
[5.0+][ROOT][3.5.2] AFWall+ IPTables Firewall [16 May 2021]


eriol1

Senior Member
Feb 16, 2015
177
119
Is it safe to disable all connections on gps?
I use GPS in what used to be called "device only" mode, and it still works when blocked.
Maybe high accuracy mode which uses also bluetooth/wifi/cell won't work? Haven't tried.

Anyway I'm guessing results might be different on other device/os combinations, so just try blocking and see if it works for you. If not simply change it back, no harm done.
 

IronTechmonkey

Recognized Contributor
Feb 12, 2013
7,893
11,436
Is it safe to disable all connections on gps?

I use GPS in what used to be called "device only" mode, and it still works when blocked.
Maybe high accuracy mode which uses also bluetooth/wifi/cell won't work? Haven't tried.

Anyway I'm guessing results might be different on other device/os combinations, so just try blocking and see if it works for you. If not simply change it back, no harm done.

Safe? Yes absolutely, you won't damage anything by blocking GPS. Also, regarding a recent concern that was expressed about blocking everything, it is safe to block just about any app or service. Some things may not work but they won't break. If they did we sure would have trouble when disconnected from the internet.

As to functionality, to @eriol1's point, "device only" GPS does not seem to require any data connection even for the GPS service on the device. That being said, there are some 3rd party GPS utilities which will download a file possibly containing a list of satellites or other data but those requests seemed to be made by the app which can be blocked. Another consideration is Google's ongoing attempt to obfuscate our granular control of location services. For instance, in newer versions of Android we can no longer simply enable “device only” mode. We must now manually disable the internet-based location services. LOL, pardon that rant but this is one of my pet peeves about Google and one of the reasons I use AFWall+.
 

temporarium

Senior Member
Safe? Yes absolutely, you won't damage anything by blocking GPS. Also, regarding a recent concern that was expressed about blocking everything, it is safe to block just about any app or service. Some things may not work but they won't break. If they did we sure would have trouble when disconnected from the internet.

As to functionality, to @eriol1's point, "device only" GPS does not seem to require any data connection even for the GPS service on the device. That being said, there are some 3rd party GPS utilities which will download a file possibly containing a list of satellites or other data but those requests seemed to be made by the app which can be blocked. Another consideration is Google's ongoing attempt to obfuscate our granular control of location services. For instance, in newer versions of Android we can no longer simply enable “device only” mode. We must now manually disable the internet-based location services. LOL, pardon that rant but this is one of my pet peeves about Google and one of the reasons I use AFWall+.
<OT> There is also microG with alternative geolocation backends. </OT>
 

savelbys

Member
Mar 9, 2020
34
9
Hello,

Does anyone know how I can remove the x/no internet connection possible at the WLAN icon in Android 11 LineageOS 18.1?
I assume this has something to do with the captive portal check.
To solve the problem in the short term, you have to disable the firewall, turn WLAN off/on and enable it again. However, after a reboot the problem still persists.

I have already tried the following which unfortunately does nothing, but worked on Android 10:

su
setenforce 0
settings put global captive_portal_mode 0
setenforce 1

and

su
su
pm disable com.android.captiveportallogin
settings put global captive_portal_detection_enabled 0
settings put global captive_portal_server localhost
settings put global captive_portal_mode 0
reboot
 

Hiroo Onoda

Member
Apr 22, 2019
49
24
Hello,

Does anyone know how I can remove the x/no internet connection possible at the WLAN icon in Android 11 LineageOS 18.1?
I assume this has something to do with the captive portal check.
To solve the problem in the short term, you have to disable the firewall, turn WLAN off/on and enable it again. However, after a reboot the problem still persists.

I have already tried the following which unfortunately does nothing, but worked on Android 10:

su
setenforce 0
settings put global captive_portal_mode 0
setenforce 1

and

su
su
pm disable com.android.captiveportallogin
settings put global captive_portal_detection_enabled 0
settings put global captive_portal_server localhost
settings put global captive_portal_mode 0
reboot

It's been a while since I set AFWall up on my Android 11, so I can't tell you exactly. Also, I don't have Lineage, just stock Android 11. I have allowed connection on the following system apps and got the x to go away, so I believe they may be related:

[-11] Linux kernel
[1073] Tethering, Cell Broadcast Service, Network manager, com.android.server.NetworkPermissionConfig
 

q1nt

Member
Apr 26, 2020
5
3
For AFW+ to work, do I need to leave super user access enabled (using Magisk) always? Or can I disable su access after setting up AF+ the first time? Reason is I prefer to leave su disabled for a bit more security when I'm out running around.

Background: I'm rooted but now using Netguard. Considering switching to AFW+ so I can use another VPN.
 

starbright_

Senior Member
Apr 11, 2010
1,313
217
My knowledge became a bit outdated after the switch to Android 11 (debloated Stock with microG).

From system side I blocked everything except Download Manager. But I found that Network manager is required to use Aurora (Playstore replacement).
Is this ok? Other things I have to take into account?
 

greatestandroidfan

Senior Member
Aug 12, 2010
52
9
Not on Github, therefore here: 1+8 with crDroid 7.4 (A11). After every boot, firewall enables with rules error. Need to wait like 2min, then disable and re-enable firewall again to get it running w/o errors.
Yes, could set the boot delay option, but I want protection even while booting.
 

starbright_

Senior Member
Apr 11, 2010
1,313
217
@ukanth: Thanks for your work!

Per default I use standard setting (all is disabled) and enable those apps that need ethernet. For system services it is much more difficult. Is there anything except the "Download manager" that is required?
I found that Aurora is not working without "network stack".
There is one superservice with uid 1000, that contains a lot of stuff. Does it need ethernet connection?
Any other settings that are not obvious, but should be set?
Is there some kind of howto for beginners? Anything to be set in binary/experimental/security section.

Above was mentioned GPS. It is ok just to download the (anonymous) AGPS data, but which service does it? There are several services that seem to have GPS in their name.

--

What is really bad (at least for my Samsung): There is a service com.samsung.android.kgclient - which is listed in AFWall (very anonymous) as "device services". It can't be uninstalled and blocking it causes high load.
So it seems that the service knows there is an ethernet connection and forces to connect. Is there a way of faking "no ethernet available" to it?
 

SilentDevGuy

Senior Member
Feb 10, 2021
81
21
@ukanth: Thanks for your work!

Per default I use standard setting (all is disabled) and enable those apps that need ethernet. For system services it is much more difficult. Is there anything except the "Download manager" that is required?
I found that Aurora is not working without "network stack".
There is one superservice with uid 1000, that contains a lot of stuff. Does it need ethernet connection?
Any other settings that are not obvious, but should be set?
Is there some kind of howto for beginners? Anything to be set in binary/experimental/security section.

Above was mentioned GPS. It is ok just to download the (anonymous) AGPS data, but which service does it? There are several services that seem to have GPS in their name.

--

What is really bad (at least for my Samsung): There is a service com.samsung.android.kgclient - which is listed in AFWall (very anonymous) as "device services". It can't be uninstalled and blocking it causes high load.
So it seems that the service knows there is an ethernet connection and forces to connect. Is there a way of faking "no ethernet available" to it?
The FAQ is ideally where you want to go right now, that IS the HOWTO for beginners.
Also, we need to know your device to even begin helping you, many phones work perfectly fine with EVERYTHING except wanted apps blocked.
 

starbright_

Senior Member
Apr 11, 2010
1,313
217
I played with Aurora store, could log in after enabling Network stack. But I couldn't download anything. Enabling Download manager doesn't help. I see some blocks of 11 (kernel) and ICMP and mdns. But even after enabling 11/kernel and mdns I still see some ICMP 11 block messages?!? And it doesn't download.

I disabled/enabled Wifi but the behaviour stays the same.
 

eriol1

Senior Member
Feb 16, 2015
177
119
I played with Aurora store, could log in after enabling Network stack. But I couldn't download anything. Enabling Download manager doesn't help. I see some blocks of 11 (kernel) and ICMP and mdns. But even after enabling 11/kernel and mdns I still see some ICMP 11 block messages?!? And it doesn't download.

I disabled/enabled Wifi but the behaviour stays the same.
Maybe try recording traffic with tcpdump? Should allow you to see what exactly the flow looks like and what requests aren't getting through but should
 

SilentDevGuy

Senior Member
Feb 10, 2021
81
21
I played with Aurora store, could log in after enabling Network stack. But I couldn't download anything. Enabling Download manager doesn't help. I see some blocks of 11 (kernel) and ICMP and mdns. But even after enabling 11/kernel and mdns I still see some ICMP 11 block messages?!? And it doesn't download.

I disabled/enabled Wifi but the behaviour stays the same.
Before using tcpdump, which theoretically shouldn't give you any more information on blocked requests than the AFWall log should, you should tell us what device you are using or at least the ROM, i.e. OneUI or OxygenOS. Without knowing at least that much I can't debug if it's your device or AFWall causing the issue. Also, ON SOME DEVICES Aurora store will not work if Google Play services are blocked, start there and get back to me.

Edit: This is precisely why Ukanth requested the issue raised on GitHub with logs provided, further information is necessary.
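
Added example, not part of any post in this thread: a POSIX shell take on the log-first triage suggested above, grouping blocked packets by UID, protocol and destination port so it is clear which entries still need a rule. The log lines are constructed, and the `{AFL}` log prefix, the function names `sample_log` and `summarize_blocked`, and the `no-uid` label are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarise blocked packets from netfilter LOG lines.
# Assumption: the firewall rules log with "-j LOG --log-uid" and the
# prefix "{AFL}". On a device the input could come from `dmesg`.

# Constructed sample input (documentation address ranges, made-up UIDs).
sample_log() {
cat <<'EOF'
{AFL}IN= OUT=wlan0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4411 DF PROTO=TCP SPT=40122 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 UID=10123 GID=10123
{AFL}IN= OUT=wlan0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4412 DF PROTO=TCP SPT=40124 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 UID=10123 GID=10123
{AFL}IN= OUT=wlan0 SRC=192.0.2.10 DST=224.0.0.251 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=901 DF PROTO=UDP SPT=5353 DPT=5353 LEN=53 UID=10077 GID=10077
{AFL}IN= OUT=wlan0 SRC=192.0.2.10 DST=203.0.113.9 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=5120 PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=77 PROTO=UDP SPT=53 DPT=40000 LEN=40 ]
{AFL}IN= OUT=wlan0 SRC=192.0.2.10 DST=203.0.113.9 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=5121 PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=78 PROTO=UDP SPT=53 DPT=40001 LEN=40 ]
wlan0: link becomes ready
EOF
}

# Reads log lines on stdin and prints one line per (uid, proto, port):
#   <count> uid=<uid> proto=<proto> dpt=<port>
# most frequent first.
summarize_blocked() {
    awk -v prefix='{AFL}' '
    index($0, prefix) {                 # only lines carrying the prefix
        uid = "no-uid"; proto = "?"; dpt = "-"; inner = 0
        for (i = 1; i <= NF; i++) {
            # ICMP errors embed the offending packet in [ ... ]; its
            # PROTO=/DPT= fields describe that packet, so skip them.
            if ($i ~ /^\[SRC=/) { inner = 1; continue }
            if ($i == "]")      { inner = 0; continue }
            if (inner) continue
            if ($i ~ /^UID=/)        uid   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        # --log-uid only records a UID when the packet has an owning
        # socket; packets without one stay in the "no-uid" bucket.
        seen[uid " " proto " " dpt]++
    }
    END {
        for (k in seen) {
            split(k, f, " ")
            printf "%d uid=%s proto=%s dpt=%s\n", seen[k], f[1], f[2], f[3]
        }
    }' | LC_ALL=C sort -k1,1nr -k2,2
}

sample_log | summarize_blocked
```

Entries in the `no-uid` bucket cannot be matched by a per-app rule, which is one reason ICMP blocks can keep appearing after an app has been allowed.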
 

ukanth

Recognized Developer
Nov 30, 2010
1,517
5,240
Nexus 7 (2013)
OnePlus X
Hello all,

I have fixed the logging issue for both LOG/NFLOG chains. Instead of using toasts, I have been thinking of using notifications to show the denied requests. Adding this to the notification bar helps in enabling more features like giving an exemption for an app or even showing allowed requests as well.

Wanted to get community inputs on this.
 

IronTechmonkey

Recognized Contributor
Feb 12, 2013
7,893
11,436
Hello all,

I have fixed the logging issue for both LOG/NFLOG chains. Instead of using toasts, I have been thinking of using notifications to show the denied requests. Adding this to the notification bar helps in enabling more features like giving an exemption for an app or even showing allowed requests as well.

Wanted to get community inputs on this.

+1 to the added functionality available through the notification...

... as long as it does not get bogged down when apps create rapid and persistent notifications, in some cases up to many per second for several minutes.
 

Top Liked Posts

  • 1
    I have a very frustrating problem. I have everything Google blocked in AFWall+ 3.5.2 Donate version, including Play Store, Framework, etc. I unblock them rarely, like when I need to update maps. Regardless, every so often during the month and against my wishes Google will reach out and inform me of updates. And even though I have autoupdates disabled, it will occasionally autoupdate a Google app.

    I tried freezing Google Play Store but some of my apps won't work when I do that.

    I have LOS 14.1 installed. Just how is Google accessing the internet and how do I stop it?
    EDITED: Changed "during the day" to "during the month".
    That seems google's fault.

    As a workaround you can try disabling the autoupdated app (google app). I had experienced it on my 2 devices, that's the only solution that I know so far.
  • 5
    So, should we use post-fs-data mode, or is this too risky in that it could lock up the device if something is wrong?
    At the moment I'm using the post-fs-data.d option. It may take a bit longer to start.
    While I do get errors occasionally, mainly with applying rules, it still blocks connection to apps. I don't think it's due to the startup configuration (check GitHub as other people have issues too).
    My startup is also due to the other crap on my phone as well, and mainly needs time to settle down so to speak.
    Also, looking back on this post, not everyone has the same options. @Uluru25 has the service.d option only, while I don't have his device but @EEngineer has completely different options.
    As to what option to use it will be up to you but the magisk guide does recommend using service.d option in most cases.

    5
    Wow - so apps can get internet access for around a minute right after bootup (before afwall can apply the rules).
    yes they could and that's all some apps need so as to send info home but the simplest way around that is to turn off mobile internet as well as wifi before reboot and wait about a minute after boot for the firewall to have started before reconnecting internet access :)
    3
    I have two entries for that option - which one should I select?
    I've got the same entries as well. It got me wondering what the two are.
    Came across this for the two options and what they mean.

    • post-fs-data mode
      • This stage is BLOCKING. The boot process is paused before execution is done, or 10 seconds have passed.
      • Scripts run before any modules are mounted. This allows a module developer to dynamically adjust their modules before it gets mounted.
      • This stage happens before Zygote is started, which pretty much means everything in Android
      • Run scripts in this mode only if necessary!
    • late_start service mode ( service.d )
      • This stage is NON-BLOCKING. Your script runs in parallel along with the booting process.
      • This is the recommended stage to run most scripts!
    This is taken from the Magisk guide

    2
    Wow - so apps can get internet access for around a minute right after bootup (before afwall can apply the rules).
    That could be the case, I don't know because I haven't used AFWall for years so I don't know how and when it applies the rules.
    My answer is from a general Linux knowledge point of view. ;)
    2
    yes they could and that's all some apps need so as to send info home but the simplest way around that is to turn off mobile internet as well as wifi before reboot and wait about a minute after boot for the firewall to have started before reconnecting internet access :)
    I have AFWall+ and before I reboot or shut down my phone (which is at least once a week) I put my phone in airplane mode first.

    I also have "Fix startup data leak" greyed out, and I have both int.d and SU installed. What's the deal?
  • 384
    Welcome to official support page for AFWall+

    Disclaimer - As usual, I'll not take any responsibility if something goes wrong when using AFWall+

    Introduction
    AFWall+ is an improved version of DroidWall (front-end application for the powerful iptables Linux firewall). It allows you to restrict which applications are permitted to access your data networks (2G/3G/4G/LTE and/or Wi-Fi and while in roaming). Since the original author of Droidwall discontinued the project, I decided to keep the app instead of Avast Firewall. I'll continue to add more features as I can.


    Features
    - Supports 5.x to 11.x
    - Import/Export Rules to external storage
    - Search Applications
    - Multiple Profiles with custom names
    - Tasker/Locale support
    - Select All/None/Invert/Clear applications with single click
    - Revamped Rules/Logs Viewer with copy/export to external storage
    - Ability to view the network interfaces
    - Highlight system applications with custom color
    - Notify on new installations
    - Ability to hide application icons( faster loading )
    - Use LockPattern for application protection.
    - Show/Hide application ID.
    - Roaming Control for 3G/Edge
    - VPN Control
    - LAN Control
    - Tether Control
    - IPV6 Control
    - Tor Control
    - Choose able languages
    - Choose able iptables/busybox binary
    - Supports MIPS/x86/ARM
    - DNS Hostname

    Changelog - See third Post
    Current Version - 3.5.2

    To get Unlocker without Google services - Please follow the instructions here

    AFWall+ BETA Program
    1) AFWall+ opt-in for beta program
    2) Install AFWall+ and If you have any issues, just send email from (Menu -> Firewall Rules - > Send error report)

    Source Code/Wiki/FAQ
    AFWall+ is a free & open-source application
    Github
    Log an issue
    Frequently Asked Questions
    Many Thanks to @CHEF-KOCH

    Translations
    Translations - Please help me with translations in your language.
    http://crowdin.net/project/afwall

    Thanks To/Credits
    - German translations by [email protected] & [email protected] & [email protected]
    - French translations by [email protected] & [email protected]
    - Russian translations by [email protected] & YaroslavKa78
    - Spanish translations by [email protected]
    - Dutch translations by [email protected]
    - Japanese translation by [email protected]
    - Ukrainian translation by [email protected]
    - Slovenian translation by bunga [email protected]
    - Chinese Simplified translation by [email protected]
    - Polish translations by tst,Piotr [email protected]
    - Swedish translations by [email protected]
    - Greek Translations by [email protected]
    - Portuguese translations by [email protected]
    - Chinese Traditional by [email protected]
    - Chinese Simplified by wuwufei,tianchaoren @ crowdin
    - Italian translations by [email protected]
    - Romanian translations by [email protected]
    - Czech translations by Syk3s

    Cheers,
    ukanth

    XDA:DevDB Information
    AFWall+ [ IPTables Firewall ], App for the Android General

    Contributors
    ukanth
    Source Code: https://github.com/ukanth/afwall


    Version Information
    Status:
    Stable
    Current Stable Version: 3.4.0
    Stable Release Date: 2020-02-09
    Current Beta Version: 3.5.0-BETA1
    Beta Release Date: 2020-09-05

    Created 2013-12-03
    Last Updated 2020-09-05
    70
    Version 3.0.1

    * Fix: Status toggle widget 1x1
    * Fix: Ability to hide ongoing notification (Stop firewall and restart to hide after disable it in preferences)
    * Fix: Firewall error notification on oreo and above
    * Security: Tile toggle checks for password
    * User reported crashes
    * Updated translations

    Previous version 3.0.0

    Features:
    * Better support for nougat/oreo and pie.
    * Firewall toggle tile
    * Adaptive Icons
    * Notification channels
    * Tor support

    Bugs:
    * General bug fixes and crash reports.
    * Language selection bug
    * Filter selection bug
    * Compatible with magisk 17.x
    * Better handling of background process
    * Drops support for 4.x devices
    * Update languages
    * Updated libraries

    Complete Changelog

    41
    Hello All,

    After careful analysis and testing, I decided not to rewrite the way rules are being applied due to lot of under hood changes required. Instead added few enhancements. Now applying rules from menu will show how many rules are getting applied with progress status. Also when adding/removing few rules , it will apply only those related rules instead of full apply.

    Also fixed couple of bugs and enhancements. You can get the full changelog from https://github.com/ukanth/afwall/blob/beta/Changelog.md

    This is BETA Version which is not released on playstore. I have been using this for past week and it's stable. But there might be bugs which I haven't encountered. Please test it and report it in case of any issues.

    Also I have been following XPrivacy thread on the decision by it's author. Just as FYI, I might fix it for my own usage when I update to nougat, I will share it here if anybody uses it here.

    BETA Link - https://www.dropbox.com/s/isvi413qyx6vb4d/AFWall+ 2.9.7-BETA-TESTER.apk?dl=0
    40
    Hello everyone,

    I have released 3.0.0 stable on playstore today. It's been a crazy month so far. After going through lot of dilemma of whether to support the existing afwall or write a new one from scratch, finally able to pull myself and release stable version of afwall with lots of bug fixes and new features along with pie support. Since I don't do full time Android development, it was hard to keep track of what's going on with sdk level changes.

    Thank you all for your support in AFWall+ development. Without your support it would simply not possible to pull through this.

    I will be out for couple of days ( taking off to spend time with my family ) and hopefully will be able to reply to questions once back.

    Thanks again and have a great day.
    35
    Hello everyone,

    I have released stable version of 3.1.0 to playstore and github. Its live on playstore. You can find the changelog along with md5/sha here

    https://github.com/ukanth/afwall/releases/tag/v3.1.0

    Thank you all for your continuous support in AFWall+ development.