
[5.0+][ROOT][3.5.2] AFWall+ IPTables Firewall [16 May 2021]


IronTechmonkey

I did a search for "tether hide" and really didn't come up with anything.

So, is there a way to configure AFWall+ so that tethering on AT&T networks won't count towards the "HotSpot" limit?

Is it a reasonable expectation of a Firewall to help circumvent service provider or device limits on Hotspot usage? Are there any examples of a Firewall that does that? I'm not challenging your request nor am I defending AT&T (LOL, AT&T is the reason I use T-Mobile), I've just never heard of such a thing.
 

JohnC

Is it a reasonable expectation of a Firewall to help circumvent service provider or device limits on Hotspot usage? Are there any examples of a Firewall that does that? I'm not challenging your request nor am I defending AT&T (LOL, AT&T is the reason I use T-Mobile), I've just never heard of such a thing.
There are two modules that AFwall lists that seem to be related to Tethering:

-Tether Entitlement
- (tethering) DHCP+DNS services

And there are three different paths for each module that AFWall can grant/block access:

- LAN
- Wifi
- Mobile Data

So I was hoping that maybe someone might have figured out a combination of settings for those modules and pathways that would be a hack to hide it.
 

IronTechmonkey

There are two modules that AFwall lists that seem to be related to Tethering:

-Tether Entitlement
- (tethering) DHCP+DNS services

And there are three different paths for each module that AFWall can grant/block access:

- LAN
- Wifi
- Mobile Data

So I was hoping that maybe someone might have figured out a combination of settings for those modules and pathways that would be a hack to hide it.

I would expect that those modules have something to do with issues with tethering such as an unknown app/service being blocked therefore requiring firewall be disabled in order to tether, e.g. the modules might be required to help tethering function at all. I could be wrong and there are more knowledgeable people here that might be able to speak to this but I don't think a hack to circumvent service provider limits would go over well at Playstore. No moral judgement, I just think it might not be worth the risk for an app to allow that. Let's see what others and the developer have to say.
 

JohnC

I would expect that those modules have something to do with issues with tethering such as an unknown app/service being blocked therefore requiring firewall be disabled in order to tether, e.g. the modules might be required to help tethering function at all. I could be wrong and there are more knowledgeable people here that might be able to speak to this but I don't think a hack to circumvent service provider limits would go over well at Playstore. No moral judgement, I just think it might not be worth the risk for an app to allow that. Let's see what others and the developer have to say.
I totally understand what you are saying.

I would think it shouldn't be much of a risk because the NetShare app allows tether limit circumvention and it is still in the playstore with 1M+ downloads.
 

ravts

Afwall Xposed module, what is it exactly for? If I use LSPosed, to what apps should I apply this module?
 

TiTiB

Afwall Xposed module, what is it exactly for? If I use LSPosed, to what apps should I apply this module?
@ukanth statement here might be of use to you. No timeline, but...
 

starbright_

I have a very confusing situation while using AFWall when I am connected via VPN.
Til now I have 3 selections: LAN, WiFi, mobile data.
I have seen there is an additional VPN selection possible. Do I really have to use it when I am in a VPN connection? Imho best would be to use same rules as original connection (despite VPN) - so mobile data or WiFi, depending on what is the connection to my VPN server (my Router at home).
Other way asked: If I not enable the VPN rules to be shown - what setting is actual valid? And - if this is once set and disabled to display - does the previous setting is valid?

I could extend this question to LAN: I think if not enable to be shown it uses same rules as Wifi. Am I right?
 

markfm

At least a fair number of carriers appear to monitor for tethering use based on TTL, which requires something beyond simply blocking a tethering provisioning check.
 

starbright_

I have a very confusing situation while using AFWall when I am connected via VPN.
Til now I have 3 selections: LAN, WiFi, mobile data.
I have seen there is an additional VPN selection possible. Do I really have to use it when I am in a VPN connection? Imho best would be to use same rules as original connection (despite VPN) - so mobile data or WiFi, depending on what is the connection to my VPN server (my Router at home).
Other way asked: If I not enable the VPN rules to be shown - what setting is actual valid? And - if this is once set and disabled to display - does the previous setting is valid?

I could extend this question to LAN: I think if not enable to be shown it uses same rules as Wifi. Am I right?
No one use AFwall with VPN and can share experience?
 

x-pve

It depends :), why do you use VPN and how routing table is configured and what do you want to reach.
Do you want to access your home computer? Do you want access internet from your mobile device via your home router? Which VPN software do you use and what is your goal? I use VPN, but can't answer your question yet. Describe more your situation.
 

starbright_

It depends :), why do you use VPN and how routing table is configured and what do you want to reach.
Do you want to access your home computer? Do you want access internet from your mobile device via your home router? Which VPN software do you use and what is your goal? I use VPN, but can't answer your question yet. Describe more your situation.
I am using the built-in VPN with IPsec XAUTH PSK to communicate with my FritzBox Modem/Router. In fact I just want to access all services as I would be at home, especially my mediathek and live TV apps (Zapp, MTCast, ZDF mediathek ....).
And I do have the AFWall. Without that it seems I don't have problems. But with active AFWall it is strange.
As stated before I use for rules LAN, WIFI and 4G. LAN only for apps that should be controlled inside my network (as Heater, who don't have to access to outer world).
For a comparison I set my terminal so that I can ping the address and then used same setting for my TV app. But that doesn't work.
First and most important question: Do I need the VPN setting in AFWall if I don't want other rules than lets say WIFI?
What happens If I once set rules in VPN setting and disabled that again? Does the rules keep active and will just not displayed?
 

temporarium

I am using the built-in VPN with IPsec XAUTH PSK to communicate with my FritzBox Modem/Router. In fact I just want to access all services as I would be at home, especially my mediathek and live TV apps (Zapp, MTCast, ZDF mediathek ....).
And I do have the AFWall. Without that it seems I don't have problems. But with active AFWall it is strange.
As stated before I use for rules LAN, WIFI and 4G. LAN only for apps that should be controlled inside my network (as Heater, who don't have to access to outer world).
For a comparison I set my terminal so that I can ping the address and then used same setting for my TV app. But that doesn't work.
First and most important question: Do I need the VPN setting in AFWall if I don't want other rules than lets say WIFI?
What happens If I once set rules in VPN setting and disabled that again? Does the rules keep active and will just not displayed?
As far as I'm aware, in Android VPN is global. So once you establish a VPN connection, everything has to go through it.

In AFWall+, you need to enable your VPN app for wifi or mobile access, and you need to enable the apps for VPN access that you want to be able to connect through the tunnel, regardless of how the tunnel is connected.
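
An added illustration, not part of the thread and not AFWall+'s own ruleset: a sketch of how an iptables front-end can express the per-app, per-interface rules described in the post above, using the owner match on each app's UID. The chain names (`fw-*`), interface patterns and UIDs are assumptions made up for the example, and the script only prints rules; it never applies them.

```shell
#!/bin/sh
# Added illustration: prints iptables rules, never applies them.
# Chain names (fw-*), interface patterns and UIDs are assumptions for this example.

# Interface-name patterns per connection class ("+" is iptables' wildcard suffix).
iface_patterns() {
    case "$1" in
        wifi)   echo "wlan+" ;;
        mobile) echo "rmnet+" ;;
        vpn)    echo "tun+ ppp+" ;;
        *)      return 1 ;;
    esac
}

# gen_rules "class:uid ..." prints a whitelist-mode ruleset, one iptables
# argument list per line. The owner match only sees locally generated
# packets, so per-app rules live on the OUTPUT path.
gen_rules() {
    for entry in $1; do                      # validate before emitting anything
        class=${entry%%:*}; uid=${entry#*:}
        iface_patterns "$class" >/dev/null || { echo "bad class: $class" >&2; return 1; }
        case "$uid" in ''|*[!0-9]*) echo "bad uid: $uid" >&2; return 1 ;; esac
    done
    printf '%s\n' "-N fw-out"
    for class in wifi mobile vpn; do
        printf '%s\n' "-N fw-$class"
        for pat in $(iface_patterns "$class"); do
            # dispatch on the outgoing interface
            printf '%s\n' "-A fw-out -o $pat -j fw-$class"
        done
    done
    for entry in $1; do
        printf '%s\n' "-A fw-${entry%%:*} -m owner --uid-owner ${entry#*:} -j RETURN"
    done
    for class in wifi mobile vpn; do
        # anything not whitelisted on this class is rejected
        printf '%s\n' "-A fw-$class -j REJECT"
    done
    # hook into OUTPUT last, once the chains are complete
    printf '%s\n' "-A OUTPUT -j fw-out"
}

# verdict "class:uid ..." UID IFACE: what the ruleset above does to a packet
# that UID sends out of IFACE.
verdict() {
    case "$3" in
        wlan*)      class=wifi ;;
        rmnet*)     class=mobile ;;
        tun*|ppp*)  class=vpn ;;
        *)          echo ACCEPT; return 0 ;; # e.g. lo: no class chain is entered
    esac
    for entry in $1; do
        if [ "$entry" = "$class:$2" ]; then echo ACCEPT; return 0; fi
    done
    echo REJECT
}

# Constructed sample: 10150 = VPN client app, 10200 = an app that may only use the tunnel.
ALLOW="wifi:10150 mobile:10150 vpn:10200"
gen_rules "$ALLOW"
for iface in wlan0 rmnet_data0 tun0; do
    echo "uid 10200 via $iface: $(verdict "$ALLOW" 10200 "$iface")"
done
```

With this constructed allow-list, UID 10200 is rejected on `wlan0` and `rmnet_data0` and accepted only on `tun0`, so its traffic cannot fall back to the underlying network if the tunnel goes down.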
 

haitower

I have 2 questions:
  1. If I want the donation version without google play, the developer states: "Please drop me an mail to (contact @ portgenix.com ) after your donation to get the unlocker APK (closed source for now) with details." But if I don't download it via an app store, how does the app get updated then?
  2. I want to forbid outbound traffic from a certain app. Is it possible to do this for just ONE app? Obviously if you forbid outbound traffic in the "Preferences -> Rules/Connectivity" section, it gets forbidden for ALL apps.
 

sabei

I want to forbid outbound traffic from a certain app. Is it possible to do this for just ONE app?
For me the whole point of the app is to control the individual items that are allowed to connect.

You have an allow selected or block selected setting which of course makes no difference if you don't allow outgoing connections.
I have only 5 items in total allowed and could easily remove one of those.
 

haitower

For me the whole point of the app is to control the individual items that are allowed to connect.

You have an allow selected or block selected setting which of course makes no difference if you don't allow outgoing connections.
I have only 5 items in total allowed and could easily remove one of those.
Sorry, I totally do not understand what you want to tell me. Could you explain it another way?

Is it now possible to allow/block inbound/outbound connections per app or not?

By "items", do you mean other apps?

I want to block outbound connections (unwanted tracking my data) from certain apps (e.g. Weather app) but allow inbound (weather data).
 
Aug 3, 2019
40
31
Berlin
If the developer sends me the apk, I guess I can't update it via f-droid, right?
Then I would have to manually check for updates because there is no auto update checker/reminder?
No, these are two different apks.
You can install the main apk from F-Droid and get it updated from there. For the paid version you receive a second apk (AFWall+ Unlock Key) from the developer which turns your installed apk into the donation version.
 

Uluru25

Sorry, I totally do not understand what you want to tell me. Could you explain it another way?

Is it now possible to allow/block inbound/outbound connections per app or not?

By "items", do you mean other apps?

I want to block outbound connections (unwanted tracking my data) from certain apps (e.g. Weather app) but allow inbound (weather data).
Ever thought to use XPrivacyLua to achieve this privacy saving?
 

haitower

Ever thought to use XPrivacyLua to achieve this privacy saving?
Yes, I even already installed LSPosed and was ready to go for XPrivacyLUA (I have used the old XPrivacy before) when I read this from the GrapheneOS lead developer:

xPrivacyLua is selfexplaining
It's not self-explaining, and see below for why you probably don't want this. You do probably want the ability to force apps to see fake data, but this doesn't do that. It's a client-side check inserted into the app that the app can bypass (even unintentionally, by using a different client-side implementation) or disable.

You should try to look for a rootless solution of your needs xprivacylua: virtualxposed (latest version from github) can be used to isolate apps and apply xprivacy rules to them.
It does not provide any isolation and cannot fundamentally improve privacy / security because it's based on client side checks, which is not a working approach. It relies on apps not accessing the data via other approaches or alternate implementations of the client-side code, which isn't uncommon. Apps can also detect it and simply work around it directly. This will only give you a false sense of privacy / security. Apps will likely use the fake data for their user-facing functionality, making you think that it works, but a tracking SDK bundled with the app can easily bypass this and harvest your data if you allow the permissions via the OS. This is harmful approach...
Source: Reddit

Now I'm in doubt if there is any sense in using it.. :/
 

Top Liked Posts

  • 6
    As there are some issues with Magisk Modules Repository I'll post it here.
    There are some situations when app gets access to Internet during boot process simply because AFWall does not start yet. The first obvious solution is always disabling Internet when rebooting or powering off the phone. The second solution - Magisk module I have created that disables Internet until AFWall starts.
    It could be recognized as possible "antileak" solution.
    4
    I don't believe that is fully correct. The reason is that the whatsapp will not know when a new message comes in, and if it used the "data" line to check for new messages, it would have to continuously ping the server and ask the server "do I have new messages", which would keep the internet connection constantly open/active and use up a lot of data for all these "checks".

    Push messages use the SMS system so that it doesn't have to constantly "check" for new messages, instead the phone simply "waits" for a push notification (a special/hidden type of incoming SMS message) and then it will contact the server using a data connection to retrieve the new message.
    Push notifications generally use Google Cloud Messaging, so if you disable Google Services from internet access, you most likely will not receive notifications, unless the app has a setting to poll the server directly, but it can only do that if it has internet access.
    2
    Whatsapp is via data not SMS.

    But my question is, will afwall block push notification from OTHER apps when enabled to block internet? So for example, I want to deny push notification temporary from Facebook, discord and twitter (list is a lot longer, thus going through Android settings can be time consuming as this is temporary) , so when I use AFwall to disable internet access for these apps, will push notifications still come through?
    As @JohnC suggests, you will get a notification, but without actual message info. With WhatsApp, the notification will just say: 'You may have new messages' and the content is only retrieved after you unblock WhatsApp again.
    2
    Isn't the standard of AFWall working properly?
    Nope. I really observed leaks with it. Unfortunately there are a number of things that do not work properly in AFWall especially in latest versions.
    1
    Quick question, if I deny an app, I assume I will deny the push notification service too for that app? I'm going to an area/event with very limited data access soon as it is going to be congested. So I want to have only whatsapp to be the only app with internet access during this area to connect with other groups in an event. Also I don't want to receive notifications temporary while being in this area other than whatsapp
    I believe push messages come into the phone on a SMS channel, so it is handled by the system and an intent is then sent to the appropriate app. So I'm thinking that the app should be able to receive the push message even without internet, but this push message could simply be a command for the app to connect to the app's server to retrieve the actual message (because the push message doesn't contain the actual message), and if you have internet access blocked, then that would prevent the app from retrieving the message.
  • 386
    Welcome to official support page for AFWall+

    Disclaimer - As Usual. I'll not take any responsibility if something goes wrong when using AFWall+

    Introduction
    AFWall+ is an improved version of DroidWall (front-end application for the powerful iptables Linux firewall). It allows you to restrict which applications are permitted to access your data networks (2G/3G/4G/LTE and/or Wi-Fi and while in roaming). Since the original author of Droidwall discontinued the project, I decided to keep the app instead of Avast Firewall. I'll continue to add more features as I can.


    Features
    - Supports 5.x to 11.x
    - Import/Export Rules to external storage
    - Search Applications
    - Multiple Profiles with custom names
    - Tasker/Locale support
    - Select All/None/Invert/Clear applications with single click
    - Revamped Rules/Logs Viewer with copy/export to external storage
    - Ability to view the network interfaces
    - Highlight system applications with custom color
    - Notify on new installations
    - Ability to hide application icons( faster loading )
    - Use LockPattern for application protection.
    - Show/Hide application ID.
    - Roaming Control for 3G/Edge
    - VPN Control
    - LAN Control
    - Tether Control
    - IPV6 Control
    - Tor Control
    - Choosable languages
    - Choosable iptables/busybox binary
    - Supports MIPS/x86/ARM
    - DNS Hostname

    Changelog - See third Post
    Current Version - 3.5.2

    To get Unlocker without Google services - Please follow the instructions here

    AFWall+ BETA Program
    1) AFWall+ opt-in for beta program
    2) Install AFWall+ and if you have any issues, just send email from (Menu -> Firewall Rules -> Send error report)

    Source Code/Wiki/FAQ
    AFWall+ is a free & open-source application
    Github
    Log an issue
    Frequently Asked Questions
    Many Thanks to @CHEF-KOCH

    Translations
    Translations - Please help me with translations in your language.
    http://crowdin.net/project/afwall

    Thanks To/Credits
    - German translations by [email protected] & [email protected] & [email protected]
    - French translations by [email protected] & [email protected]
    - Russian translations by [email protected] & YaroslavKa78
    - Spanish translations by [email protected]
    - Dutch translations by [email protected]
    - Japanese translation by [email protected]
    - Ukrainian translation by [email protected]
    - Slovenian translation by bunga [email protected]
    - Chinese Simplified translation by [email protected]
    - Polish translations by tst,Piotr [email protected]
    - Swedish translations by [email protected]
    - Greek Translations by [email protected]
    - Portuguese translations by [email protected]
    - Chinese Traditional by [email protected]
    - Chinese Simplified by wuwufei,tianchaoren @ crowdin
    - Italian translations by [email protected]
    - Romanian translations by [email protected]
    - Czech translations by Syk3s

    Cheers,
    ukanth

    XDA:DevDB Information
    AFWall+ [ IPTables Firewall ], App for the Android General

    Contributors
    ukanth
    Source Code: https://github.com/ukanth/afwall


    Version Information
    Status:
    Stable
    Current Stable Version: 3.4.0
    Stable Release Date: 2020-02-09
    Current Beta Version: 3.5.0-BETA1
    Beta Release Date: 2020-09-05

    Created 2013-12-03
    Last Updated 2020-09-05
    70
    Version 3.0.1

    * Fix: Status toggle widget 1x1
    * Fix: Ability to hide ongoing notification (Stop firewall and restart to hide after disable it in preferences)
    * Fix: Firewall error notification on oreo and above
    * Security: Tile toggle checks for password
    * User reported crashes
    * Updated translations

    Previous version 3.0.0

    Features:
    * Better support for nougat/oreo and pie.
    * Firewall toggle tile
    * Adaptive Icons
    * Notification channels
    * Tor support

    Bugs:
    * General bug fixes and crash reports.
    * Language selection bug
    * Filter selection bug
    * Compatible with magisk 17.x
    * Better handling of background process
    * Drops support for 4.x devices
    * Update languages
    * Updated libraries

    Complete Changelog

    41
    Hello All,

    After careful analysis and testing, I decided not to rewrite the way rules are being applied due to the lot of under-the-hood changes required. Instead I added a few enhancements. Now applying rules from menu will show how many rules are getting applied with progress status. Also when adding/removing a few rules, it will apply only those related rules instead of full apply.

    Also fixed couple of bugs and enhancements. You can get the full changelog from https://github.com/ukanth/afwall/blob/beta/Changelog.md

    This is BETA Version which is not released on playstore. I have been using this for past week and it's stable. But there might be bugs which I haven't encountered. Please test it and report it in case of any issues.

    Also I have been following XPrivacy thread on the decision by its author. Just as FYI, I might fix it for my own usage when I update to nougat, I will share it here if anybody uses it here.

    BETA Link - https://www.dropbox.com/s/isvi413qyx6vb4d/AFWall+ 2.9.7-BETA-TESTER.apk?dl=0
    40
    Hello everyone,

    I have released 3.0.0 stable on playstore today. It's been a crazy month so far. After going through lot of dilemma of whether to support the existing afwall or write a new one from scratch, finally able to pull myself and release stable version of afwall with lots of bug fixes and new features along with pie support. Since I don't do full time Android development, it was hard to keep track of what's going on with sdk level changes.

    Thank you all for your support in AFWall+ development. Without your support it would simply not be possible to pull through this.

    I will be out for couple of days ( taking off to spend time with my family ) and hopefully will be able to reply to questions once back.

    Thanks again and have a great day.
    35
    Hello everyone,

    I have released stable version of 3.1.0 to playstore and github. Its live on playstore. You can find the changelog along with md5/sha here

    https://github.com/ukanth/afwall/releases/tag/v3.1.0

    Thank you all for your continuous support in AFWall+ development.