[5.0+][ROOT][3.5.2] AFWall+ IPTables Firewall [16 May 2021]

IronTechmonkey

Recognized Contributor
Feb 12, 2013
8,009
11,775
I did a search for "tether hide" and really didn't come up with anything.

So, is there a way to configure AFWall+ so that tethering on AT&T networks won't count towards the "HotSpot" limit?

Is it a reasonable expectation of a Firewall to help circumvent service provider or device limits on Hotspot usage? Are there any examples of a Firewall that does that? I'm not challenging your request nor am I defending AT&T (LOL, AT&T is the reason I use T-Mobile), I've just never heard of such a thing.
 

JohnC

Senior Member
May 5, 2007
573
118
Amazon Fire TV
Google Pixel 4a
Is it a reasonable expectation of a Firewall to help circumvent service provider or device limits on Hotspot usage? Are there any examples of a Firewall that does that? I'm not challenging your request nor am I defending AT&T (LOL, AT&T is the reason I use T-Mobile), I've just never heard of such a thing.
There are two modules that AFWall lists that seem to be related to Tethering:

- Tether Entitlement
- (tethering) DHCP+DNS services

And there are three different paths for each module that AFWall can grant/block access:

- LAN
- Wifi
- Mobile Data

So I was hoping that maybe someone might have figured out a combination of settings for those modules and pathways that would be a hack to hide it.
 

IronTechmonkey

Recognized Contributor
Feb 12, 2013
8,009
11,775
There are two modules that AFWall lists that seem to be related to Tethering:

- Tether Entitlement
- (tethering) DHCP+DNS services

And there are three different paths for each module that AFWall can grant/block access:

- LAN
- Wifi
- Mobile Data

So I was hoping that maybe someone might have figured out a combination of settings for those modules and pathways that would be a hack to hide it.

I would expect that those modules have something to do with issues with tethering such as an unknown app/service being blocked, therefore requiring the firewall be disabled in order to tether, e.g. the modules might be required to help tethering function at all. I could be wrong and there are more knowledgeable people here that might be able to speak to this but I don't think a hack to circumvent service provider limits would go over well at Playstore. No moral judgement, I just think it might not be worth the risk for an app to allow that. Let's see what others and the developer have to say.
 

JohnC

Senior Member
May 5, 2007
573
118
Amazon Fire TV
Google Pixel 4a
I would expect that those modules have something to do with issues with tethering such as an unknown app/service being blocked, therefore requiring the firewall be disabled in order to tether, e.g. the modules might be required to help tethering function at all. I could be wrong and there are more knowledgeable people here that might be able to speak to this but I don't think a hack to circumvent service provider limits would go over well at Playstore. No moral judgement, I just think it might not be worth the risk for an app to allow that. Let's see what others and the developer have to say.
I totally understand what you are saying.

I would think it shouldn't be much of a risk because the NetShare app allows tether limit circumvention and it is still in the playstore with 1M+ downloads.
 

TiTiB

Senior Member
Jun 19, 2015
890
666
Earth, for now
Afwall Xposed module, what is it exactly for? If I use LSPosed, to what apps should I apply this module?
@ukanth's statement here might be of use to you. No timeline, but...
 

starbright_

Senior Member
Apr 11, 2010
1,340
223
I have a very confusing situation while using AFWall when I am connected via VPN.
Until now I have 3 selections: LAN, WiFi, mobile data.
I have seen there is an additional VPN selection possible. Do I really have to use it when I am on a VPN connection? IMHO it would be best to use the same rules as the original connection (despite VPN) - so mobile data or WiFi, depending on what the connection to my VPN server (my router at home) is.
Asked another way: If I do not enable the VPN rules to be shown - which setting is actually valid? And - if this was once set and then disabled from display - is the previous setting still valid?

I could extend this question to LAN: I think if it is not enabled to be shown, it uses the same rules as WiFi. Am I right?
 

markfm

Senior Member
Mar 27, 2013
492
166
At least a fair number of carriers appear to monitor for tethering use based on TTL, which requires something beyond simply blocking a tethering provisioning check.
 

starbright_

Senior Member
Apr 11, 2010
1,340
223
I have a very confusing situation while using AFWall when I am connected via VPN.
Until now I have 3 selections: LAN, WiFi, mobile data.
I have seen there is an additional VPN selection possible. Do I really have to use it when I am on a VPN connection? IMHO it would be best to use the same rules as the original connection (despite VPN) - so mobile data or WiFi, depending on what the connection to my VPN server (my router at home) is.
Asked another way: If I do not enable the VPN rules to be shown - which setting is actually valid? And - if this was once set and then disabled from display - is the previous setting still valid?

I could extend this question to LAN: I think if it is not enabled to be shown, it uses the same rules as WiFi. Am I right?
Does no one use AFWall with VPN and can share their experience?
 

x-pve

Member
Aug 30, 2020
20
11
Prague
It depends :), why do you use VPN, how is the routing table configured, and what do you want to reach?
Do you want to access your home computer? Do you want to access the internet from your mobile device via your home router? Which VPN software do you use and what is your goal? I use VPN, but can't answer your question yet. Describe your situation in more detail.
 

starbright_

Senior Member
Apr 11, 2010
1,340
223
It depends :), why do you use VPN, how is the routing table configured, and what do you want to reach?
Do you want to access your home computer? Do you want to access the internet from your mobile device via your home router? Which VPN software do you use and what is your goal? I use VPN, but can't answer your question yet. Describe your situation in more detail.
I am using the built-in VPN with IPsec XAUTH PSK to communicate with my FritzBox modem/router. In fact I just want to access all services as if I were at home, especially my mediathek and live TV apps (Zapp, MTCast, ZDF mediathek ....).
And I do have AFWall. Without it I don't seem to have problems. But with AFWall active it is strange.
As stated before, I use rules for LAN, WIFI and 4G. LAN only for apps that should be controlled inside my network (such as Heater, which doesn't need access to the outside world).
For comparison, I set my terminal so that I can ping the address and then used the same setting for my TV app. But that doesn't work.
First and most important question: Do I need the VPN setting in AFWall if I don't want rules other than, let's say, WIFI?
What happens if I once set rules in the VPN setting and disabled it again? Do the rules stay active and are just not displayed?
 

temporarium

Senior Member
I am using the built-in VPN with IPsec XAUTH PSK to communicate with my FritzBox modem/router. In fact I just want to access all services as if I were at home, especially my mediathek and live TV apps (Zapp, MTCast, ZDF mediathek ....).
And I do have AFWall. Without it I don't seem to have problems. But with AFWall active it is strange.
As stated before, I use rules for LAN, WIFI and 4G. LAN only for apps that should be controlled inside my network (such as Heater, which doesn't need access to the outside world).
For comparison, I set my terminal so that I can ping the address and then used the same setting for my TV app. But that doesn't work.
First and most important question: Do I need the VPN setting in AFWall if I don't want rules other than, let's say, WIFI?
What happens if I once set rules in the VPN setting and disabled it again? Do the rules stay active and are just not displayed?
As far as I'm aware, in Android VPN is global. So once you establish a VPN connection, everything has to go through it.

In AFWall+, you need to enable your VPN app for wifi or mobile access, and you need to enable the apps for VPN access that you want to be able to connect through the tunnel, regardless of how the tunnel is connected.
 

haitower

Senior Member
Jun 27, 2017
58
3
I have 2 questions:
  1. If I want the donation version without google play, the developer states: "Please drop me an mail to (contact @ portgenix.com ) after your donation to get the unlocker APK (closed source for now) with details." But if I don't download it via an app store, how does the app get updated then?
  2. I want to forbid outbound traffic from a certain app. Is it possible to do this for just ONE app? Obviously if you forbid outbound traffic in the "Preferences -> Rules/Connectivity" section, it gets forbidden for ALL apps.
 

sabei

Senior Member
Jul 9, 2020
65
16
I want to forbid outbound traffic from a certain app. Is it possible to do this for just ONE app?
For me the whole point of the app is to control the individual items that are allowed to connect.

You have an allow selected or block selected setting which of course makes no difference if you don't allow outgoing connections.
I have only 5 items in total allowed and could easily remove one of those.
 

haitower

Senior Member
Jun 27, 2017
58
3
For me the whole point of the app is to control the individual items that are allowed to connect.

You have an allow selected or block selected setting which of course makes no difference if you don't allow outgoing connections.
I have only 5 items in total allowed and could easily remove one of those.
Sorry, I totally do not understand what you want to tell me. Could you explain it another way?

Is it now possible to allow/block inbound/outbound connections per app or not?

By "items", do you mean other apps?

I want to block outbound connections (unwanted tracking my data) from certain apps (e.g. Weather app) but allow inbound (weather data).
 
Aug 3, 2019
36
29
Berlin
If the developer sends me the apk, I guess I can't update it via f-droid, right?
Then I would have to manually check for updates because there is no auto update checker/reminder?
No, these are two different apks.
You can install the main apk from F-Droid and get it updated from there. For the paid version you receive a second apk (AFWall+ Unlock Key) from the developer which turns your installed apk into the donation version.
 

Uluru25

Senior Member
Nov 27, 2016
159
58
Samsung Galaxy A6
Redmi Note 8
Sorry, I totally do not understand what you want to tell me. Could you explain it another way?

Is it now possible to allow/block inbound/outbound connections per app or not?

By "items", do you mean other apps?

I want to block outbound connections (unwanted tracking my data) from certain apps (e.g. Weather app) but allow inbound (weather data).
Ever thought to use XPrivacyLua to achieve this privacy saving?
 

haitower

Senior Member
Jun 27, 2017
58
3
Ever thought to use XPrivacyLua to achieve this privacy saving?
Yes, I even already installed LSPosed and was ready to go for XPrivacyLUA (I have used the old XPrivacy before) when I read this from the GrapheneOS lead developer:

xPrivacyLua is selfexplaining
It's not self-explaining, and see below for why you probably don't want this. You do probably want the ability to force apps to see fake data, but this doesn't do that. It's a client-side check inserted into the app that the app can bypass (even unintentionally, by using a different client-side implementation) or disable.

You should try to look for a rootless solution of your needs xprivacylua: virtualxposed (latest version from github) can be used to isolate apps and apply xprivacy rules to them.
It does not provide any isolation and cannot fundamentally improve privacy / security because it's based on client side checks, which is not a working approach. It relies on apps not accessing the data via other approaches or alternate implementations of the client-side code, which isn't uncommon. Apps can also detect it and simply work around it directly. This will only give you a false sense of privacy / security. Apps will likely use the fake data for their user-facing functionality, making you think that it works, but a tracking SDK bundled with the app can easily bypass this and harvest your data if you allow the permissions via the OS. This is harmful approach...
Source: Reddit

Now I'm in doubt if there is any sense in using it.. :/
 

Top Liked Posts

  • 3
    Sorry, I totally do not understand what you want to tell me. Could you explain it another way?

    Is it now possible to allow/block inbound/outbound connections per app or not?

    By "items", do you mean other apps?

    I want to block outbound connections (unwanted tracking my data) from certain apps (e.g. Weather app) but allow inbound (weather data).
    What you want doesn't exactly work the way you think.

    A weather app (for example) that receives weather data from the internet doesn't just leave an open port waiting for an inbound connection with weather data. The weather data server would have no way of knowing the app is waiting for the data, and no way of knowing where to send it.
    The way it usually works is that the app either subscribes with the server first or simply polls the server for data at defined intervals. Both methods require that an outbound connection from the app to the server be established before data is received.

    AFWall is designed to block outbound connections only.

    When you block an app in AFWall (either by leaving the app unselected in whitelist/allow selected mode, or by having the app selected in blacklist/block selected mode), the result is that the app is unable to establish an outbound connection, which in most cases means that there is also no way for an outside entity to know where the app may be listening for an inbound connection, so no inbound connection will occur. (This of course does not protect you from an attacker enumerating open ports on your device and exploiting a vulnerable app with an open port.)

    Note that Android OS itself (depending on ROM and version) may have its own protections against unauthorized inbound and/or outbound connections, regardless of AFWall installation.
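
The outbound-only, per-app model described in this post, together with the VPN advice earlier in the thread (enable the VPN app for wifi or mobile, and enable the tunneled apps for VPN), as an added Python sketch that is not AFWall+'s own code. The chain name `fw-out`, the interface patterns, the UIDs and the assumption of a VPN app that uses a tun interface are all illustrative.

```python
"""Model of per-app outbound filtering with the iptables owner match.
Added illustration only; chain name, interface patterns and UIDs are assumed."""
from fnmatch import fnmatch

# Interface classes mapped to name patterns (assumed; real devices vary).
IFACES = {"wifi": "wlan*", "mobile": "rmnet*", "vpn": "tun*"}

# Constructed sample UIDs.
WEATHER, BROWSER, VPN_APP = 10123, 10150, 10200


def build_rules(allow):
    """allow: {uid: set of interface classes}. Whitelist mode: one RETURN rule
    per allowed (uid, interface class), then a catch-all REJECT."""
    rules = [(IFACES[cls], uid, "RETURN")
             for uid, classes in sorted(allow.items())
             for cls in sorted(classes)]
    rules.append(("*", None, "REJECT"))
    return rules


def render(rules, chain="fw-out"):
    """Render the rules as iptables commands ('+' is iptables' wildcard)."""
    lines = []
    for pattern, uid, verdict in rules:
        iface = "" if pattern == "*" else f" -o {pattern.replace('*', '+')}"
        owner = "" if uid is None else f" -m owner --uid-owner {uid}"
        lines.append(f"iptables -A {chain}{iface}{owner} -j {verdict}")
    return lines


def verdict_out(rules, uid, iface):
    """First matching rule wins, as in an iptables chain."""
    for pattern, rule_uid, verdict in rules:
        if fnmatch(iface, pattern) and rule_uid in (None, uid):
            return "allow" if verdict == "RETURN" else "block"
    return "block"


def request_gets_out(rules, hops):
    """hops: (uid, out_iface) pairs the request passes on the device.
    Direct: one hop. Through a tun-based VPN: the app's packet leaves via
    tun0, then the VPN app re-sends it encrypted via the real interface.
    Inbound is not filtered, but a reply only exists if the request got out."""
    return all(verdict_out(rules, uid, iface) == "allow" for uid, iface in hops)


if __name__ == "__main__":
    rules = build_rules({BROWSER: {"wifi", "vpn"}, VPN_APP: {"wifi", "mobile"}})
    print("\n".join(render(rules)))
    # Weather app is not whitelisted: its poll never leaves, so no data returns.
    print("weather, direct :", request_gets_out(rules, [(WEATHER, "wlan0")]))
    # Browser through the tunnel: needs 'vpn' for itself, 'wifi' for the VPN app.
    print("browser, via VPN:",
          request_gets_out(rules, [(BROWSER, "tun0"), (VPN_APP, "wlan0")]))
    # Same browser, but the VPN app itself is not allowed on wifi.
    no_vpn_app = build_rules({BROWSER: {"wifi", "vpn"}})
    print("VPN app blocked :",
          request_gets_out(no_vpn_app, [(BROWSER, "tun0"), (VPN_APP, "wlan0")]))
```
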
  • 386
    Welcome to official support page for AFWall+

    Disclaimer - As usual, I will not take any responsibility if something goes wrong when using AFWall+

    Introduction
    AFWall+ is an improved version of DroidWall (front-end application for the powerful iptables Linux firewall). It allows you to restrict which applications are permitted to access your data networks (2G/3G/4G/LTE and/or Wi-Fi and while in roaming). Since the original author of Droidwall discontinued the project, I decided to keep the app instead of Avast Firewall. I'll continue to add more features as I can.


    Features
    - Supports 5.x to 11.x
    - Import/Export Rules to external storage
    - Search Applications
    - Multiple Profiles with custom names
    - Tasker/Locale support
    - Select All/None/Invert/Clear applications with single click
    - Revamped Rules/Logs Viewer with copy/export to external storage
    - Ability to view the network interfaces
    - Highlight system applications with custom color
    - Notify on new installations
    - Ability to hide application icons( faster loading )
    - Use LockPattern for application protection.
    - Show/Hide application ID.
    - Roaming Control for 3G/Edge
    - VPN Control
    - LAN Control
    - Tether Control
    - IPV6 Control
    - Tor Control
    - Choosable languages
    - Choosable iptables/busybox binary
    - Supports MIPS/x86/ARM
    - DNS Hostname

    Changelog - See third Post
    Current Version - 3.5.2

    To get Unlocker without Google services - Please follow the instructions here

    AFWall+ BETA Program
    1) AFWall+ opt-in for beta program
    2) Install AFWall+ and if you have any issues, just send email from (Menu -> Firewall Rules -> Send error report)

    Source Code/Wiki/FAQ
    AFWall+ is a free & open-source application
    Github
    Log an issue
    Frequently Asked Questions
    Many Thanks to @CHEF-KOCH

    Translations
    Translations - Please help me with translations in your language.
    http://crowdin.net/project/afwall

    Thanks To/Credits
    - German translations by [email protected] & [email protected] & [email protected]
    - French translations by [email protected] & [email protected]
    - Russian translations by [email protected] & YaroslavKa78
    - Spanish translations by [email protected]
    - Dutch translations by [email protected]
    - Japanese translation by [email protected]
    - Ukrainian translation by [email protected]
    - Slovenian translation by bunga [email protected]
    - Chinese Simplified translation by [email protected]
    - Polish translations by tst,Piotr [email protected]
    - Swedish translations by [email protected]
    - Greek Translations by [email protected]
    - Portuguese translations by [email protected]
    - Chinese Traditional by [email protected]
    - Chinese Simplified by wuwufei,tianchaoren @ crowdin
    - Italian translations by [email protected]
    - Romanian translations by [email protected]
    - Czech translations by Syk3s

    Cheers,
    ukanth

    XDA:DevDB Information
    AFWall+ [ IPTables Firewall ], App for the Android General

    Contributors
    ukanth
    Source Code: https://github.com/ukanth/afwall


    Version Information
    Status:
    Stable
    Current Stable Version: 3.4.0
    Stable Release Date: 2020-02-09
    Current Beta Version: 3.5.0-BETA1
    Beta Release Date: 2020-09-05

    Created 2013-12-03
    Last Updated 2020-09-05
    70
    Version 3.0.1

    * Fix: Status toggle widget 1x1
    * Fix: Ability to hide ongoing notification (Stop firewall and restart to hide after disable it in preferences)
    * Fix: Firewall error notification on oreo and above
    * Security: Tile toggle checks for password
    * User reported crashes
    * Updated translations

    Previous version 3.0.0

    Features:
    * Better support for nougat/oreo and pie.
    * Firewall toggle tile
    * Adaptive Icons
    * Notification channels
    * Tor support

    Bugs:
    * General bug fixes and crash reports.
    * Language selection bug
    * Filter selection bug
    * Compatible with magisk 17.x
    * Better handling of background process
    * Drops support for 4.x devices
    * Update languages
    * Updated libraries

    Complete Changelog

    41
    Hello All,

    After careful analysis and testing, I decided not to rewrite the way rules are being applied due to the lot of under-the-hood changes required. Instead I added a few enhancements. Now applying rules from the menu will show how many rules are getting applied with progress status. Also, when adding/removing a few rules, it will apply only those related rules instead of a full apply.

    Also fixed a couple of bugs and enhancements. You can get the full changelog from https://github.com/ukanth/afwall/blob/beta/Changelog.md

    This is a BETA version which is not released on playstore. I have been using this for the past week and it's stable. But there might be bugs which I haven't encountered. Please test it and report it in case of any issues.

    Also I have been following the XPrivacy thread on the decision by its author. Just as FYI, I might fix it for my own usage when I update to nougat, I will share it here if anybody uses it here.

    BETA Link - https://www.dropbox.com/s/isvi413qyx6vb4d/AFWall+ 2.9.7-BETA-TESTER.apk?dl=0
    40
    Hello everyone,

    I have released 3.0.0 stable on playstore today. It's been a crazy month so far. After going through a lot of dilemma over whether to support the existing afwall or write a new one from scratch, I was finally able to pull myself together and release a stable version of afwall with lots of bug fixes and new features along with pie support. Since I don't do full time Android development, it was hard to keep track of what's going on with sdk level changes.

    Thank you all for your support in AFWall+ development. Without your support it would simply not be possible to pull through this.

    I will be out for a couple of days ( taking off to spend time with my family ) and hopefully will be able to reply to questions once back.

    Thanks again and have a great day.
    35
    Hello everyone,

    I have released the stable version of 3.1.0 to playstore and github. It's live on playstore. You can find the changelog along with md5/sha here

    https://github.com/ukanth/afwall/releases/tag/v3.1.0

    Thank you all for your continuous support in AFWall+ development.