[5.0+][ROOT][3.5.2] AFWall+ IPTables Firewall [16 May 2021]


eriol1
Is it safe to disable all connections on gps?
I use GPS in what used to be called "device only" mode, and it still works when blocked.
Maybe high accuracy mode which uses also bluetooth/wifi/cell won't work? Haven't tried.

Anyway I'm guessing results might be different on other device/os combinations, so just try blocking and see if it works for you. If not simply change it back, no harm done.
 

IronTechmonkey

Safe? Yes absolutely, you won't damage anything by blocking GPS. Also, regarding a recent concern that was expressed about blocking everything, it is safe to block just about any app or service. Some things may not work but they won't break. If they did we sure would have trouble when disconnected from the internet.

As to functionality, to @eriol1's point, "device only" GPS does not seem to require any data connection even for the GPS service on the device. That being said, there are some third-party GPS utilities which will download a file possibly containing a list of satellites or other data, but those requests seemed to be made by the app, which can be blocked. Another consideration is Google's ongoing attempt to obfuscate our granular control of location services. For instance, in newer versions of Android we can no longer simply enable "device only" mode. We must now manually disable the internet-based location services. LOL, pardon that rant but this is one of my pet peeves about Google and one of the reasons I use AFWall+.
 

temporarium
<OT> There is also microG with alternative geolocation backends. </OT>
 

savelbys
Hello,

does anyone know how I can remove the x (no internet connection possible) at the WLAN icon in Android 11 LineageOS 18.1?
I assume this has something to do with the captive portal check.
To solve the problem in the short term, you have to disable the firewall, turn WLAN off/on and enable it again. However, after a reboot the problem still persists.

I have already tried the following, which unfortunately does nothing, but worked on Android 10:

su                                         # root shell
setenforce 0                               # SELinux permissive while writing the setting
settings put global captive_portal_mode 0  # 0 = do not run the captive portal check
setenforce 1                               # back to enforcing

and

su
pm disable com.android.captiveportallogin              # disable the captive portal login app
settings put global captive_portal_detection_enabled 0
settings put global captive_portal_server localhost    # point the check at localhost
settings put global captive_portal_mode 0
reboot
 

Hiroo Onoda

It's been a while since I set AFWall up on my Android 11, so I can't tell you exactly. Also, I don't have Lineage, just stock Android 11. I have allowed connections for the following system apps and got the x to go away, so I believe they may be related:

[-11] Linux kernel
[1073] Tethering, Cell Broadcast Service, Network manager, com.android.server.NetworkPermissionConfig
 

q1nt
For AFW+ to work, do I need to leave superuser access enabled (using Magisk) always? Or can I disable su access after setting up AFW+ the first time? The reason is I prefer to leave su disabled for a bit more security when I'm out running around.

Background: I'm rooted but now using Netguard. Considering switching to AFW+ so I can use another VPN.
 

starbright_
My knowledge becomes a bit outdated after switch to Android 11 (debloated Stock with microG).

From system side I blocked everything except Download Manager. But I found that Network manager is required to use Aurora (Playstore replacement).
Is this ok? Other things I have to take into account?
 

SilentDevGuy
    What happens to aurora store if you have network manager blocked?
     
    Aug 12, 2010
    49
    9
    Not on GitHub, therefore here: 1+8 with crDroid 7.4 (A11). After every boot, the firewall enables with a rules error. I need to wait about 2 min, then disable and re-enable the firewall again to get it running w/o errors.
    Yes, I could set the boot delay option, but I want protection even while booting.
     

    starbright_
    @ukanth: Thanks for your work!

    Per default I use the standard setting (all is disabled) and enable those apps that need ethernet. For system services it is much more difficult. Is there anything except the "Download manager" that is required?
    I found that Aurora is not working without "network stack".
    There is one superservice with uid 1000 that contains a lot of stuff. Does it need an ethernet connection?
    Any other settings that are not obvious, but should be set?
    Is there some kind of howto for beginners? Anything to be set in the binary/experimental/security sections?

    Above, GPS was mentioned. It is ok just to download the (anonymous) AGPS data, but which service does it? There are several services that seem to have GPS in their name.

    --

    What is really bad (at least for my Samsung): There is a service com.samsung.android.kgclient which is listed in AFWall (very anonymously) as "device services". It can't be uninstalled and blocking it causes high load.
    So it seems that service knows there is an ethernet connection and forces it to connect. Is there a way of faking "no ethernet available" to it?
     

    SilentDevGuy
    The FAQ is ideally where you want to go right now, that IS the HOWTO for beginners.
    Also, we need to know your device to even begin helping you, many phones work perfectly fine with EVERYTHING except wanted apps blocked.
     

    starbright_
    I played with Aurora Store, could log in after enabling Network stack. But I couldn't download anything. Enabling Download manager doesn't help. I see some blocks of 11 (kernel) and ICMP and mdns. But even after enabling 11/kernel and mdns I still see some ICMP 11 block messages?!? And it doesn't download.

    I disabled/enabled Wifi but the behaviour stays the same.
     

    eriol1
    Maybe try recording traffic with tcpdump? Should allow you to see what exactly the flow looks like and what requests aren't getting through but should
     

    SilentDevGuy
    Before using tcpdump, which theoretically shouldn't give you any more information on blocked requests than the AFWall log should, you should tell us what device you are using or at least the ROM, i.e. OneUI or OxygenOS. Without knowing at least that much I can't debug whether it's your device or AFWall causing the issue. Also, ON SOME DEVICES Aurora Store will not work if Google Play Services are blocked; start there and get back to me.

    Edit: This is precisely why Ukanth requested the issue be raised on GitHub with logs provided; further information is necessary.
     

    ukanth
    Hello all,

    I have fixed the logging issue for both LOG/NFLOG chains. Instead of using toasts, I have been thinking of using a notification to show the denied requests. Adding this to the notification bar helps in enabling more features like giving an exemption for an app or even showing allowed requests as well.

    Wanted to get community inputs on this.
     

    IronTechmonkey
    +1 to the added functionality available through the notification...

    ... as long as it does not get bogged down when apps create rapid and persistent notifications, in some cases up to many per second for several minutes.
     

    Top Liked Posts

      What just happened ukanth?
      Tried to upgrade from v3.5.2 to v3.5.2.1 from F-Droid.
      This completely f... up AFWall, lost config and rules, app crashes all the time.
      So I decided to delete cache, storage, remove device admin and uninstall the app.
      Reboot the OP8P (on crDroid v7.6 A11) and freshly installed v3.5.2, set rules & config manually.
      And now it's blazingly fast!!! (y) Which is good for sure! Applying ~180 rules takes less than a second now. Took ~30s before with frequent app crashes. And all the errors I've described above are gone!

      Only thing I need now is init.d or something to enable pre-boot protection. As I'm using root with Magisk v23, any ideas how to get pre-boot / startup protection activated?

      And still cannot update to v3.5.2.1... No Play Store installed.

      Afaik v3.5.2 & 3.5.1 are not available on F-Droid; the latest there is v3.5.2.1 & before it is v3.5.0.
      For using Magisk you need to choose "startup directory path for script" & tick "fix startup data leak" in preferences > experimental.

      Thanks for your explanation of "Clat"!
      Just a last guess: How is your handling of IPv4 and IPv6 Chains?
      I can't use IPv6, so I didn't enable it.

      This is the setting of my Moto G Play phone and Samsung Galaxy Tab S2, both LOS 17.1:

      View attachment 5340641

      I have it active. Adjusting the setting to what I see on your screenshot does not help either, though. It seems either my XZ1 Compact is in some way different - or my Wireguard VPN makes a difference ;-)

      Well, I still hope from some ideas from @ukanth - either here or on his github site... but thanks for trying to help!

      Edit: I found one difference between our settings though: If I set the "Input chain" setting to "blocked", Wireguard (and thus, anything else) does not get any web access on 3.4.0 as well. Might be logical since AFAIK Wireguard acts as a local "router interface". So this is a clear difference between your devices and mine.

      Maybe there is some change between 3.4.0 and 3.5.x that causes this chain setting to break...?

      After version 3.4, NO version works cleanly with Xiaomi Mit9T - Rooted firmware.

      Problem:

      No VOLTE, HD Voice or Wifi Calling. I restarted the system but after few minutes VOLTE icon disappears and voice quality is much worse than before.
      I think the 3.5 -3.5.2 versions now block some port that is responsible for this.
      My knowledge is unfortunately too small for this. Can someone tell me what I need to fix so I can use the current version again?

      Just to check the (by now) obvious: do you happen to have changed the "DNS proxy" setting to "Disable DNS via netd"? If so, you suffer from the same problem that keeps me on 3.4.0...

      IIRC: If you disable DNS via netd you must allow [0] (Root) - Apps with root permissions.

      SEVERE SECURITY WARNING:
      AFWALL default functionality might NOT (and probably for many will NOT) secure your Android phone.

      EXPECTED BEHAVIOR:
      A secure firewall must block incoming connections that are not initiated by the user.

      ACTUAL BEHAVIOR:
      a) Using the latest version 3.5.2, I discovered erratic behaviour by the app when trying to run a custom script to set the incoming packet policy to DROP and accept only related and established incoming connections. AFWall errored out when trying to set the rules.

      b) Depending on your ROM you might have INPUT chain rules that need to be vetted, which relies on custom scripting that errors out. For example, a Samsung stock ROM on a 2020 device has an "input_dos" chain rule within the INPUT chain that explicitly allows ctstate "NEW" packets through. That must not happen in a secure firewall that only wants to accept established and related state incoming packets.

      WORKAROUND:
      What works for the time being as a workaround is:

      a) set up AFWall focusing on app permissions which should cover the OUTPUT part of the firewall.

      b) change the INPUT chain rules manually via terminal to drop incoming packets except for established/related connection state packets and remove rules that bypass this restriction.

      ------
      This tight INPUT chain has nearly doubled my battery life (4000 mAh Li-Po from 10hrs to 20 hrs).

      AFAIK, AFWall never claimed to block any incoming connections. The main purpose is to block unwanted outgoing connections.
      Maybe Android itself blocks some incoming connections? But Android probably has a very different idea of what an unwanted connection is 😬

      Nevertheless, thanks for the important info and nice effect on the battery (y)
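The INPUT-chain workaround above is easy to get wrong by hand, because ROMs hide their accept rules in sub-chains that INPUT jumps into (the "input_dos" case). The script below is an added example, not AFWall+ project code or anything posted in this thread. It audits an `iptables-save -t filter` dump for every ACCEPT rule reachable from INPUT that admits NEW packets, then prints the tightened IPv4 rules as commands you could paste into an AFWall+ custom script. The dump it runs on is constructed here: the input_dos chain mirrors the post's description, while the `oem_out` chain and the individual rule details are invented to exercise the audit. It is IPv4 only; an ip6tables equivalent needs an explicit accept for ICMPv6 neighbour discovery, which conntrack does not mark ESTABLISHED, or the link will not come up. The same goes for anything that must receive unsolicited packets, such as mDNS or tethering clients.

```shell
#!/bin/sh
# Added example, not AFWall+ project code.  Audits an `iptables-save -t filter`
# dump for INPUT-reachable rules that let NEW packets in (the "input_dos"
# situation described in the post) and prints the tightened IPv4 INPUT rules
# the workaround calls for, as commands suitable for an AFWall+ custom script.
# Only POSIX sh, awk, sed and tr are used so it also runs under busybox on-device.

# Constructed sample dump.  The input_dos chain mirrors the post's description;
# the oem_out chain and the rule details are invented to exercise the audit.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:input_dos - [0:0]
:oem_out - [0:0]
-A INPUT -j input_dos
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A input_dos -p tcp -m conntrack --ctstate NEW -m limit --limit 50/sec -j ACCEPT
-A input_dos -p udp -m conntrack --ctstate NEW -j ACCEPT
-A input_dos -j DROP
-A OUTPUT -j oem_out
-A oem_out -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# Policy of the built-in INPUT chain as recorded in the dump (ACCEPT or DROP).
input_policy() {
    printf '%s\n' "$1" | awk '/^:INPUT / { print $2; exit }'
}

# Names of INPUT plus every user chain reachable from it through -j/-g,
# transitively, so rules hidden in ROM-provided sub-chains are not missed.
input_chains() {
    printf '%s\n' "$1" | awk '
        /^-A / { rule[++n] = $0 }
        END {
            reach["INPUT"] = 1; changed = 1
            while (changed) {
                changed = 0
                for (i = 1; i <= n; i++) {
                    nf = split(rule[i], f, " ")
                    if (!(f[2] in reach)) continue
                    for (j = 3; j < nf; j++)
                        if ((f[j] == "-j" || f[j] == "-g") && !(f[j+1] in reach) &&
                            f[j+1] !~ /^(ACCEPT|DROP|REJECT|RETURN|LOG|NFLOG)$/) {
                            reach[f[j+1]] = 1; changed = 1
                        }
                }
            }
            for (c in reach) print c
        }'
}

# Every ACCEPT rule in an INPUT-reachable chain that admits NEW packets: it
# either names NEW in a --ctstate/--state list or carries no state match at all
# (and so accepts every state).  Loopback (-i lo) accepts are left alone.
find_new_accepts() {
    chains=$(input_chains "$1" | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v chains="$chains" '
        BEGIN { split(chains, c, " "); for (i in c) if (c[i] != "") ok[c[i]] = 1 }
        /^-A / && ($2 in ok) && / -j ACCEPT( |$)/ && !/ -i lo( |$)/ {
            if ($0 ~ / --(ctstate|state) [A-Z,]*NEW/) print
            else if ($0 !~ / --(ctstate|state) /) print
        }'
}

# Commands for an AFWall+ custom script implementing the post's workaround:
# default-deny on INPUT, loopback and reply traffic accepted, and the offending
# ROM rules deleted.  Printed for review rather than executed.
hardened_input_script() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I INPUT 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Each flagged "-A chain ..." rule becomes the matching delete command.
    find_new_accepts "$1" | sed 's/^-A /iptables -D /'
}

echo "INPUT policy: $(input_policy "$SAMPLE_DUMP")"
echo "Rules admitting NEW packets:"
find_new_accepts "$SAMPLE_DUMP"
echo
echo "Proposed custom script:"
hardened_input_script "$SAMPLE_DUMP"
```

On a device you would feed it the real dump (`su -c iptables-save -t filter`) instead of SAMPLE_DUMP and review the printed commands before putting them in the custom script; the ICMP accept it flags is a judgement call, since the post's policy admits nothing unsolicited, but dropping it also silences ping.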

      Welcome to the official support page for AFWall+

      Disclaimer - As usual, I will not take any responsibility if something goes wrong when using AFWall+.

      Introduction
      AFWall+ is an improved version of DroidWall (a front-end application for the powerful iptables Linux firewall). It allows you to restrict which applications are permitted to access your data networks (2G/3G/4G/LTE and/or Wi-Fi, and while roaming). Since the original author of DroidWall discontinued the project, I decided to keep the app instead of Avast Firewall. I'll continue to add more features as I can.


      Features
      - Supports 5.x to 11.x
      - Import/Export Rules to external storage
      - Search Applications
      - Multiple Profiles with custom names
      - Tasker/Locale support
      - Select All/None/Invert/Clear applications with single click
      - Revamped Rules/Logs Viewer with copy/export to external storage
      - Ability to view the network interfaces
      - Highlight system applications with custom color
      - Notify on new installations
      - Ability to hide application icons( faster loading )
      - Use LockPattern for application protection.
      - Show/Hide application ID.
      - Roaming Control for 3G/Edge
      - VPN Control
      - LAN Control
      - Tether Control
      - IPV6 Control
      - Tor Control
      - Choosable languages
      - Choosable iptables/busybox binary
      - Supports MIPS/x86/ARM
      - DNS Hostname

      Changelog - See third Post
      Current Version - 3.5.2

      To get Unlocker without Google services - Please follow the instructions here

      AFWall+ BETA Program
      1) AFWall+ opt-in for beta program
      2) Install AFWall+ and If you have any issues, just send email from (Menu -> Firewall Rules - > Send error report)

      Source Code/Wiki/FAQ
      AFWall+ is a free & open source application
      Github
      Log an issue
      Frequently Asked Questions
      Many Thanks to @CHEF-KOCH

      Translations
      Translations - Please help me with translations in your language.
      http://crowdin.net/project/afwall

      Thanks To/Credits
      - German translations by [email protected] & [email protected] & [email protected]
      - French translations by [email protected] & [email protected]
      - Russian translations by [email protected] & YaroslavKa78
      - Spanish translations by [email protected]
      - Dutch translations by [email protected]
      - Japanese translation by [email protected]
      - Ukrainian translation by [email protected]
      - Slovenian translation by bunga [email protected]
      - Chinese Simplified translation by [email protected]
      - Polish translations by tst,Piotr [email protected]
      - Swedish translations by [email protected]
      - Greek Translations by [email protected]
      - Portuguese translations by [email protected]
      - Chinese Traditional by [email protected]
      - Chinese Simplified by wuwufei,tianchaoren @ crowdin
      - Italian translations by [email protected]
      - Romanian translations by [email protected]
      - Czech translations by Syk3s

      Cheers,
      ukanth

      XDA:DevDB Information
      AFWall+ [ IPTables Firewall ], App for the Android General

      Contributors
      ukanth
      Source Code: https://github.com/ukanth/afwall


      Version Information
      Status:
      Stable
      Current Stable Version: 3.4.0
      Stable Release Date: 2020-02-09
      Current Beta Version: 3.5.0-BETA1
      Beta Release Date: 2020-09-05

      Created 2013-12-03
      Last Updated 2020-09-05

      Version 3.0.1

      * Fix: Status toggle widget 1x1
      * Fix: Ability to hide ongoing notification (Stop firewall and restart to hide after disable it in preferences)
      * Fix: Firewall error notification on oreo and above
      * Security: Tile toggle checks for password
      * User reported crashes
      * Updated translations

      Previous version 3.0.0

      Features:
      * Better support for nougat/oreo and pie.
      * Firewall toggle tile
      * Adaptive Icons
      * Notification channels
      * Tor support

      Bugs:
      * General bug fixes and crash reports.
      * Language selection bug
      * Filter selection bug
      * Compatible with magisk 17.x
      * Better handling of background process
      * Drops support for 4.x devices
      * Update languages
      * Updated libraries

      Complete Changelog


      Hello All,

      After careful analysis and testing, I decided not to rewrite the way rules are being applied due to the lot of under-the-hood changes required. Instead I added a few enhancements. Now applying rules from the menu will show how many rules are getting applied with progress status. Also when adding/removing a few rules, it will apply only those related rules instead of a full apply.

      Also fixed a couple of bugs and added enhancements. You can get the full changelog from https://github.com/ukanth/afwall/blob/beta/Changelog.md

      This is a BETA version which is not released on the Play Store. I have been using this for the past week and it's stable. But there might be bugs which I haven't encountered. Please test it and report in case of any issues.

      Also I have been following the XPrivacy thread on the decision by its author. Just as FYI, I might fix it for my own usage when I update to Nougat; I will share it here if anybody uses it here.

      BETA Link - https://www.dropbox.com/s/isvi413qyx6vb4d/AFWall+ 2.9.7-BETA-TESTER.apk?dl=0

      Hello everyone,

      I have released 3.0.0 stable on the Play Store today. It's been a crazy month so far. After going through a lot of dilemma about whether to support the existing AFWall or write a new one from scratch, I was finally able to pull myself together and release a stable version of AFWall with lots of bug fixes and new features along with Pie support. Since I don't do full-time Android development, it was hard to keep track of what's going on with SDK level changes.

      Thank you all for your support in AFWall+ development. Without your support it would simply not be possible to pull through this.

      I will be out for a couple of days (taking off to spend time with my family) and hopefully will be able to reply to questions once back.

      Thanks again and have a great day.

      Hello everyone,

      I have released the stable version 3.1.0 to the Play Store and GitHub. It's live on the Play Store. You can find the changelog along with md5/sha here

      https://github.com/ukanth/afwall/releases/tag/v3.1.0

      Thank you all for your continuous support in AFWall+ development.