
[5.0+][ROOT][3.5.2] AFWall+ IPTables Firewall [16 May 2021]


ukanth

Recognized Developer
+1 to the added functionality available through the notification...

... as long as it does not get bogged down when apps create rapid and persistent notifications, in some cases up to many per second for several minutes.
I was thinking more of removing the toast functionality and introducing only notification-based ones?
 

IronTechmonkey

Recognized Contributor
I was thinking more of removing the toast functionality and introducing only notification-based ones?

Yep. I understood that and am all in for using notifications instead of toasts. I was just thinking of a past issue where frequent block toasts would cause an FC and am now wondering how the notification would handle that. Perhaps even better than toasts. I'm looking forward to testing, and I know of a few misbehaving apps to throw at it. :)
 

starbright_

Senior Member
I kindly ask for help. I would like to get rid of the USB cable for transferring data PC<->phone, either by running an SSH server on the phone or by using wireless adb.
It seems not enough to enable adb in the FW, as it seems to block traffic that is initiated from outside (that's how it looks, right?).
Please: can someone explain how and what to set to open a port for this?
I am a noob with rules, so can you give me some guidance? Thank you.
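An added example for the question above; it is not code from the thread, from the poster, or from the AFWall+ project. It builds the rules an AFWall+ custom script could apply so that hosts on the LAN can reach a listener on the phone (an SSH server, or adbd on port 5555 for wireless adb) while the same port stays closed to everything else. Only the $IPTABLES variable is taken from the custom-script line quoted later in this thread; the INPUT/OUTPUT chains, the conntrack match, the 192.168.1.0/24 subnet, the wlan0 interface and the assumption that AFWall+ does not flush OUTPUT after running the custom script are mine. The listener's UID (adbd runs as the shell UID) still has to be allowed for Wi-Fi in the AFWall+ app list, because AFWall+ filters outgoing packets per UID.

```shell
#!/bin/sh
# Added example (not AFWall+ project code): rules for an AFWall+ custom
# script that let hosts on the LAN reach a listener on the phone (sshd, or
# adbd on 5555 for wireless adb) while the same port stays closed to
# everything else. $IPTABLES is the variable AFWall+ hands to custom scripts;
# chain names, the conntrack match, subnet and interface are assumptions.

IPTABLES="${IPTABLES:-iptables}"

# gen_lan_port_rules PORT CIDR IFACE
#   prints the iptables commands to stdout; returns 1 on malformed input so a
#   typo cannot turn into an "allow from anywhere" rule
gen_lan_port_rules() {
  port="$1"; cidr="$2"; iface="$3"
  case "$port" in
    ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2; return 1
  fi
  case "$cidr" in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
    *) echo "expected IPv4 CIDR, got: '$cidr'" >&2; return 1 ;;
  esac
  [ -n "$iface" ] || { echo "missing interface name" >&2; return 1; }

  # 1. new connections to the port: only from the LAN subnet, only on Wi-Fi
  printf '%s -I INPUT -i %s -s %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$IPTABLES" "$iface" "$cidr" "$port"
  # 2. replies of those connections; -I places this ahead of AFWall+'s own
  #    per-UID OUTPUT rules (assumes AFWall+ does not flush OUTPUT afterwards)
  printf '%s -I OUTPUT -o %s -d %s -p tcp --sport %s -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' \
    "$IPTABLES" "$iface" "$cidr" "$port"
  # 3. the port from any other source or interface (mobile data, tether) is dropped
  printf '%s -A INPUT -p tcp --dport %s -j DROP\n' "$IPTABLES" "$port"
}

# On the phone, in a root shell or from the AFWall+ custom script:
#   gen_lan_port_rules 5555 192.168.1.0/24 wlan0 | sh
```

Restricting the source to the LAN subnet is the minimum: wireless adb hands a shell to anyone who can reach the port, so an SSH server with key authentication is the better choice, and adb over Wi-Fi should stay off when it is not in use.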
 

starbright_

Senior Member
Maybe I didn't understand the concept of LAN and Wi-Fi (I thought LAN is cable). Does it mean an app that is only allowed LAN cannot send data out of the local network? Does it mean that usage of AirDroid, for example (for exchanging photos and music between PC and phone), is safe, as all data stays in the local Wi-Fi network and can't be sent to some external servers?
 

SilentDevGuy

Senior Member
Hello all,

I have fixed the logging issue for both LOG/NFLOG chains. Instead of using toasts, I have been thinking of using notifications to show the denied requests. Adding this to the notification bar helps in enabling more features like giving an exemption for an app, or even showing allowed requests as well.

Wanted to get community inputs on this.
Sounds like a great idea
 

ukanth

Recognized Developer
Maybe I didn't understand the concept of LAN and Wi-Fi (I thought LAN is cable). Does it mean an app that is only allowed LAN cannot send data out of the local network? Does it mean that usage of AirDroid, for example (for exchanging photos and music between PC and phone), is safe, as all data stays in the local Wi-Fi network and can't be sent to some external servers?
That's correct. Only local network traffic is allowed. For discovery of devices, you may need to enable "mDNS" from the list.
 

starbright_

Senior Member
You need to disable Captive Portal using adb. https://github.com/ukanth/afwall/wiki/FAQ (#61)

I have to test that, but @savelbys ( https://forum.xda-developers.com/m/savelbys.10610043/) reported that it doesn't help. But maybe he did not follow that link: https://github.com/ukanth/afwall/issues/761

Also I found that enabling just "Captive Portal" is not enough. I had to add "Network Stack" to the whitelist to get rid of that. Even more: you can keep "Captive Portal" on the blacklist; just enabling "Network Stack" is enough (LOS 18/A11).

Even more important (as you might ignore that Wi-Fi reports no connection):
I had problems that notifications by messengers do not fire. Obviously they need that setting too. So please take that into account, as others might run into the same problem.
I have to do further tests to find out whether there might be another workaround.
 


mustardseeds

Member
For some reason it just doesn't work sometimes. As a test I checked off all the boxes for Firefox, applied the rules, restarted the phone, but I can still browse web pages. Yes, "block selected" is selected, and yes, the firewall is enabled.

This only happens when I'm connected to a VPN, which is most of the time. I thought AFWall+ was supposed to be able to work with a VPN?
 

ukanth

Recognized Developer
Hello all,

Here is the PREBETA version of 3.5.0 with lots of fixes. It should be compatible with Private DNS (you may need to reapply the rules manually for now; I will fix this behaviour) along with support for Android 10 and 11.

Firewall log logic has been rewritten and I have been testing it for a week. You may need to disable battery optimization for AFWall+;
I have not added that check in the LogService.


As usual, kindly test it and raise any issues on github.

Issues/fixes for 3.5.0 -> https://github.com/ukanth/afwall/issues?q=is:open+is:issue+milestone:3.5.0
 

Attachments

  • AFWall_3.5.0-PREBETA-2.apk
    13.7 MB

IronTechmonkey

Recognized Contributor
Feedback from Android 8.2/LOS 15.1 w/Magisk, clean install of AFWall+ pre-beta, then import of rules and settings, then review of settings:

- Notifications for block messages are IMO a smoother experience now, more visually consistent than toasts of different sizes were, and now interactive, providing a path to the log in the app. Nicely implemented.

- After installation, then import of settings and review of settings, there was no logging, but after force closing then restarting the app the logging and notification seemed to function okay. When I check other devices I'll test an AFWall+ upgrade in place to see if logging persists in that case.

- Most important to my use case: after a reboot the logging started on its own without having to be toggled in the app. Wahoo!

- Less important to my use case but a challenging test nonetheless is the intense barrage of network requests thrown at the firewall by MX Player. The logging and network notification did not get overwhelmed and were therefore able to block and notify about network requests made by MX Player up to a minute after the app was closed and swiped from recents.

It should be noted that I'm testing on a device with robust specifications, which would be less prone to the effects of intense activity (FCs). After a day or so I'll try to test on a less powerful device.

Looking good so far.
Thanks!
 

n0j0e

Senior Member
Tried the new pre-beta on LOS 18.1 (crDroid 7.3, A11) with a fresh install of AFWall+.

If I try to import the settings/rules from the previous 3.4.0, I get a "denied read permission" rule toast, and there is no permission I can allow for it in the Android app settings. The weird thing is I can export rules. 😁

Also, activation of the firewall didn't work. Root permission is allowed with Magisk 22. Also set the LSPosed module active, with several reboots..

Sorry, no time for logs.. I'll give them later in the day.
 

savelbys

Member
su
setenforce 0
settings put global captive_portal_mode 0
setenforce 1
--------------------------------------------------------------------------------
if it still does not work

in terminal/shell/adb (try all)

adb shell 'settings put global captive_portal_detection_enabled 0'
adb shell 'settings put global captive_portal_server localhost'
adb shell 'settings put global captive_portal_mode 0'

su
settings put global captive_portal_detection_enabled 0
settings put global captive_portal_server localhost
settings put global captive_portal_mode 0

su
pm disable com.android.captiveportallogin
reboot
--------------------------------------------------------------------------------
if it still does not work

AFWall+ custom script containing

. /data/local/disablecaptiveportal.sh

with that file containing

#disable Captive Portal

settings put global captive_portal_detection_enabled 0
settings put global captive_portal_server localhost
settings put global captive_portal_mode 0

settings put global captive_portal_mode_ignore 1
--------------------------------------------------------------------------------
if it still does not work, change to this in the custom script

$IPTABLES -A "afwall" -p udp --dport 53 -j ACCEPT
--------------------------------------------------------------------------------
if it still does not work

activate [10141] CaptivePortal in AFWall+
--------------------------------------------------------------------------------
if it still does not work

activate [-11] Linux kernel in AFWall+, check, and then

[1073] Tethering, Cell Broadcast Service, Network manager, com.android.server.NetworkPermissionConfig in AFWall+
--------------------------------------------------------------------------------
when everything else does not work, this will work

activate Network Stack; if that is not enough, [1000] Android System, Advanced Settings, Setup Wizard in AFWall+
--------------------------------------------------------------------------------
 

starbright_

Senior Member
I have not been able to make a script on my SD card or internal storage executable, even with adb and root. There must be a change in LOS 18/A11 over 17/A10.

Does anyone know how to handle that?
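An added example for the problem above; it is not from the post or from the AFWall+ project. On Android the external storage mounts (/storage/emulated, /mnt/media_rw/...) carry the noexec mount option and their filesystem layer does not keep the executable bit, so chmod +x never makes a script there runnable, on any Android version; that this is what the poster hit is an assumption, which the functions below let you verify. They read a mount table in /proc/mounts format, find the mount that holds a path and report whether it is noexec. The mount table at the end is constructed, not captured from a device.

```shell
#!/bin/sh
# Added example (not AFWall+ code): find out whether a script path sits on a
# noexec mount, which is the usual reason "chmod +x" has no effect on
# /sdcard or /storage on Android. The mount table is passed in as text in
# /proc/mounts format: "device mountpoint fstype options dump pass".

# mount_point_for PATH MOUNTS -> prints "<mountpoint> <options>" for the
# longest mount point that is a prefix of PATH (the one the kernel resolves
# the path to). Mount points containing spaces appear as \040 in
# /proc/mounts and are not handled here.
mount_point_for() {
  printf '%s\n' "$2" | awk -v p="$1" '
    NF >= 4 {
      mp = $2
      if (mp == "/" || p == mp || index(p, mp "/") == 1) {
        if (length(mp) > length(best)) { best = mp; opts = $4 }
      }
    }
    END { if (best != "") print best, opts }'
}

# is_noexec PATH MOUNTS -> 0 if PATH is on a noexec mount, 1 if exec is
# allowed, 2 if no mount matched. Options are comma separated; match whole
# words so "noexec" is not confused with a longer option name.
is_noexec() {
  line=$(mount_point_for "$1" "$2")
  [ -n "$line" ] || return 2
  opts=${line#* }
  case ",$opts," in
    *,noexec,*) return 0 ;;
    *)          return 1 ;;
  esac
}

# why_not_executable PATH MOUNTS -> one-line diagnosis
why_not_executable() {
  line=$(mount_point_for "$1" "$2")
  if [ -z "$line" ]; then
    echo "$1: no mount found for this path"
  elif is_noexec "$1" "$2"; then
    echo "$1: on ${line%% *} (noexec); chmod +x has no effect, run it as 'sh $1' or copy it to /data/local"
  else
    echo "$1: on ${line%% *} (exec allowed); check the file mode, owner and SELinux context instead"
  fi
}

# Constructed sample of /proc/mounts lines (not captured from a real device)
SAMPLE_MOUNTS='/dev/block/dm-0 / ext4 ro,seclabel,relatime 0 0
/dev/block/by-name/userdata /data f2fs rw,lazytime,seclabel,nosuid,nodev,noatime 0 0
/dev/fuse /storage/emulated fuse rw,lazytime,nosuid,nodev,noexec,noatime,user_id=0,group_id=0 0 0
/dev/block/vold/public:179,65 /mnt/media_rw/1234-ABCD vfat rw,dirsync,nosuid,nodev,noexec,relatime 0 0'

# Live use on the phone (resolve symlinks first; /sdcard points into /storage/emulated):
#   why_not_executable "$(readlink -f /sdcard/script.sh)" "$(cat /proc/mounts)"
why_not_executable /storage/emulated/0/script.sh "$SAMPLE_MOUNTS"
why_not_executable /data/local/script.sh "$SAMPLE_MOUNTS"
```

The fix that works on every version is to run the file as sh /sdcard/script.sh, or to copy it to /data/local (where the thread's custom script also lives), which is mounted with exec allowed.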
 

Top Liked Posts

  • 2
    I have two entries for that option - which one should I select?
    I'v got the same entries as well. It got me wondering what the two are.
    Came across this for the for the two options and what they mean.

    • post-fs-data mode
      • This stage is BLOCKING. The boot process is paused before execution is done, or 10 seconds have passed.
      • Scripts run before any modules are mounted. This allows a module developer to dynamically adjust their modules before it gets mounted.
      • This stage happens before Zygote is started, which pretty much means everything in Android
      • Run scripts in this mode only if necessary!
    • late_start service mode ( service.d )
      • This stage is NON-BLOCKING. Your script runs in parallel along with the booting process.
      • This is the recommended stage to run most scripts!
    This is taken from the Magisk guide

    2
    So, should we use post-fs-data mode, or is this too risky, in that it could lock up the device if something is wrong?
    At the moment I'm using the post-fs-data.d option. It may take a bit longer to start.
    While I do get errors occasionally, mainly with applying rules, it still blocks connections to apps. I don't think it's due to the startup configuration (check GitHub, as other people have issues too).
    My startup is also slow due to the other crap on my phone as well, and mainly needs time to settle down, so to speak.
    Also, looking back on this post, not everyone has the same options. @Uluru25 has the service.d option only, while I don't have his device but @EEngineer has completely different options.
    As to which option to use, it will be up to you, but the Magisk guide does recommend using the service.d option in most cases.

  • 4
    Wow - so apps can get internet access for around a minute right after bootup (before afwall can apply the rules).
    Yes, they could, and that's all some apps need to send info home, but the simplest way around that is to turn off mobile internet as well as Wi-Fi before a reboot and wait about a minute after boot for the firewall to have started before reconnecting internet access :)
    2
    I know this may sound like a newbie question, but I just want to understand how this app works.

    From what I understand, it modifies the "IPTables" which I believe are config files that tell the internal network system how to route data packets.
    No, it is not any config files...
    It is the name of the networking functionality of the kernel.
    Its rules are kept in memory and need to be reapplied after each boot.
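As an added example (not code from the thread, from AFWall+ or from Magisk): a Magisk service.d watchdog for the boot window the posts above describe, where rules live only in memory and apps may reach the network before AFWall+ has reapplied them. It waits for boot to complete, gives AFWall+ a grace period, and if the afwall chain (the chain name appears in the custom-script line earlier in this thread) is still not hooked into OUTPUT it switches the OUTPUT policy to DROP, so a firewall that failed to start fails closed instead of open. Assumed: iptables, ip6tables, getprop and log are on PATH as on Android, AFWall+ hooks OUTPUT with a -j afwall rule, and 60 seconds is enough grace time; the functions that inspect the rule listing take it as text so they can be exercised off-device.

```shell
#!/bin/sh
# Added example (not AFWall+ or Magisk code): fail-closed watchdog for the
# boot window in which AFWall+ has not yet reapplied its in-memory rules.
# Meant for /data/adb/service.d on Magisk. Assumptions: iptables/ip6tables,
# getprop and log are on PATH (Android), AFWall+ hooks the filter OUTPUT
# chain with a "-j afwall" rule, and 60 s is enough grace time.

GRACE_SECONDS="${GRACE_SECONDS:-60}"

# has_afwall_jump RULES -> 0 if RULES (the text of `iptables -S OUTPUT`)
# contains a rule in OUTPUT that jumps to the afwall chain
has_afwall_jump() {
  printf '%s\n' "$1" | grep -Eq -- '^-A OUTPUT( .*)? -j afwall( |$)'
}

# decide_action RULES -> "ok" when the firewall is hooked in, else "failclose"
decide_action() {
  if has_afwall_jump "$1"; then echo ok; else echo failclose; fi
}

# fail_closed: drop everything that is not loopback until AFWall+ (or a
# reboot, since this lives in memory too) changes the policy back
fail_closed() {
  for ipt in iptables ip6tables; do
    "$ipt" -I OUTPUT -o lo -j ACCEPT
    "$ipt" -P OUTPUT DROP
  done
}

# watchdog: the boot-time flow
watchdog() {
  while [ "$(getprop sys.boot_completed 2>/dev/null)" != "1" ]; do sleep 2; done
  sleep "$GRACE_SECONDS"
  rules=$(iptables -S OUTPUT 2>/dev/null)
  case "$(decide_action "$rules")" in
    ok) log -t afwall-watchdog "afwall chain hooked into OUTPUT, nothing to do" ;;
    failclose)
      fail_closed
      log -t afwall-watchdog "afwall chain missing ${GRACE_SECONDS}s after boot; OUTPUT policy set to DROP"
      ;;
  esac
}

# Only run the boot flow on a device; the functions above can be sourced
# and exercised elsewhere.
if [ -x /system/bin/getprop ]; then
  watchdog
fi
```

Copy the script to /data/adb/service.d/afwall-watchdog.sh and chmod 0755 it as root; keep it root-owned and not group- or world-writable, since anything in that directory runs as root on every boot. A DROP policy it sets lives only in memory, like the rules themselves, so a reboot, or iptables -P OUTPUT ACCEPT once AFWall+ is working, undoes it.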

    1
    I know this may sound like a newbie question, but I just want to understand how this app works.

    From what I understand, it modifies the "IPTables" which I believe are config files that tell the internal network system how to route data packets.

    So, if this app modifies the IPTables files to apply my rules, then why when I reboot my device, it displays "Applying Rules" again on boot up? Meaning, if the IPTables were modified when I last used this app, then I would think these IPTables files would remember their settings in-between boots, so there should be no reason to reapply them after a reboot. So why does this app need to reapply the same rules after a reboot?

    Or is it that any changes to the IPTables are only valid for the current device session, and when the device gets rebooted, the iptables are cleared, and that is why this app needs to reapply them?

    If this second theory is the case, then does that mean that apps (that I blocked in AFWall+) will be able to reach the internet for the first ~30 seconds right when the device is booting up, but before AFWall+ has the chance to reapply the rules?

  • 384
    Welcome to official support page for AFWall+

    Disclaimer - As usual, I will not take any responsibility if something goes wrong when using AFWall+.

    Introduction
    AFWall+ is an improved version of DroidWall (a front-end application for the powerful iptables Linux firewall). It allows you to restrict which applications are permitted to access your data networks (2G/3G/4G/LTE and/or Wi-Fi, and while roaming). Since the original author of DroidWall discontinued the project, I decided to keep the app instead of Avast Firewall. I'll continue to add more features as I can.


    Features
    - Supports 5.x to 11.x
    - Import/Export Rules to external storage
    - Search Applications
    - Multiple Profiles with custom names
    - Tasker/Locale support
    - Select All/None/Invert/Clear applications with single click
    - Revamped Rules/Logs Viewer with copy/export to external storage
    - Ability to view the network interfaces
    - Highlight system applications with custom color
    - Notify on new installations
    - Ability to hide application icons( faster loading )
    - Use LockPattern for application protection.
    - Show/Hide application ID.
    - Roaming Control for 3G/Edge
    - VPN Control
    - LAN Control
    - Tether Control
    - IPV6 Control
    - Tor Control
    - Choosable languages
    - Choosable iptables/busybox binary
    - Supports MIPS/x86/ARM
    - DNS Hostname

    Changelog - See third Post
    Current Version - 3.5.2

    To get Unlocker without Google services - Please follow the instructions here

    AFWall+ BETA Program
    1) AFWall+ opt-in for beta program
    2) Install AFWall+ and If you have any issues, just send email from (Menu -> Firewall Rules - > Send error report)

    Source Code/Wiki/FAQ
    AFWall+ is a free & open-source application
    Github
    Log an issue
    Frequently Asked Questions
    Many Thanks to @CHEF-KOCH

    Translations
    Translations - Please help me with translations in your language.
    http://crowdin.net/project/afwall

    Thanks To/Credits
    - German translations by [email protected] & [email protected] & [email protected]
    - French translations by [email protected] & [email protected]
    - Russian translations by [email protected] & YaroslavKa78
    - Spanish translations by [email protected]
    - Dutch translations by [email protected]
    - Japanese translation by [email protected]
    - Ukrainian translation by [email protected]
    - Slovenian translation by bunga [email protected]
    - Chinese Simplified translation by [email protected]
    - Polish translations by tst,Piotr [email protected]
    - Swedish translations by [email protected]
    - Greek Translations by [email protected]
    - Portuguese translations by [email protected]
    - Chinese Traditional by [email protected]
    - Chinese Simplified by wuwufei,tianchaoren @ crowdin
    - Italian translations by [email protected]
    - Romanian tranlations by [email protected]
    - Czech translations by Syk3s

    Cheers,
    ukanth

    XDA:DevDB Information
    AFWall+ [ IPTables Firewall ], App for the Android General

    Contributors
    ukanth
    Source Code: https://github.com/ukanth/afwall


    Version Information
    Status:
    Stable
    Current Stable Version: 3.4.0
    Stable Release Date: 2020-02-09
    Current Beta Version: 3.5.0-BETA1
    Beta Release Date: 2020-09-05

    Created 2013-12-03
    Last Updated 2020-09-05
    70
    Version 3.0.1

    * Fix: Status toggle widget 1x1
    * Fix: Ability to hide ongoing notification (Stop firewall and restart to hide after disable it in preferences)
    * Fix: Firewall error notification on oreo and above
    * Security: Tile toggle checks for password
    * User reported crashes
    * Updated translations

    Previous version 3.0.0

    Features:
    * Better support for nougat/oreo and pie.
    * Firewall toggle tile
    * Adaptive Icons
    * Notification channels
    * Tor support

    Bugs:
    * General bug fixes and crash reports.
    * Language selection bug
    * Filter selection bug
    * Compatible with magisk 17.x
    * Better handling of background process
    * Drops support for 4.x devices
    * Update languages
    * Updated libraries

    Complete Changelog

    41
    Hello All,

    After careful analysis and testing, I decided not to rewrite the way rules are being applied, due to the lot of under-the-hood changes required. Instead I added a few enhancements. Now applying rules from the menu will show how many rules are getting applied, with progress status. Also, when adding/removing a few rules, it will apply only those related rules instead of a full apply.

    Also fixed couple of bugs and enhancements. You can get the full changelog from https://github.com/ukanth/afwall/blob/beta/Changelog.md

    This is BETA Version which is not released on playstore. I have been using this for past week and it's stable. But there might be bugs which I haven't encountered. Please test it and report it in case of any issues.

    Also I have been following the XPrivacy thread on the decision by its author. Just as FYI, I might fix it for my own usage when I update to Nougat; I will share it here if anybody uses it here.

    BETA Link - https://www.dropbox.com/s/isvi413qyx6vb4d/AFWall+ 2.9.7-BETA-TESTER.apk?dl=0
    40
    Hello everyone,

    I have released 3.0.0 stable on the Play Store today. It's been a crazy month so far. After going through a lot of dilemma over whether to support the existing AFWall+ or write a new one from scratch, I was finally able to pull myself together and release a stable version of AFWall+ with lots of bug fixes and new features along with Pie support. Since I don't do full-time Android development, it was hard to keep track of what's going on with SDK level changes.

    Thank you all for your support in AFWall+ development. Without your support it would simply not be possible to pull through this.

    I will be out for a couple of days (taking off to spend time with my family) and hopefully will be able to reply to questions once back.

    Thanks again and have a great day.
    35
    Hello everyone,

    I have released the stable version of 3.1.0 to the Play Store and GitHub. It's live on the Play Store. You can find the changelog along with md5/sha here:

    https://github.com/ukanth/afwall/releases/tag/v3.1.0

    Thank you all for your continuous support in AFWall+ development.