
[5.0+][ROOT][3.5.2] AFWall+ IPTables Firewall [16 May 2021]


IronTechmonkey

Recognized Contributor
Feb 12, 2013
8,260
12,621
I did a search for "tether hide" and really didn't come up with anything.

So, is there a way to configure AFWall+ so that tethering on AT&T networks won't count towards the "HotSpot" limit?

Is it a reasonable expectation of a Firewall to help circumvent service provider or device limits on Hotspot usage? Are there any examples of a Firewall that does that? I'm not challenging your request nor am I defending AT&T (LOL, AT&T is the reason I use T-Mobile), I've just never heard of such a thing.
 
  • Haha
Reactions: Tom Mix

JohnC

Senior Member
May 5, 2007
606
130
Amazon Fire TV
Google Pixel 4a
Is it a reasonable expectation of a Firewall to help circumvent service provider or device limits on Hotspot usage? Are there any examples of a Firewall that does that? I'm not challenging your request nor am I defending AT&T (LOL, AT&T is the reason I use T-Mobile), I've just never heard of such a thing.
There are two modules that AFwall lists that seem to be related to Tethering:

-Tether Entitlement
- (tethering) DHCP+DNS services

And there are three different paths for each module that AFWall can grant/block access:

- LAN
- Wifi
- Mobile Data

So I was hoping that maybe someone might have figured out a combination of settings for those modules and pathways that would be a hack to hide it.
 
  • Angry
Reactions: Tom Mix

IronTechmonkey

Recognized Contributor
Feb 12, 2013
8,260
12,621
There are two modules that AFwall lists that seem to be related to Tethering:

-Tether Entitlement
- (tethering) DHCP+DNS services

And there are three different paths for each module that AFWall can grant/block access:

- LAN
- Wifi
- Mobile Data

So I was hoping that maybe someone might have figured out a combination of settings for those modules and pathways that would be a hack to hide it.

I would expect that those modules have something to do with issues with tethering, such as an unknown app/service being blocked and therefore requiring the firewall to be disabled in order to tether, e.g. the modules might be required to help tethering function at all. I could be wrong and there are more knowledgeable people here that might be able to speak to this, but I don't think a hack to circumvent service provider limits would go over well at Playstore. No moral judgement, I just think it might not be worth the risk for an app to allow that. Let's see what others and the developer have to say.
 

JohnC

Senior Member
May 5, 2007
606
130
Amazon Fire TV
Google Pixel 4a
I would expect that those modules have something to do with issues with tethering, such as an unknown app/service being blocked and therefore requiring the firewall to be disabled in order to tether, e.g. the modules might be required to help tethering function at all. I could be wrong and there are more knowledgeable people here that might be able to speak to this, but I don't think a hack to circumvent service provider limits would go over well at Playstore. No moral judgement, I just think it might not be worth the risk for an app to allow that. Let's see what others and the developer have to say.
I totally understand what you are saying.

I would think it shouldn't be much of a risk because the NetShare app allows tether limit circumvention and it is still in the playstore with 1M+ downloads.
 
  • Like
Reactions: IronTechmonkey

ravts

Member
Sep 21, 2021
11
2
Afwall Xposed module, what is it exactly for? If I use LSPosed, to what apps should I apply this module?
 

TiTiB

Senior Member
Jun 19, 2015
904
685
Earth, for now
Afwall Xposed module, what is it exactly for? If I use LSPosed, to what apps should I apply this module?
@ukanth's statement here might be of use to you. No timeline, but...
 
  • Like
Reactions: ukanth and ravts

starbright_

Senior Member
Apr 11, 2010
1,359
224
I have a very confusing situation while using AFWall when I am connected via VPN.
Until now I have 3 selections: LAN, WiFi, mobile data.
I have seen there is an additional VPN selection possible. Do I really have to use it when I am on a VPN connection? IMHO it would be best to use the same rules as the original connection (despite the VPN) - so mobile data or WiFi, depending on what the connection to my VPN server (my router at home) is.
Asked another way: if I do not enable the VPN rules to be shown, which setting is actually valid? And if this is set once and then disabled from display, is the previous setting still valid?

I could extend this question to LAN: I think if it is not enabled to be shown, it uses the same rules as WiFi. Am I right?
 

markfm

Senior Member
Mar 27, 2013
501
171
At least a fair number of carriers appear to monitor for tethering use based on TTL, which requires something beyond simply blocking a tethering provisioning check.
 
  • Like
Reactions: Tom Mix

starbright_

Senior Member
Apr 11, 2010
1,359
224
I have a very confusing situation while using AFWall when I am connected via VPN.
Until now I have 3 selections: LAN, WiFi, mobile data.
I have seen there is an additional VPN selection possible. Do I really have to use it when I am on a VPN connection? IMHO it would be best to use the same rules as the original connection (despite the VPN) - so mobile data or WiFi, depending on what the connection to my VPN server (my router at home) is.
Asked another way: if I do not enable the VPN rules to be shown, which setting is actually valid? And if this is set once and then disabled from display, is the previous setting still valid?

I could extend this question to LAN: I think if it is not enabled to be shown, it uses the same rules as WiFi. Am I right?
Does no one use AFWall with a VPN who can share their experience?
 

x-pve

Member
Aug 30, 2020
20
11
Prague
It depends :) on why you use the VPN, how the routing table is configured, and what you want to reach.
Do you want to access your home computer? Do you want to access the internet from your mobile device via your home router? Which VPN software do you use and what is your goal? I use a VPN, but can't answer your question yet. Describe your situation in more detail.
 

starbright_

Senior Member
Apr 11, 2010
1,359
224
It depends :) on why you use the VPN, how the routing table is configured, and what you want to reach.
Do you want to access your home computer? Do you want to access the internet from your mobile device via your home router? Which VPN software do you use and what is your goal? I use a VPN, but can't answer your question yet. Describe your situation in more detail.
I am using the built-in VPN with IPsec XAUTH PSK to communicate with my FritzBox modem/router. In fact I just want to access all services as if I were at home, especially my mediathek and live TV apps (Zapp, MTCast, ZDF mediathek ....).
And I do have AFWall. Without it I don't seem to have problems. But with AFWall active it is strange.
As stated before, I use rules for LAN, WIFI and 4G. LAN only for apps that should be controlled inside my network (such as the heater, which doesn't need access to the outside world).
For comparison I set my terminal so that I can ping the address and then used the same setting for my TV app. But that doesn't work.
First and most important question: Do I need the VPN setting in AFWall if I don't want other rules than, let's say, WIFI?
What happens if I once set rules in the VPN setting and disable it again? Do the rules stay active and just not get displayed?
 

temporarium

Senior Member
I am using the built-in VPN with IPsec XAUTH PSK to communicate with my FritzBox modem/router. In fact I just want to access all services as if I were at home, especially my mediathek and live TV apps (Zapp, MTCast, ZDF mediathek ....).
And I do have AFWall. Without it I don't seem to have problems. But with AFWall active it is strange.
As stated before, I use rules for LAN, WIFI and 4G. LAN only for apps that should be controlled inside my network (such as the heater, which doesn't need access to the outside world).
For comparison I set my terminal so that I can ping the address and then used the same setting for my TV app. But that doesn't work.
First and most important question: Do I need the VPN setting in AFWall if I don't want other rules than, let's say, WIFI?
What happens if I once set rules in the VPN setting and disable it again? Do the rules stay active and just not get displayed?
As far as I'm aware, in Android VPN is global. So once you establish a VPN connection, everything has to go through it.

In AFWall+, you need to enable your VPN app for wifi or mobile access, and you need to enable the apps for VPN access that you want to be able to connect through the tunnel, regardless of how the tunnel is connected.
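
A simplified model of the rule described above, as an added example that is not part of the original post and not AFWall+'s own code: in allow-selected mode, an app's packets entering the tunnel are checked against the VPN column, while the VPN client's own packets are checked against the WiFi or mobile column. The app names, interface patterns and rule set are constructed assumptions, and the LAN column is left out.

```python
from fnmatch import fnmatch

# Interface-name patterns per rule column. Assumed for this sketch; real
# interface names differ between devices and VPN types.
COLUMNS = {
    "wifi": ("wlan*", "eth*"),
    "mobile": ("rmnet*", "ccmni*"),
    "vpn": ("tun*", "ppp*"),
}

# Constructed rule set: app name -> columns ticked for it (allow-selected mode).
RULES = {
    "vpn_client": {"wifi", "mobile"},  # carries the encrypted tunnel packets
    "terminal": {"wifi", "vpn"},
    "tv_app": {"wifi", "mobile"},      # VPN column not ticked
}


def column_for(iface):
    """Map an egress interface name to its rule column, or None if unknown."""
    for column, patterns in COLUMNS.items():
        if any(fnmatch(iface, p) for p in patterns):
            return column
    return None


def verdict(rules, app, iface):
    """Allow-selected mode: anything not explicitly ticked is dropped."""
    column = column_for(iface)
    return "ACCEPT" if column in rules.get(app, set()) else "DROP"


def trace(rules, app, underlay, vpn_client=None, tunnel="tun0"):
    """List (sender, interface, verdict) for each hop a packet must pass."""
    if vpn_client is None:
        return [(app, underlay, verdict(rules, app, underlay))]
    return [
        (app, tunnel, verdict(rules, app, tunnel)),  # app into the tunnel
        (vpn_client, underlay, verdict(rules, vpn_client, underlay)),  # tunnel out
    ]


def reachable(rules, app, underlay, vpn_client=None):
    """True only if every hop on the path is accepted."""
    return all(v == "ACCEPT" for _, _, v in trace(rules, app, underlay, vpn_client))


if __name__ == "__main__":
    for app in ("terminal", "tv_app"):
        for underlay in ("wlan0", "rmnet0"):
            print(app, underlay, trace(RULES, app, underlay, "vpn_client"))
```

In this model an app ticked only for WiFi and mobile works without the VPN but is dropped once the tunnel is up, whichever network carries the tunnel.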
 

haitower

Senior Member
Jun 27, 2017
66
9
I have 2 questions:
  1. If I want the donation version without google play, the developer states: "Please drop me an mail to (contact @ portgenix.com ) after your donation to get the unlocker APK (closed source for now) with details." But if I don't download it via an app store, how does the app get updated then?
  2. I want to forbid outbound traffic from a certain app. Is it possible to do this for just ONE app? Obviously if you forbid outbound traffic in the "Preferences -> Rules/Connectivity" section, it gets forbidden for ALL apps.
 

sabei

Senior Member
Jul 9, 2020
65
16
I want to forbid outbound traffic from a certain app. Is it possible to do this for just ONE app?
For me the whole point of the app is to control the individual items that are allowed to connect.

You have an allow selected or block selected setting which of course makes no difference if you don't allow outgoing connections.
I have only 5 items in total allowed and could easily remove one of those.
 

haitower

Senior Member
Jun 27, 2017
66
9
For me the whole point of the app is to control the individual items that are allowed to connect.

You have an allow selected or block selected setting which of course makes no difference if you don't allow outgoing connections.
I have only 5 items in total allowed and could easily remove one of those.
Sorry, I totally do not understand what you want to tell me. Could you explain it another way?

Is it now possible to allow/block inbound/outbound connections per app or not?

By "items", do you mean other apps?

I want to block outbound connections (unwanted tracking my data) from certain apps (e.g. Weather app) but allow inbound (weather data).
 
Aug 3, 2019
41
31
Berlin
If the developer sends me the apk, I guess I can't update it via f-droid, right?
Then I would have to manually check for updates because there is no auto update checker/reminder?
No, these are two different apks.
You can install the main apk from F-Droid and get it updated from there. For the paid version you receive a second apk (AFWall+ Unlock Key) from the developer which turns your installed apk into the donation version.
 
  • Like
Reactions: haitower

Uluru25

Senior Member
Nov 27, 2016
199
72
Samsung Galaxy S7
Samsung Galaxy A6
Sorry, I totally do not understand what you want to tell me. Could you explain it another way?

Is it now possible to allow/block inbound/outbound connections per app or not?

By "items", do you mean other apps?

I want to block outbound connections (unwanted tracking my data) from certain apps (e.g. Weather app) but allow inbound (weather data).
Ever thought to use XPrivacyLua to achieve this privacy saving?
 

haitower

Senior Member
Jun 27, 2017
66
9
Ever thought to use XPrivacyLua to achieve this privacy saving?
Yes, I even already installed LSPosed and was ready to go for XPrivacyLUA (I have used the old XPrivacy before) when I read this from the GrapheneOS lead developer:

xPrivacyLua is selfexplaining
It's not self-explaining, and see below for why you probably don't want this. You do probably want the ability to force apps to see fake data, but this doesn't do that. It's a client-side check inserted into the app that the app can bypass (even unintentionally, by using a different client-side implementation) or disable.

You should try to look for a rootless solution of your needs xprivacylua: virtualxposed (latest version from github) can be used to isolate apps and apply xprivacy rules to them.
It does not provide any isolation and cannot fundamentally improve privacy / security because it's based on client side checks, which is not a working approach. It relies on apps not accessing the data via other approaches or alternate implementations of the client-side code, which isn't uncommon. Apps can also detect it and simply work around it directly. This will only give you a false sense of privacy / security. Apps will likely use the fake data for their user-facing functionality, making you think that it works, but a tracking SDK bundled with the app can easily bypass this and harvest your data if you allow the permissions via the OS. This is harmful approach...
Source: Reddit

Now I'm in doubt if there is any sense in using it.. :/
 
