[5.0+][ROOT][3.5.2] AFWall+ IPTables Firewall [16 May 2021]


ukanth

Recognized Developer
Nov 30, 2010
1,517
5,239
Nexus 7 (2013)
OnePlus X
+1 to the added functionality available through the notification...

... as long as it does not get bogged down when apps create rapid and persistent notifications, in some cases up to many per second for several minutes.
I was thinking more on removing toast functionality and introduce only notification based ?
 

IronTechmonkey

Recognized Contributor
Feb 12, 2013
7,785
11,098
I was thinking more on removing toast functionality and introduce only notification based ?

Yep. I understood that and am all in for using notification instead of toasts. I was just thinking of a past issue where frequent block toasts would cause an FC and am now wondering how the notification would handle that. Perhaps even better than toasts. I'm looking forward to testing - and know of a few misbehaving apps to throw at it. :)
 

starbright_

Senior Member
Apr 11, 2010
1,301
212
I kindly ask for help. I would like to get rid of usb cable for transfer data PC<->phone. Either by running a ssh server on phone or by wireless adb.
It seems not enough to enable adb in FW as it seems to block traffic that is initiated from outside (that how it looks like, right?).
Please: can someone explain how and what to set to open a port for this?
I am a noob with rules - so can you give me some guidance. Thank you.
 

starbright_

Senior Member
Apr 11, 2010
1,301
212
Maybe I didn't understand the concept of LAN and Wifi. (I thought LAN is cable). Does it mean an app that is only allowed LAN can not send data out of local network? Does it mean that usage of AirDroid as example (for exchange of photos and music between PC and phone) is safe - as all data is kept in local wifi network, and can't be sent to some external servers?
 

SilentDevGuy

Senior Member
  • Feb 10, 2021
    71
    21
    Hello all,

    I have fixed the logging issue for both LOG/NFLOG chains. Instead of using toasts, I have been thinking of using notification to show the denied requests. Adding this to notification bar helps in enabling more features like giving exemption for an app or even show allowed requests as well.

    Wanted to get community inputs on this.
    Sounds like a great idea
     

    ukanth

    Recognized Developer
    Nov 30, 2010
    1,517
    5,239
    Nexus 7 (2013)
    OnePlus X
    Maybe I didn't understand the concept of LAN and Wifi. (I thought LAN is cable). Does it mean an app that is only allowed LAN can not send data out of local network? Does it mean that usage of AirDroid as example (for exchange of photos and music between PC and phone) is safe - as all data is kept in local wifi network, and can't be sent to some external servers?
    That's correct. Only local network traffic allowed. For discovery of devices, you may need to enable "mDNS" from list.
     

    starbright_

    Senior Member
    Apr 11, 2010
    1,301
    212
    You need to disable Captive Portal using adb. https://github.com/ukanth/afwall/wiki/FAQ (#61)

    I have to test that, but @savelbys ( https://forum.xda-developers.com/m/savelbys.10610043/) reported that it doesn't help. But maybe he did not follow that link: https://github.com/ukanth/afwall/issues/761

    Also I found that enabling just "portal capture" is not enough. I have to add "network stack" to the whitelist to get rid of that. Even more - you can keep "captive portal" on blacklist - just enabling "network stack" is enough (LOS 18/A 11).

    Even more important (as you might ignore that Wifi reports no connection):
    I had problems that notifications by messengers do not fire. Obviously they need that setting too. So please take that into account if maybe others might run into the same problem.
    I have to do further tests to find out whether there might be another workaround.
     


    mustardseeds

    Member
    Jan 10, 2021
    9
    1
    For some reason it just doesn't work sometimes. As a test I checked off all the boxes for firefox, applied the rules, restarted the phone, but I still can browse web pages. Yes "block selected" is selected and yes the firewall is enabled.

    This only happens when I'm connected to VPN, which is most of the time. I thought AFwall was supposed to be able to work with VPN?
     

    ukanth

    Recognized Developer
    Nov 30, 2010
    1,517
    5,239
    Nexus 7 (2013)
    OnePlus X
    Hello all,

    Here is the PREBETA version of 3.5.0 with lots of fixes. It should be compatible with Private DNS (you may need to reapply the rules manually for now - I will fix this behaviour) along with support for android 10,11.

    Firewall logs logic has been rewritten and I have been testing it for a week. You may need to disable battery optimization for AFWall+
    I have not added that check in the LogService.


    As usual, kindly test it and raise any issues on github.

    Issues/fixes for 3.5.0 -> https://github.com/ukanth/afwall/issues?q=is:open+is:issue+milestone:3.5.0
     

    Attachments

    • AFWall_3.5.0-PREBETA-2.apk
      13.7 MB · Views: 93

    IronTechmonkey

    Recognized Contributor
    Feb 12, 2013
    7,785
    11,098
    Hello all,

    Here is the PREBETA version of 3.5.0 with lots of fixes. It should be compatible with Private DNS (you may need to reapply the rules manually for now - I will fix this behaviour) along with support for android 10,11.

    Firewall logs logic has been rewritten and I have been testing it for a week. You may need to disable battery optimization for AFWall+
    I have not added that check in the LogService.


    As usual, kindly test it and raise any issues on github.

    Issues/fixes for 3.5.0 -> https://github.com/ukanth/afwall/issues?q=is:open+is:issue+milestone:3.5.0

    Feedback from Android 8.2/LOS 15.1 w/Magisk, clean install of AFwall+ pre-beta then import of rules and settings, then review of settings:

    - Notifications for block messages is IMO a smoother experience now, more visually consistent than were toasts of different sizes, and now interactive - providing a path to the login the app. Nicely implemented.

    - After installation then import of settings and review of settings there was no logging but after force closing then restarting the app the logging and notification seemed to function okay. When I check other devices I'll test an Afwall+ upgrade in place to see if logging and persists in that case.

    - Most important to my usage case, after a reboot the logging started on its own without having to be toggled in the app. Wahoo!

    - Less important to my usage case but a challenging test nonetheless, is the intense barrage of network requests thrown at the firewall by MX Player. The logging and network notification did not get overwhelmed and was therefore able to block and notify about Network request made by MX Player up to a minute after the app was closed and swiped from recents.

    It should be noted that I'm testing on a device with robust specifications which would be less prone to the effects of intense activity (FCs). After a day or so I'll try to test on a less powerful device.

    Looking good so far.
    Thanks!
     

    n0j0e

    Senior Member
    Tried the new pre-beta on LOS18.1 (crDroid 7.3, A11) with a fresh install of AFWall.

    If I try to import the settings/rules from previous 3.4.0 I get a denied read permission rule toast and there is no permission I can allow in Android app settings. The weird thing is I can export rules. 😁

    Also activation of the Firewall didn't work. root permission allowed with Magisk 22. Set also LSPosed module active with several reboots..

    Sry no time for logs.. give it later at day.
     

    savelbys

    Member
    Mar 9, 2020
    34
    9
    su
    setenforce 0
    settings put global captive_portal_mode 0
    setenforce 1
    --------------------------------------------------------------------------------------------------------------------------------
    if it still does not work

    in terminal/shell/adb (try all)

    adb shell 'settings put global captive_portal_detection_enabled 0'
    adb shell 'settings put global captive_portal_server localhost'
    adb shell 'settings put global captive_portal_mode 0'

    su
    settings put global captive_portal_detection_enabled 0
    settings put global captive_portal_server localhost
    settings put global captive_portal_mode 0

    su
    su
    pm disable com.android.captiveportallogin
    reboot
    --------------------------------------------------------------------------------------------------------------------------------
    if it still does not work

    Customscript at . /data/local/disablecaptiveportal.sh with

    #disable Captive Portal

    settings put global captive_portal_detection_enabled 0
    settings put global captive_portal_server localhost
    settings put global captive_portal_mode 0

    settings put global captive_portal_mode_ignore 1
    --------------------------------------------------------------------------------------------------------------------------------
    if it still does not work change to that in the custom script

    $IPTABLES -A "afwall" -p udp --dport 53 -j ACCEPT
    --------------------------------------------------------------------------------------------------------------------------------
    if it still does not work

    activate [10141] CaptivePortal in AFWall+
    --------------------------------------------------------------------------------------------------------------------------------
    if it still does not work

    activate [-11] Linux kernel in AFWall+, check and then

    [1073] Tethering, Cell Broadcast Service, Network manager, com.android.server.NetworkPermissionConfig in AFWall+
    --------------------------------------------------------------------------------------------------------------------------------
    when everything does not work, this will work

    activate Network Stack, if that is not enough [1000] Android System, Advanced Settings, Setup Wizard in AFWall+
    --------------------------------------------------------------------------------------------------------------------------------
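A read-only check for the steps in the post above, as an added example that is not part of the original post or of AFWall+: it reports which captive_portal_* settings are in effect and lists ACCEPT rules in the afwall chain that are not tied to a UID, such as the UDP port 53 rule. The sample settings and rules are constructed, and the verdict assumes that captive_portal_mode=0 or captive_portal_detection_enabled=0 means detection is off.

```sh
#!/bin/sh
# Added example (not from the thread): audit the outcome of the steps above.
# On a rooted device, feed it live data instead of the samples:
#   settings list global | captive_portal_report
#   iptables -S afwall   | unscoped_accepts

# Reads `settings list global` output (key=value lines). Prints each
# captive_portal_* key, then a verdict line. Assumption: detection counts as
# disabled when captive_portal_mode=0 (current Android) or
# captive_portal_detection_enabled=0 (older releases).
captive_portal_report() {
    awk '
        /^captive_portal_/ {
            i = index($0, "=")          # split on the first "=" only
            k = substr($0, 1, i - 1)
            v = substr($0, i + 1)
            print k " = " v
            seen[k] = v
        }
        END {
            if (seen["captive_portal_mode"] == "0" ||
                seen["captive_portal_detection_enabled"] == "0")
                print "verdict: disabled"
            else
                print "verdict: active"
        }'
}

# Reads `iptables -S <chain>` output and prints every ACCEPT rule without an
# owner match: such a rule applies to all apps, not to one UID.
unscoped_accepts() {
    grep -e '-j ACCEPT' | grep -v -e '-m owner' || true
}

# Constructed sample data, for illustration only.
SAMPLE_SETTINGS='airplane_mode_on=0
captive_portal_mode=0
captive_portal_server=localhost
wifi_on=1'

SAMPLE_RULES='-N afwall
-A afwall -m owner --uid-owner 10141 -j ACCEPT
-A afwall -p udp -m udp --dport 53 -j ACCEPT'

printf '%s\n' "$SAMPLE_SETTINGS" | captive_portal_report
printf '%s\n' "$SAMPLE_RULES" | unscoped_accepts
```

A port 53 ACCEPT with no owner match lets every app, including blocked ones, send DNS traffic, so it is the widest of the options listed in the post.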
     

    starbright_

    Senior Member
    Apr 11, 2010
    1,301
    212
    I have not been able to make a script on my sd-card or internal card executable. Even with adb and root. There must be a change in LOS18/A11 over 17/A10.

    Anyone knows how to handle that?
     

    Top Liked Posts

    • 3
      I know you mentioned that you would try to fix this issue in 3.5.2, but I did not see a clear confirmation if it was.

      So was this issue fixed in 3.5.2?

      https://github.com/ukanth/afwall/issues/1207 "[ISSUE] After turning off log service, it continues to generate block notifications #1207"
      Yes. that's fixed in 3.5.2
      3
      @ukanth Might I ask if there is an answer and/or an update to this issue in 3.5.2? I downgraded to 3.4.0 again since I had the impression some apps were able to get around my VPN DNS with 3.5.0 and DNS via netd not disabled. (apps with root access have full internet access allowed on my device in both cases)
      In 3.5.x along with UDP, tcp also blocked for port 53 if you disable dns via netd. That was the only change.
      3
      What just happened ukanth?
      Tried to upgrade from v3.5.2 to v3.5.2.1 from F-Droid.
      This completely f... up AFWall, lost config and rules, app crashes all the time.
      So I decided to delete cache, storage, remove device admin and uninstall the app.
      Reboot the OP8P (on crDroid v7.6 A11) and freshly installed v3.5.2, set rules & config manually.
      And now it's blazingly fast!!! (y) Which is good for sure! Applying ~180 rules takes less than a second now. Took ~30s before with frequent app crashes. And all the errors I've described above are gone!

      Only thing I need now is init.d or something to enable pre-boot protection. As I'm using root with Magisk v23, any ideas how to get pre-boot / startup protection activated?

      And still cannot update to v3.5.2.1... No Play store installed.
      Afaik v 3.5.2 & 3.5.1 are not available on f-droid, the latest there is v 3.5.2.1 & before it is v 3.5.0.
      For using magisk you need to choose "startup directory path for script" & tick "fix startup data leak" in preferences>experimental
      1
      lost all my rules & settings after updating to 3.5.2 :(
      1
      lost all my rules & settings after updating to 3.5.2 :(
      Rules will be under /emularor/0/sdcard/afwall. You may have to navigate up in the folder.
    • 383
      Welcome to official support page for AFWall+

      Disclaimer - As Usual. I'll not take any responsibility if something goes wrong when using AFWall+

      Introduction
      AFWall+ is an improved version of DroidWall (front-end application for the powerful iptables Linux firewall). It allows you to restrict which applications are permitted to access your data networks (2G/3G/4G/LTE and/or Wi-Fi and while in roaming). Since the original author of Droidwall discontinued the project, I decided to keep the app instead of Avast Firewall. I'll continue to add more features as I can.


      Features
      - Supports 5.x to 11.x
      - Import/Export Rules to external storage
      - Search Applications
      - Multiple Profiles with custom names
      - Tasker/Locale support
      - Select All/None/Invert/Clear applications with single click
      - Revamped Rules/Logs Viewer with copy/export to external storage
      - Ability to view the network interfaces
      - Highlight system applications with custom color
      - Notify on new installations
      - Ability to hide application icons( faster loading )
      - Use LockPattern for application protection.
      - Show/Hide application ID.
      - Roaming Control for 3G/Edge
      - VPN Control
      - LAN Control
      - Tether Control
      - IPV6 Control
      - Tor Control
      - Choose able languages
      - Choose able iptables/busybox binary
      - Supports MIPS/x86/ARM
      - DNS Hostname

      Changelog - See third Post
      Current Version - 3.5.2

      To get Unlocker without Google services - Please follow the instructions here

      AFWall+ BETA Program
      1) AFWall+ opt-in for beta program
      2) Install AFWall+ and If you have any issues, just send email from (Menu -> Firewall Rules - > Send error report)

      Source Code/Wiki/FAQ
      AFWall+ is a free & open-source application
      Github
      Log an issue
      Frequently Asked Questions
      Many Thanks to @CHEF-KOCH

      Translations
      Translations - Please help me with translations in your language.
      http://crowdin.net/project/afwall

      Thanks To/Credits
      - German translations by [email protected] & [email protected] & [email protected]
      - French translations by [email protected] & [email protected]
      - Russian translations by [email protected] & YaroslavKa78
      - Spanish translations by [email protected]
      - Dutch translations by [email protected]
      - Japanese translation by [email protected]
      - Ukrainian translation by [email protected]
      - Slovenian translation by bunga [email protected]
      - Chinese Simplified translation by [email protected]
      - Polish translations by tst,Piotr [email protected]
      - Swedish translations by [email protected]
      - Greek Translations by [email protected]
      - Portuguese translations by [email protected]
      - Chinese Traditional by [email protected]
      - Chinese Simplified by wuwufei,tianchaoren @ crowdin
      - Italian translations by [email protected]
      - Romanian translations by [email protected]
      - Czech translations by Syk3s

      Cheers,
      ukanth

      XDA:DevDB Information
      AFWall+ [ IPTables Firewall ], App for the Android General

      Contributors
      ukanth
      Source Code: https://github.com/ukanth/afwall


      Version Information
      Status:
      Stable
      Current Stable Version: 3.4.0
      Stable Release Date: 2020-02-09
      Current Beta Version: 3.5.0-BETA1
      Beta Release Date: 2020-09-05

      Created 2013-12-03
      Last Updated 2020-09-05
      70
      Version 3.0.1

      * Fix: Status toggle widget 1x1
      * Fix: Ability to hide ongoing notification (Stop firewall and restart to hide after disable it in preferences)
      * Fix: Firewall error notification on oreo and above
      * Security: Tile toggle checks for password
      * User reported crashes
      * Updated translations

      Previous version 3.0.0

      Features:
      * Better support for nougat/oreo and pie.
      * Firewall toggle tile
      * Adaptive Icons
      * Notification channels
      * Tor support

      Bugs:
      * General bug fixes and crash reports.
      * Language selection bug
      * Filter selection bug
      * Compatible with magisk 17.x
      * Better handling of background process
      * Drops support for 4.x devices
      * Update languages
      * Updated libraries

      Complete Changelog

      41
      Hello All,

      After careful analysis and testing, I decided not to rewrite the way rules are being applied due to lot of under hood changes required. Instead added few enhancements. Now applying rules from menu will show how many rules are getting applied with progress status. Also when adding/removing few rules , it will apply only those related rules instead of full apply.

      Also fixed couple of bugs and enhancements. You can get the full changelog from https://github.com/ukanth/afwall/blob/beta/Changelog.md

      This is BETA Version which is not released on playstore. I have been using this for past week and it's stable. But there might be bugs which I haven't encountered. Please test it and report it in case of any issues.

      Also I have been following XPrivacy thread on the decision by it's author. Just as FYI, I might fix it for my own usage when I update to nougat, I will share it here if anybody uses it here.

      BETA Link - https://www.dropbox.com/s/isvi413qyx6vb4d/AFWall+ 2.9.7-BETA-TESTER.apk?dl=0
      40
      Hello everyone,

      I have released 3.0.0 stable on playstore today. It's been a crazy month so far. After going through lot of dilemma of whether to support the existing afwall or write a new one from scratch, finally able to pull myself and release stable version of afwall with lots of bug fixes and new features along with pie support. Since I don't do full time Android development, it was hard to keep track of what's going on with sdk level changes.

      Thank you all for your support in AFWall+ development. Without your support it would simply not be possible to pull through this.

      I will be out for couple of days ( taking off to spend time with my family ) and hopefully will be able to reply to questions once back.

      Thanks again and have a great day.
      35
      Hello everyone,

      I have released stable version of 3.1.0 to playstore and github. Its live on playstore. You can find the changelog along with md5/sha here

      https://github.com/ukanth/afwall/releases/tag/v3.1.0

      Thank you all for your continuous support in AFWall+ development.