SEVERE SECURITY WARNING:
AFWALL default functionality might NOT (and probably for many will NOT) secure your Android phone.
EXPECTED BEHAVIOR:
A secure firewall must block incoming connections that are not initiated by the user.
ACTUAL BEHAVIOR:
a) Using the latest version 3.5.2, I discovered erratic behavior by the app when trying to run a custom script to set the incoming packet policy to DROP and accept only related and established incoming connections. AFWall errored out when trying to set the rules.
b) Depending on your ROM, you might have INPUT chain rules that need to be vetted, which relies on custom scripting that errors out. For example, a Samsung stock ROM on a 2020 device has an "input_dos" chain rule within the INPUT chain that explicitly allows ctstate "NEW" packets through. This must not happen in a secure firewall that only wants to accept established and related state incoming packets.
WORKAROUND:
What works for the time being as a workaround is:
a) Set up AFWall focusing on app permissions, which should cover the OUTPUT part of the firewall.
b) Change the INPUT chain rules manually via terminal to drop incoming packets except for established/related connection state packets, and remove rules that bypass this restriction.
------
This tight INPUT chain has nearly doubled my battery life (4000 mAh Li-Po, from 10 hrs to 20 hrs).
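Added example for the manual INPUT-chain workaround described in the post; this is not code from the post or from AFWall. It is a POSIX shell script that audits an `iptables -S` dump for ACCEPT rules admitting NEW connections, following jumps from INPUT into vendor chains, and prints the iptables commands that enforce an ESTABLISHED,RELATED-only INPUT chain. The dump it runs on is constructed: only the chain name input_dos comes from the post, every rule inside it (and the second chain oem_in) is an assumption for illustration. On a rooted phone you would replace the sample with the output of `su -c 'iptables -S'`.

```shell
#!/bin/sh
# Added example, not code from the post or from AFWall. Audits an `iptables -S`
# dump for INPUT-side rules that admit NEW (unsolicited) connections, including
# rules hidden in vendor chains that INPUT jumps to, and prints the iptables
# commands that enforce an ESTABLISHED,RELATED-only INPUT chain.
# Runs offline on the constructed dump below; on a rooted phone you would feed
# the functions the output of:  su -c 'iptables -S'

# Constructed sample dump. Only the chain name input_dos comes from the post;
# every rule here is an assumption for illustration, not captured from a device.
SAMPLE_DUMP='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N input_dos
-N oem_in
-A INPUT -j input_dos
-A INPUT -j oem_in
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A input_dos -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A input_dos -p udp --dport 5353 -j ACCEPT
-A oem_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A oem_in -j RETURN'

# Default policy of INPUT. ACCEPT means anything no rule matched gets in.
input_policy() {
  printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }'
}

# Rules that ACCEPT without being limited to ESTABLISHED/RELATED, in INPUT or
# in any user chain reachable from INPUT via -j/-g. Loopback (-i lo) is
# exempted because the workaround keeps it. Prints one "-A chain ..." per line.
find_new_accepts() {
  printf '%s\n' "$1" | awk '
    $1 == "-N" { userchain[$2] = 1 }
    $1 == "-A" {
      n++; rule[n] = $0; chain[n] = $2; target[n] = ""
      for (f = 3; f < NF; f++) if ($f == "-j" || $f == "-g") target[n] = $(f + 1)
    }
    END {
      reach["INPUT"] = 1
      do {                        # transitive closure over jumps from INPUT
        added = 0
        for (i = 1; i <= n; i++)
          if ((chain[i] in reach) && (target[i] in userchain) && !(target[i] in reach)) {
            reach[target[i]] = 1; added = 1
          }
      } while (added)
      for (i = 1; i <= n; i++) {
        if (!(chain[i] in reach) || target[i] != "ACCEPT") continue
        if (rule[i] ~ / -i lo( |$)/) continue
        # A conntrack match naming only ESTABLISHED/RELATED is the rule we
        # want; one that also lists NEW, or has no ctstate at all, leaks.
        if (rule[i] ~ /--ctstate [A-Z,]*(ESTABLISHED|RELATED)/ && rule[i] !~ /NEW/) continue
        print rule[i]
      }
    }'
}

# Commands that implement the workaround. Printed, not executed, so they can be
# reviewed first; run them as root from a local terminal, and keep in mind that
# adb over Wi-Fi is itself an inbound connection you may be cutting off.
hardening_commands() {
  dump="$1"
  pos=1
  for r in '-i lo -j ACCEPT' '-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'; do
    # An existing copy is deleted first so the rule can be re-inserted at the
    # top of INPUT, ahead of any vendor jump such as -j input_dos.
    if printf '%s\n' "$dump" | grep -Fxq -- "-A INPUT $r"; then
      printf 'iptables -D INPUT %s\n' "$r"
    fi
    printf 'iptables -I INPUT %d %s\n' "$pos" "$r"
    pos=$((pos + 1))
  done
  # Delete every leaking rule by its exact specification.
  find_new_accepts "$dump" | sed 's/^-A /iptables -D /'
  # Flip the default policy last so nothing in flight is dropped meanwhile.
  echo 'iptables -P INPUT DROP'
}

echo "INPUT policy: $(input_policy "$SAMPLE_DUMP")"
echo "Rules admitting NEW connections:"
find_new_accepts "$SAMPLE_DUMP"
echo "Suggested commands (review, then run as root):"
hardening_commands "$SAMPLE_DUMP"
```

On the sample dump the audit flags the two input_dos rules and nothing in oem_in, and the generated commands place the loopback and conntrack accepts at positions 1 and 2 of INPUT, delete the flagged rules by specification, and only then set the policy to DROP. Run the same audit against `ip6tables -S`; a vendor chain that leaks over IPv6 is missed entirely if only the IPv4 table is checked. Rules added this way do not survive a reboot, so a persistent fix still needs a boot-time script or AFWall's own custom-script hook once it works on the ROM in question.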