
[5.0+][ROOT][3.5.2] AFWall+ IPTables Firewall [16 May 2021]


urgali

Senior Member
Jun 23, 2015
550
340
OnePlus One
OnePlus 2
I sometimes get an "error applying rules" message. If I apply rules e.g. 10 times in a row half the times it fails. I've seen people mention the log service, for me that doesn't make any difference. Other people have mentioned the same behavior but no conclusion as to what is causing it.
Same issue here actually, I suggest you report it on git.
 

dolons

Member
Dec 6, 2011
44
7
After version 3.4, NO version works cleanly with Xiaomi Mi 9T - rooted firmware.

Problem:

No VOLTE, HD Voice or Wifi Calling. I restarted the system but after a few minutes the VOLTE icon disappears and voice quality is much worse than before.
I think the 3.5-3.5.2 versions now block some port that is responsible for this.
My knowledge is unfortunately too small for this. Can someone tell me what I need to fix so I can use the current version again?
 

FFW

Member
May 24, 2020
44
32
After version 3.4, NO version works cleanly with Xiaomi Mi 9T - rooted firmware.

Problem:

No VOLTE, HD Voice or Wifi Calling. I restarted the system but after a few minutes the VOLTE icon disappears and voice quality is much worse than before.
I think the 3.5-3.5.2 versions now block some port that is responsible for this.
My knowledge is unfortunately too small for this. Can someone tell me what I need to fix so I can use the current version again?
Just to check the (by now) obvious: do you happen to have changed the "DNS proxy" setting to "Disable DNS via netd"? If so, you suffer from the same problem that keeps me on 3.4.0...
 
Just to check the (by now) obvious: do you happen to have changed the "DNS proxy" setting to "Disable DNS via netd"? If so, you suffer from the same problem that keeps me on 3.4.0...
IIRC: If you disable DNS via netd you must allow [0](Root) - Apps with root permissions.
 

dolons

Member
Dec 6, 2011
44
7
IIRC: If you disable DNS via netd you must allow [0](Root) - Apps with root permissions.
Unfortunately it doesn't help.

I always activate these 4 entries:
  • [0] (Root) – Apps with root permissions:
  • [-14] (NTP) – Internet time server:
  • [10025] Media storage, download manager, MTP host[…]:
  • [1016] (VPN) VPN network

I also tried it with 2 more rules activated,
but it didn't help.

[-11] Linux Kernel
[10095] LTE Broadcast Manager
 
Aug 3, 2019
34
28
Berlin
  • [0] (Root) – Apps with root permissions:
  • [-14] (NTP) – Internet time server:
  • [10025] Media storage, download manager, MTP host[…]:
  • [1016] (VPN) VPN network
[-11] Linux Kernel
These permissions work for my phone and tablet on AFWall+ 3.5.2.1 (donate) with DNS-Proxy --> Disable DNS via netd.

Just a guess - what about activating
"[10108] CaptivePortalLogin"?
If I don't misunderstand: You have also got problems with WiFi, haven't you?
 

FFW

Member
May 24, 2020
44
32
These permissions work for my phone and tablet on AFWall+ 3.5.2.1 (donate) with DNS-Proxy --> Disable DNS via netd.

Just a guess - what about activating
"[10108] CaptivePortalLogin"?
If I don't misunderstand: You have also got problems with WiFi, haven't you?
I did not have the Linux Kernel permission set, so I tried again with 3.5.2.1 - but it does not help on my LOS17.1 phone. At least, I managed to get the log running (which did not seem to work as well on 3.5.0) - and that one shows me apps with Root rights get blocked despite being allowed in the list...
AfWall-Log-overview.png

AfWall-permissions.png


Thus, Wireguard does not get any connection (the Wireguard app itself is also allowed). Back to 3.4.0 it is... :confused:
 
Aug 3, 2019
34
28
Berlin
I did not have the Linux Kernel permission set, so I tried again with 3.5.2.1 - but it does not help on my LOS17.1 phone. At least, I managed to get the log running (which did not seem to work as well on 3.5.0) - and that one shows me apps with Root rights get blocked despite being allowed in the list...


Thus, Wireguard does not get any connection. Back to 3.4.0 it is... :confused:

Maybe the apps with root rights got blocked because they tried to access the data connection before AFWall+ applied its rules. I have seen this behaviour sometimes before, also with LOS 14.1, 17.1 and 18.1. Most "block cases" here are unknown apps (1073) and Android System (1000).

I have almost exactly your configuration with one exception:
You have "[1029] Clat" enabled.
Could you explain what this is about?
 

FFW

Member
May 24, 2020
44
32
Maybe the apps with root rights got blocked because they tried to access the data connection before AFWall+ applied its rules. I have seen this behaviour sometimes before, also with LOS 14.1, 17.1 and 18.1. Most "block cases" here are unknown apps (1073) and Android System (1000).
Sadly no, I checked this by letting the phone run for a while like this (and then, by manually reapplying the rules)...
I have almost exactly your configuration with one exception:
You have "[1029] Clat" enabled.
Could you explain what this is about?
Basically an IPv4 to IPv6 translator (edit: "wrapper" might be a more correct term - at least as far as I understand it - I am not too deep into that thing /edit): https://dan.drown.org/android/clat/

Since my VPN is IPv4 only, I activated it - when I tried without, my apps did not always get web access. Might be depending on how your service provider works though.
 
Aug 3, 2019
34
28
Berlin
Thanks for your explanation of "Clat"!
Just a last guess: How is your handling of IPv4 and IPv6 Chains?
I can't use IPv6, so I didn't enable it.

This is the setting of my Moto G Play phone and Samsung Galaxy Tab S2, both LOS 17.1:

Screenshot_20210617-185417_AFWall+.png
 

notNSA

Member
Jun 12, 2021
5
4
SEVERE SECURITY WARNING:
AFWALL default functionality might NOT (and probably for many will NOT) secure your Android phone.

EXPECTED BEHAVIOR:
A secure firewall must block incoming connections that are not initiated by the user.

ACTUAL BEHAVIOR:
a) Using the latest version 3.5.2, I discovered erratic behavior by the app when trying to run a custom script to set the incoming packet policy to DROP and accept only related and established incoming connections. AFWall errored out when trying to set the rules.

b) Depending on your ROM you might have INPUT chain rules that need to be vetted, which relies on custom scripting, which errors out. For example, a Samsung stock ROM on a 2020 device has an "input_dos" chain within the INPUT chain that explicitly allows ctstate "NEW" packets through. This must not happen in a secure firewall that only wants to accept established and related state incoming packets.

WORKAROUND:
What works for the time being as a workaround is:

a) set up AFWall focusing on app permissions which should cover the OUTPUT part of the firewall.

b) change the INPUT chain rules manually via terminal to drop incoming packets except for established/related connection state packets and remove rules that bypass this restriction.

------
This tight INPUT chain has nearly doubled my battery life (4000 mAh Li-Po from 10hrs to 20 hrs).
 
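As an added example (not code from AFWall+ or from the post above), a POSIX shell script that does what the post describes: it audits an iptables-save dump for rules reachable from INPUT that accept NEW connections (point b), and applies the established/related-only INPUT policy of the workaround. The chain contents in the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example, not AFWall+ code. Two helpers:
#  - audit_input_rules: reads iptables-save text on stdin and prints every
#    ACCEPT rule reachable from INPUT that lets NEW connections in (a
#    --ctstate/--state NEW match, or no state match at all). Loopback is
#    exempt; chains reached with -g (goto) are not followed.
#  - harden_input_chain: minimal established/related-only INPUT policy.
#    Set IPT=echo to print the commands instead of applying them (needs root).

audit_input_rules() {
    awk '
    /^-A / {
        rules[++n] = $0; rchain[n] = $2
        # remember chain -> chain jumps so INPUT can be walked downwards
        if (match($0, /-j [A-Za-z0-9_]+/)) {
            tgt = substr($0, RSTART + 3, RLENGTH - 3)
            jumps[$2] = jumps[$2] " " tgt
        }
    }
    END {
        # breadth-first walk of every chain reachable from INPUT
        reach["INPUT"] = 1; queue[1] = "INPUT"; q = 1
        for (i = 1; i <= q; i++) {
            m = split(jumps[queue[i]], t, " ")
            for (k = 1; k <= m; k++)
                if (!(t[k] in reach)) { reach[t[k]] = 1; queue[++q] = t[k] }
        }
        for (i = 1; i <= n; i++) {
            r = rules[i]
            if (!(rchain[i] in reach) || r !~ /-j ACCEPT$/) continue
            if (r ~ /-i lo /) continue
            if (r ~ /--(ct)?state [A-Z,]*NEW/ || r !~ /--(ct)?state /)
                print r
        }
    }'
}

harden_input_chain() {
    IPT="${IPT:-iptables}"
    "$IPT" -P INPUT DROP
    "$IPT" -I INPUT 1 -i lo -j ACCEPT
    "$IPT" -I INPUT 2 -m conntrack --ctstate INVALID -j DROP
    "$IPT" -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Anything the audit still flags after this is a bypass of the policy:
    # review it and delete it by hand with "$IPT -D <chain> <rule>".
}

sample_dump() {
    # Constructed iptables-save excerpt modelled on the post: INPUT jumps to
    # an input_dos chain that ACCEPTs NEW connections. Not a real device dump.
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:input_dos - [0:0]
:afwall - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j input_dos
-A OUTPUT -j afwall
-A input_dos -p tcp -m conntrack --ctstate NEW -m limit --limit 50/sec -j ACCEPT
-A input_dos -p udp --dport 5353 -j ACCEPT
-A afwall -m owner --uid-owner 10025 -j ACCEPT
COMMIT
EOF
}

# On a rooted device: iptables-save | audit_input_rules
if [ "${1:-}" = demo ]; then
    sample_dump | audit_input_rules
fi
```

Running the audit on the sample prints the two input_dos rules and nothing from the afwall chain, which hangs off OUTPUT.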

FFW

Member
May 24, 2020
44
32
Thanks for your explanation of "Clat"!
Just a last guess: How is your handling of IPv4 and IPv6 Chains?
I can't use IPv6, so I didn't enable it.

This is the setting of my Moto G Play phone and Samsung Galaxy Tab S2, both LOS 17.1:

View attachment 5340641
I have it active. Adjusting the setting what I see on your screenshot does not help as well though. It seems either my XZ1 Compact is in some way different - or my Wireguard VPN makes a difference ;-)

Well, I still hope from some ideas from @ukanth - either here or on his github site... but thanks for trying to help!

Edit: I found one difference between our settings though: If I set the "Input chain" setting to "blocked", Wireguard (and thus, anything else) does not get any web access on 3.4.0 as well. Might be logical since AFAIK Wireguard acts as a local "router interface". So this is a clear difference between your devices and mine.

Maybe there is some change between 3.4.0 and 3.5.x that causes this chain setting to break...?
 

eriol1

Senior Member
Feb 16, 2015
177
119
SEVERE SECURITY WARNING:
AFWALL default functionality might NOT (and probably for many will NOT) secure your Android phone.

EXPECTED BEHAVIOR:
A secure firewall must block incoming connections that are not initiated by the user.

ACTUAL BEHAVIOR:
a) Using the latest version 3.5.2, I discovered erratic behavior by the app when trying to run a custom script to set the incoming packet policy to DROP and accept only related and established incoming connections. AFWall errored out when trying to set the rules.

b) Depending on your ROM you might have INPUT chain rules that need to be vetted, which relies on custom scripting, which errors out. For example, a Samsung stock ROM on a 2020 device has an "input_dos" chain within the INPUT chain that explicitly allows ctstate "NEW" packets through. This must not happen in a secure firewall that only wants to accept established and related state incoming packets.

WORKAROUND:
What works for the time being as a workaround is:

a) set up AFWall focusing on app permissions which should cover the OUTPUT part of the firewall.

b) change the INPUT chain rules manually via terminal to drop incoming packets except for established/related connection state packets and remove rules that bypass this restriction.

------
This tight INPUT chain has nearly doubled my battery life (4000 mAh Li-Po from 10hrs to 20 hrs).
AFAIK, AFWall never claimed to block any incoming connections. The main purpose is to block unwanted outgoing connections.
Maybe Android itself blocks some incoming connections? But Android probably has a very different idea of what an unwanted connection is 😬

Nevertheless, thanks for the important info and nice effect on the battery (y)
 
Aug 3, 2019
34
28
Berlin
b) change the INPUT chain rules manually via terminal to drop incoming packets except for established/related connection state packets and remove rules that bypass this restriction.

My custom start-up script with DROP-policy for unwanted (not whitelisted) incoming traffic fortunately doesn't produce errors on v3.5.2.1.

Often after booting up the phone AFWall+ can't get root access even though Magisk is set to always grant it. AFWall+ then disables the firewall. I start it again, enable the firewall and the script and rules get applied. A somewhat peculiar behaviour ...

---
Edit: Also tried to work with timeouts before getting the rules applied. This doesn't help, either.
 

Tappad

Member
Nov 18, 2015
9
1
I had AFWall+, it worked like a charm. Had to wipe my phone and I did export my rules etc. but I can only import them on the pro version, which I can't afford at the moment. But I once found a guide to help me with which apps/functions to block but I can't seem to find it now.

So, any idea where I can find a guide describing what e.g. multicast is and what to block etc.?
 

Kilito!!*-*

New member
Oct 14, 2020
1
0
Uh ... I need a little help

It's been a long time since I found that thing that says "AppID : -1"

My cell phone overheats because it tries to connect to the internet about 20,000 times every time I look at it, and this is the only application where there is any evidence of this so I wanted to know if you know what it is...

I've tried to find the application that causes this in many ways but can't find anything

Uh ... help
Screenshot_20210627-204754_AFWall+.jpg
 

PietZeHut

Member
Apr 29, 2021
10
0
Hi All,
my moto g7 power is unlocked, has LOS18 (lineage-18.1-20210724-nightly-ocean) installed and is using AFWall+.
Unfortunately AFWall is blocking other devices from connecting to my moto g7 power via wifi tethering.
Can anyone guide me on how to configure AFWall to allow it?
Many thanks!
 

JohnC

Senior Member
May 5, 2007
510
100
Google Pixel 4a
I know this may sound like a newbie question, but I just want to understand how this app works.

From what I understand, it modifies the "IPTables" which I believe are config files that tell the internal network system how to route data packets.

So, if this app modifies the IPTables files to apply my rules, then why when I reboot my device, it displays "Applying Rules" again on boot up? Meaning, if the IPTables were modified when I last used this app, then I would think these IPTables files would remember their settings in-between boots, so there should be no reason to reapply them after a reboot. So why does this app need to reapply the same rules after a reboot?

Or is it that any changes to the IPTables are only valid for the current device session, and when the device gets rebooted, the iptables are cleared, and that is why this app needs to reapply them?

If this second theory is the case, then does that mean that apps (that I blocked in afwall) will be able to reach the internet for the first ~30 seconds right when the device is booting up, but before afwall+ has the chance to reapply the rules?
 

Top Liked Posts

  • 1
    @JohnC

    I should clarify this a bit

    The magisk thread/quote explains what the two options are and how they work.

    The magisk guide refers to options when building a app.

    If the app itself is giving you the options then you can choose what ever you like.
    Understood. I am going to use the suggested choice, but understand that it could leave the firewall down for a few seconds when booting up.
  • 4
    Wow - so apps can get internet access for around a minute right after bootup (before afwall can apply the rules).
    Yes they could, and that's all some apps need so as to send info home, but the simplest way around that is to turn off mobile internet as well as wifi before reboot and wait about a minute after boot for the firewall to have started before reconnecting internet access :)
    3
    So, should we use post-fs-data mode, or is this too risky in that it could lock up the device if something is wrong?
    At the moment I'm using the post-fs-data.d option. It may take a bit longer to start.
    While I do get errors occasionally, mainly with applying rules, it still blocks connections to apps. I don't think it's due to the startup configuration (check Github as other people have issues too).
    My startup is also due to the other crap on my phone as well, and mainly needs time to settle down so to speak.
    Also, looking back on this post, not everyone has the same options. @Uluru25 has the service.d option only, while I don't have his device but @EEngineer has completely different options.
    As to what option to use it will be up to you but the magisk guide does recommend using service.d option in most cases.

    2
    I know this may sound like a newbie question, but I just want to understand how this app works.

    From what I understand, it modifies the "IPTables" which I believe are config files that tell the internal network system how to route data packets.
    No, it is not any config files...
    It is the name of the networking functionality of the kernel.
    Its rules are kept in memory and need to be reapplied after each boot.
    2
    I have two entries for that option - which one should I select?
    I've got the same entries as well. It got me wondering what the two are.
    Came across this for the two options and what they mean.

    • post-fs-data mode
      • This stage is BLOCKING. The boot process is paused before execution is done, or 10 seconds have passed.
      • Scripts run before any modules are mounted. This allows a module developer to dynamically adjust their modules before it gets mounted.
      • This stage happens before Zygote is started, which pretty much means everything in Android
      • Run scripts in this mode only if necessary!
    • late_start service mode ( service.d )
      • This stage is NON-BLOCKING. Your script runs in parallel along with the booting process.
      • This is the recommended stage to run most scripts!
    This is taken from the Magisk guide

  • 384
    Welcome to official support page for AFWall+

    Disclaimer - As Usual. I'll not take any responsible if something goes wrong when using AFWall+

    Introduction
    AFWall+ is an improved version of DroidWall (front-end application for the powerful iptables Linux firewall). It allows you to restrict which applications are permitted to access your data networks (2G/3G/4G/LTE and/or Wi-Fi and while in roaming). Since the original author of DroidWall discontinued the project, I decided to keep the app instead of Avast Firewall. I'll continue to add more features as I can.


    Features
    - Supports 5.x to 11.x
    - Import/Export Rules to external storage
    - Search Applications
    - Multiple Profiles with custom names
    - Tasker/Locale support
    - Select All/None/Invert/Clear applications with single click
    - Revamped Rules/Logs Viewer with copy/export to external storage
    - Ability to view the network interfaces
    - Highlight system applications with custom color
    - Notify on new installations
    - Ability to hide application icons( faster loading )
    - Use LockPattern for application protection.
    - Show/Hide application ID.
    - Roaming Control for 3G/Edge
    - VPN Control
    - LAN Control
    - Tether Control
    - IPV6 Control
    - Tor Control
    - Choosable languages
    - Choosable iptables/busybox binary
    - Supports MIPS/x86/ARM
    - DNS Hostname

    Changelog - See third Post
    Current Version - 3.5.2

    To get Unlocker without Google services - Please follow the instructions here

    AFWall+ BETA Program
    1) AFWall+ opt-in for beta program
    2) Install AFWall+ and If you have any issues, just send email from (Menu -> Firewall Rules - > Send error report)

    Source Code/Wiki/FAQ
    AFWall+ is a free & open-source application
    Github
    Log an issue
    Frequently Asked Questions
    Many Thanks to @CHEF-KOCH

    Translations
    Translations - Please help me with translations in your language.
    http://crowdin.net/project/afwall

    Thanks To/Credits
    - German translations by [email protected] & [email protected] & [email protected]
    - French translations by [email protected] & [email protected]
    - Russian translations by [email protected] & YaroslavKa78
    - Spanish translations by [email protected]
    - Dutch translations by [email protected]
    - Japanese translation by [email protected]
    - Ukrainian translation by [email protected]
    - Slovenian translation by bunga [email protected]
    - Chinese Simplified translation by [email protected]
    - Polish translations by tst,Piotr [email protected]
    - Swedish translations by [email protected]
    - Greek Translations by [email protected]
    - Portuguese translations by [email protected]
    - Chinese Traditional by [email protected]
    - Chinese Simplified by wuwufei,tianchaoren @ crowdin
    - Italian translations by [email protected]
    - Romanian translations by [email protected]
    - Czech translations by Syk3s

    Cheers,
    ukanth

    XDA:DevDB Information
    AFWall+ [ IPTables Firewall ], App for the Android General

    Contributors
    ukanth
    Source Code: https://github.com/ukanth/afwall


    Version Information
    Status:
    Stable
    Current Stable Version: 3.4.0
    Stable Release Date: 2020-02-09
    Current Beta Version: 3.5.0-BETA1
    Beta Release Date: 2020-09-05

    Created 2013-12-03
    Last Updated 2020-09-05
    70
    Version 3.0.1

    * Fix: Status toggle widget 1x1
    * Fix: Ability to hide ongoing notification (Stop firewall and restart to hide after disable it in preferences)
    * Fix: Firewall error notification on oreo and above
    * Security: Tile toggle checks for password
    * User reported crashes
    * Updated translations

    Previous version 3.0.0

    Features:
    * Better support for nougat/oreo and pie.
    * Firewall toggle tile
    * Adaptive Icons
    * Notification channels
    * Tor support

    Bugs:
    * General bug fixes and crash reports.
    * Language selection bug
    * Filter selection bug
    * Compatible with magisk 17.x
    * Better handling of background process
    * Drops support for 4.x devices
    * Update languages
    * Updated libraries

    Complete Changelog

    41
    Hello All,

    After careful analysis and testing, I decided not to rewrite the way rules are being applied due to the lot of under-the-hood changes required. Instead I added a few enhancements. Now applying rules from the menu will show how many rules are getting applied with a progress status. Also when adding/removing a few rules, it will apply only those related rules instead of a full apply.

    Also fixed a couple of bugs and enhancements. You can get the full changelog from https://github.com/ukanth/afwall/blob/beta/Changelog.md

    This is a BETA version which is not released on the playstore. I have been using this for the past week and it's stable. But there might be bugs which I haven't encountered. Please test it and report it in case of any issues.

    Also I have been following the XPrivacy thread on the decision by its author. Just as FYI, I might fix it for my own usage when I update to nougat; I will share it here if anybody uses it.

    BETA Link - https://www.dropbox.com/s/isvi413qyx6vb4d/AFWall+ 2.9.7-BETA-TESTER.apk?dl=0
    40
    Hello everyone,

    I have released 3.0.0 stable on the playstore today. It's been a crazy month so far. After going through a lot of dilemma over whether to support the existing afwall or write a new one from scratch, I was finally able to pull myself together and release a stable version of afwall with lots of bug fixes and new features along with pie support. Since I don't do full-time Android development, it was hard to keep track of what's going on with sdk level changes.

    Thank you all for your support in AFWall+ development. Without your support it would simply not be possible to pull through this.

    I will be out for a couple of days (taking off to spend time with my family) and hopefully will be able to reply to questions once back.

    Thanks again and have a great day.
    35
    Hello everyone,

    I have released the stable version 3.1.0 to the playstore and github. It's live on the playstore. You can find the changelog along with md5/sha here

    https://github.com/ukanth/afwall/releases/tag/v3.1.0

    Thank you all for your continuous support in AFWall+ development.