. But there might be bugs which I haven't encountered. Please test it and report it in case of any issues.

    Also I have been following the XPrivacy thread on the decision by its author. Just as FYI, I might fix it for my own usage when I update to Nougat; I will share it here if anybody uses it here.

    BETA Link - https://www.dropbox.com/s/isvi413qyx6vb4d/AFWall+ 2.9.7-BETA-TESTER.apk?dl=0
    40
    Hello everyone,

    I have released 3.0.0 stable on the Play Store today. It's been a crazy month so far. After going through a lot of dilemma over whether to support the existing AFWall or write a new one from scratch, I was finally able to pull myself together and release a stable version of AFWall with lots of bug fixes and new features along with Pie support. Since I don't do full-time Android development, it was hard to keep track of what's going on with SDK level changes.

    Thank you all for your support in AFWall+ development. Without your support it would simply not be possible to pull through this.

    I will be out for a couple of days (taking off to spend time with my family) and hopefully will be able to reply to questions once back.

    Thanks again and have a great day.
    35
    Hello everyone,

    I have released the stable version of 3.1.0 to the Play Store and GitHub. It's live on the Play Store. You can find the changelog along with md5/sha here

    https://github.com/ukanth/afwall/releases/tag/v3.1.0

    Thank you all for your continuous support in AFWall+ development.
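On the boot-window question raised in the top liked posts above (apps getting network access for up to a minute after boot before AFWall+ has applied its rules, and the post-fs-data versus service.d choice): an added example, not AFWall+'s own "Fix startup data leak" implementation and not from the Magisk guide, of a Magisk `service.d` boot script that rejects outbound traffic from every non-root UID until AFWall+'s chain shows up, then removes that gate, with a timeout so a failed AFWall+ start cannot leave the phone offline. Its assumptions: AFWall+ creates an iptables chain named `afwall` once it has applied rules (assumed name), `/data/adb` exists only on a Magisk device, and `iptables` is on PATH. Without a binary the script prints the commands it would run instead of executing them.

```shell
#!/system/bin/sh
# Added example (not AFWall+ or Magisk code): a service.d boot gate that rejects outbound
# traffic from all non-root UIDs until AFWall+'s chain exists, then removes itself.
# Assumptions: AFWall+ creates a chain named "afwall"; /data/adb exists only on a Magisk
# device; iptables is on PATH. Without a binary the script prints what it would do.
IPTABLES="${IPTABLES:-iptables}"
AFWALL_CHAIN="${AFWALL_CHAIN:-afwall}"
TIMEOUT_SECS="${TIMEOUT_SECS:-120}"
DRY_POLLS=0
command -v "$IPTABLES" >/dev/null 2>&1 || DRY_RUN=1

# Run iptables, or print the command when dry-running.
ipt() {
  if [ -n "$DRY_RUN" ]; then printf 'iptables %s\n' "$*"; else "$IPTABLES" "$@"; fi
}

# The gate: loopback stays open, root (uid 0) keeps working, everything else is rejected.
gate_up()   { ipt -I OUTPUT 1 ! -o lo -m owner ! --uid-owner 0 -j REJECT; }
gate_down() { ipt -D OUTPUT ! -o lo -m owner ! --uid-owner 0 -j REJECT; }

# True once AFWall+ has applied its rules (its chain exists). In dry-run mode, simulate
# readiness after DRY_RUN_READY_AFTER polls (default 3) so the flow runs off-device.
afwall_ready() {
  if [ -n "$DRY_RUN" ]; then
    DRY_POLLS=$((DRY_POLLS + 1))
    [ "$DRY_POLLS" -ge "${DRY_RUN_READY_AFTER:-3}" ]
  else
    "$IPTABLES" -n -L "$AFWALL_CHAIN" >/dev/null 2>&1
  fi
}

# Raise the gate, wait for AFWall+, lower the gate. Returns 1 if the timeout was hit,
# but still lowers the gate so a broken AFWall+ start never leaves the device offline.
hold_until_afwall() {
  DRY_POLLS=0
  gate_up
  waited=0
  while ! afwall_ready; do
    if [ "$waited" -ge "$TIMEOUT_SECS" ]; then
      gate_down
      return 1
    fi
    [ -n "$DRY_RUN" ] || sleep 1
    waited=$((waited + 1))
  done
  gate_down
  return 0
}

# Only act for real on a Magisk device; elsewhere, print the plan.
if [ -n "$DRY_RUN" ] || [ -d /data/adb ]; then
  hold_until_afwall
fi
```

Placing this in `service.d` rather than `post-fs-data.d` follows the Magisk guidance quoted above: it runs in parallel with boot and never blocks it, and because the gate is a single OUTPUT rule that the script itself removes, it does not depend on AFWall+ flushing anything. The trade-off is the timeout: set it longer than AFWall+ normally takes to start on the device, otherwise the gate drops before the firewall is up.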