[5.0+][ROOT][3.6.0] AFWall+ IPTables Firewall [28 AUG 2023]

[notNSA]

SEVERE SECURITY WARNING:
AFWALL default functionality might NOT (and probably for many will NOT) secure your Android phone.

EXPECTED BEHAVIOR:
A secure firewall must block incoming connections that are not initiated by the user.

ACTUAL BEHAVIOR:
a) using the latest version 3.5.2 and I discovered erratic behavior by the app when trying to run a custom script to set incoming packet policy to DROP and accept only related and established incoming connections. AFWall errored out when trying to set the rules.

b) depending on your ROM you might have INPUT chain rules that need to be vetted, which relies on custom scripting errors out. For example, a Samsung stock Rom on a 2020 device has "input_dos" chain rule within INPUT chain that explicitly allows ctstate "NEW" packets through. Must not happen in a secure firewall that only wants to accept established and related state incoming packets.

WORKAROUND:
What works for the time being as a workaround is:

a) set up AFWall focusing on app permissions which should cover the OUTPUT part of the firewall.

b) change the INPUT chain rules manually via terminal to drop incoming packets except for established/related connection state packets and remove rules that bypass this restriction.

------
This tight INPUT chain has nearly doubled my battery life (4000 mAh Li-Po from 10hrs to 20 hrs).

 

[FFW]

Thanks for your explanation of "Clat"!
Just a last guess: How is your handling of IPv4 and IPv6 Chains?
I can't use IPv6, so I didn't enable it.

This is the setting of my Moto G Play phone and Samsung Galaxy Tab S2, both LOS 17.1:

View attachment 5340641

I have it active. Adjusting the setting what I see on your screenshot does not help as well though. It seems either my XZ1 Compact is in some way different - or my Wireguard VPN makes a difference ;-)

Well, I still hope from some ideas from @ukanth - either here or on his github site... but thanks for trying to help!

Edit: I found one difference between our settings though: If I set the "Input chain" setting to "blocked", Wireguard (and thus, anything else) does not get any web access on 3.4.0 as well. Might be logical since AFAIK Wireguard acts as a local "router interface". So this is a clear difference between your devices and mine.

Maybe there is some change between 3.4.0 and 3.5.x that causes this chain setting to break...?

 

[eriol1]

SEVERE SECURITY WARNING:
AFWALL default functionality might NOT (and probably for many will NOT) secure your Android phone.

EXPECTED BEHAVIOR:
A secure firewall must block incoming connections that are not initiated by the user.

ACTUAL BEHAVIOR:
a) using the latest version 3.5.2 and I discovered erratic behavior by the app when trying to run a custom script to set incoming packet policy to DROP and accept only related and established incoming connections. AFWall errored out when trying to set the rules.

b) depending on your ROM you might have INPUT chain rules that need to be vetted, which relies on custom scripting errors out. For example, a Samsung stock Rom on a 2020 device has "input_dos" chain rule within INPUT chain that explicitly allows ctstate "NEW" packets through. Must not happen in a secure firewall that only wants to accept established and related state incoming packets.

WORKAROUND:
What works for the time being as a workaround is:

a) set up AFWall focusing on app permissions which should cover the OUTPUT part of the firewall.

b) change the INPUT chain rules manually via terminal to drop incoming packets except for established/related connection state packets and remove rules that bypass this restriction.

------
This tight INPUT chain has nearly doubled my battery life (4000 mAh Li-Po from 10hrs to 20 hrs).

AFAIK, AFWall never claimed to block any incoming connections. The main purpose is to block unwanted outgoing connections.
Android itself maybe blocks some incoming connections? but android probably has a very different idea of what an unwanted connection is

Nevertheless, thanks for the important info and nice effect on the battery

 

[shutdown-h_now]

b) change the INPUT chain rules manually via terminal to drop incoming packets except for established/related connection state packets and remove rules that bypass this restriction.

My custom start-up script with DROP-policy for unwanted (not whitelisted) incoming traffic fortunately doesn't produce errors on v3.5.2.1.

Often after booting up the phone AFWall+ can't get root access despite Magisk is set to grant it always. AFWall+ then disables the firewall. I start it again, enable firewall and the script and rules get applied. A somehow peculiar behaviour ...

---
Edit: Also tried to work with timeouts before getting the rules applied. This doesn't help, either.

 

[Tappad]

I had AFwall+, worked like a charm. Had to wipe my phone and I did export my rules etc but I can only import them on the pro version, which I cant afford atm. But I once found a guide to help me with which apps/functions to block but I cant seem to find it now.

So, any idea where I can find a guide describing what ex multicast is and what to block etc?

 

[Kilito!!*-*]

Uh ... I need a little help



It's been a long time since I found that thing that says "AppID : -1"



My cell phone overheats because it tries to connect to the internet about 20,000 times every time I look at it, and this is the only application where there is any evidence of this so I wanted to know if you know what it is...



I've tried to find the application that causes this in many ways but can't find anything



Uh ... help

 

[PietZeHut]

Hi All,
my moto g7 power is unlocked, has LOS18 (lineage-18.1-20210724-nightly-ocean) installed and is using AFWall+.
Unfortunately AFWall is blocknig other devices to connect to my moto g7 power via wifi tethering.
Can anyone guide me how to configure AFWall to allow it?
Many thanks !

 

[EngineerMind]

I know this may sound like a newbie question, but I just want to understand how this app works.

From what I understand, it modifies the "IPTables" which I believe are config files that tell the internal network system how to route data packets.

So, if this app modifies the IPTables files to apply my rules, then why when I reboot my device, it displays "Applying Rules" again on boot up? Meaning, if the IPTables were modified when I last used this app, then I would think these IPTables files would remember their settings in-between boots, so there should be no reason to reapply them after a reboot. So why does this app need to reapply the same rules after a reboot?

Or is it that any changes to the IPTables are only valid for the current device session, and when the device gets rebooted, the iptables are cleared, and that is why this app needs to reapply them?

If this second theory is the case, then does that mean that apps (that I blocked in afall) will be able to reach the internet for the first ~30 seconds right when the device is booting up, but before afwall+ has the chance to reapply the rules?

 

[TriMoon]

I know this may sound like a newbie question, but I just want to understand how this app works.

From what I understand, it modifies the "IPTables" which I believe are config files that tell the internal network system how to route data packets.

No it is not any config files...
It is the name of the networking functionality of the kernel.
It's rules are kept in memory and need to be reapplied after each boot.

 

[EngineerMind]

No it is not any config files...
It is the name of the networking functionality of the kernel.
It's rules are kept in memory and need to be reapplied after each boot.

Wow - so apps can get internet access for around a minute right after bootup (before afwall can apply the rules).

 

[TriMoon]

Wow - so apps can get internet access for around a minute right after bootup (before afwall can apply the rules).

That could be the case, I don't know because I haven't used AFWall for years so I don't know how and when it applies the rules.
My answer is from a general Linux knowledge point of view.

 

[Uluru25]

Wow - so apps can get internet access for around a minute right after bootup (before afwall can apply the rules).

Check preferences/experimental:

 

[b00b]

Wow - so apps can get internet access for around a minute right after bootup (before afwall can apply the rules).

yes they cld and thats all some apps need so as to send info home but the simplest way around that is to turn off mobile internet as well as wifi before reboot and wait about a minute after boot for the firewall to have started before reconnecting internet access

 

[EngineerMind]

Check preferences/experimental:

I have two questions:

1) How do i use the "Startup Directory Path for Script" setting?
2) The "Fix startup data leak" is greyed out - is this because I have Magisk (systemless)?

 

[EEngineer]

yes they cld and thats all some apps need so as to send info home but the simplest way around that is to turn off mobile internet as well as wifi before reboot and wait about a minute after boot for the firewall to have started before reconnecting internet access

I have AFWall+ and before I reboot or shut down my phone (which is at least once a week) I put my phone in airplane mode first.

I also have "Fix startup data leak" greyed out, and I have both int.d and SU installed. What's the deal?

 

[Uluru25]

I have two questions:

1) How do i use the "Startup Directory Path for Script" setting?
2) The "Fix startup data leak" is greyed out - is this because I have Magisk (systemless)?

Just click (first!) on the startup directory path and activate it here. Then the outgreying of fixing the startup data leak will dissappear and you can activate it.

 

[EngineerMind]

Just click (first!) on the startup directory path and activate it here. Then the outgreying of fixing the startup data leak will dissappear and you can activate it.

I have two entries for that option - which one should I select?

 

[EEngineer]

I have two entries for that option - which one should I select?

I have three entries for startup directory:
/su/su.d/
/system/etc/init.d/
/etc/init.d/

Which one?

EDITED: Corrected int.d to init.d

 

[Uluru25]

I have three entries for startup directory:
/su/su.d/
/system/etc/int.d/
/etc/int.d/

Which one?

Sorry, I can't help you here, but I remember that this question was asked (and answered) several times in this thread. Just search for "startup directory path" and you will get some answers.

 

[EEngineer]

Sorry, I can't help you here, but I remember that this question was asked (and answered) several times in this thread. Just search for "startup directory path" and you will get some answers.

XDA thread search hasn't worked for months.