[APP][4.0.3+ & GB][XPOSED] LightningWall

defim

Senior Member
Feb 18, 2012
2,744
1,487
0
Xposed app firewall.

This app is a firewall for the installed apps. Only apps with the permission "android.permission.INTERNET" are
shown. IPv4 and IPv6 are supported, together with TCP and UDP. You can configure outgoing and incoming
connections independently of each other.
The rules can be applied for each network: W-Lan, local network, mobile, roaming, unknown.
Logging is configurable for incoming/outgoing and allowed/denied connections.

Colors:
  • Blue: Template is used.
  • Yellow: Custom settings.
  • Green: The app is trusted.
  • Red: The app is blocked.
Features:
  • No iptables required, the kernel doesn't need to support it.
  • The firewall is active when Android starts, no startup data leak.
  • The rules are always active, no re-apply on connection change is needed.
Limitations:
  • Host names in the log file are PTR entries.
  • Works only for Android (Java), not the native (Linux) part.
Donation:
  • No self-promotion in the app.
  • You could trust or block an app (Menu/ActionBar)
  • You could use a template for not configured apps
  • Additional (experimental) networks: Bluetooth, WiMAX, Ethernet
  • Tasker support, per App
  • You support this app and further development!
Permissions:
  • ACCESS_SUPERUSER: apply iptables rules

This app does not connect itself to any websites or hosts!

Important:
This app needs the Xposed Framework. The framework requires root access for installation. Don't forget to enable the module in Xposed. You can grab it here: Xposed Installer

Website: http://tinyurl.com/l5bpv23
Play Store: http://tinyurl.com/ome2pvc
Xposed Repository: http://tinyurl.com/ksc6plz
Changelog: http://tinyurl.com/n8gsqja

Why this app? No firewall for Xposed exists yet :)

Translation:
You can find an interface to translate the English strings here: http://tinyurl.com/okycacj
A free account of www.oneskyapp.com is required to edit. Additionally, please attach your email address or send it via PM ;)
 


shivadow

Insane.. I was looking for something like this about 12 hours ago.. it's almost like you read my mind and made it just for me!

I like your style. Nice and simple and keeping it in line with your others.

Sent from my GT-I9300 using Tapatalk
 

defim

> Insane.. I was looking for something like this about 12 hours ago.. it's almost like you read my mind and made it just for me!
>
> I like your style. Nice and simple and keeping it in line with your others.
>
> Sent from my GT-I9300 using Tapatalk

Maybe you heard me thinking out loud 6 weeks after starting this app: "I will release today, if there are still errors, I'll fix them later" :D
 

defim

I got a question about incoming/outgoing connections; maybe someone else wants to know:
Incoming connections are used by less than 1% of all apps. They are used if the app is a "server", like BubbleUPnP. So most of the time incoming connections can be blocked, I think for the mobile network 100%.
An outgoing connection is like a phone call: you call someone (outgoing connection), and can talk (send "data") and hear (receive "data").

Wifi Internet and Network:
If you want to control e.g. your local TV receiver, XBMC device or AVM router (with FreetzMobil), only connections to the local network are required. This prevents the app from sending data to the internet.
The "local network" is all "private" IPv4 and IPv6 addresses; they will not be forwarded by internet routers. Additionally, if you use "public" IPs, they are local if they are in the same subnet as an IP of your device. This is uncommon for IPv4, but public IPv6 addresses are the common usage (a public IPv6 address for every device).


> Am I correct in assuming this is not open source?

As usual I send source only to people I know.
 
  • Like
Reactions: w0rinal
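
The local-versus-internet split described in the post above, as an added example that is not part of the thread and is not LightningWall's code (the app is closed source). The private-range list, the function name `classify` and the sample addresses are assumptions; 2001:db8::/32 and 203.0.113.0/24 are documentation prefixes standing in for public addresses.

```python
import ipaddress

# Assumption: these non-routed ranges stand in for "private"; the app's
# actual list is not published in the thread.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                 # IPv4 link-local
    "fc00::/7",                                       # IPv6 unique local
    "fe80::/10",                                      # IPv6 link-local
)]


def classify(dest, device_ifaces):
    """Return 'local' or 'internet' for one destination address.

    device_ifaces: the device's own addresses with prefix length,
    e.g. ['192.168.1.20/24', '2001:db8:1:2::20/64'].
    """
    addr = ipaddress.ip_address(dest)
    # Dual-stack sockets can report IPv4 peers as ::ffff:a.b.c.d; judge
    # those by the embedded IPv4 address so the IPv4 rules still apply.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Case 1: private ranges are local whatever network the device is on.
    if any(addr.version == n.version and addr in n for n in PRIVATE_NETS):
        return "local"
    # Case 2: a public address is local only if it shares a subnet with
    # one of the device's own interface addresses.
    for iface in device_ifaces:
        net = ipaddress.ip_interface(iface).network
        if addr.version == net.version and addr in net:
            return "local"
    return "internet"


# Constructed sample: documentation prefixes stand in for public addresses.
DEVICE = ["192.168.1.20/24", "2001:db8:1:2::20/64"]
SAMPLES = ["192.168.1.1", "203.0.113.7", "2001:db8:1:2::1",
           "2001:db8:ffff::1", "::ffff:10.0.0.5", "fe80::1"]

if __name__ == "__main__":
    for dest in SAMPLES:
        print(f"{dest:20} {classify(dest, DEVICE)}")
```

A rule set that allows only "local" destinations on Wi-Fi therefore still reaches the router and same-prefix IPv6 neighbours, while anything outside the device's own prefixes counts as internet traffic.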

an0n981

I took this mod for a quick test drive, a little feedback:
-Is it not possible to restrict kernel?
-Could it be that apps that use native libraries to connect to the internet cannot be restricted? Firefox and Mega (both use native libraries) were able to connect even when completely restricted.
Also a little cosmetic issue: com.android.process.gapps showed completely green at all times. However, restrictions were applied properly.
 
  • Like
Reactions: banderos101

defim

> I took this mod for a quick test drive, a little feedback:
> -Is it not possible to restrict kernel?
> -Could it be that apps that use native libraries to connect to the internet cannot be restricted? Firefox and Mega (both use native libraries) were able to connect even when completely restricted.
> Also a little cosmetic issue: com.android.process.gapps showed completely green at all times. However, restrictions were applied properly.

Yes, see OP: "Limitations: ... no native binaries." This is because of the design of Xposed.
Isn't it "com.google.process.gapps"? Only this one app has the wrong colors? Does it have a green dot for "trusted app"? What did you configure for it?
 

an0n981

Yes, I meant com.google....
I set it from template to custom and blocked everything; however, in the app overview it still showed as all green. When it was restricted, GCM was blocked and the log showed blocked connections to mtalk.google.com:5228. Then I unrestricted outgoing mobile and wifi, and GCM was available and the log correctly showed allowed connections, but the colors in the app overview didn't change.
 

an0n981

The bug affects any app that starts and ends with <>. <android.media> and <org.mozilla.firefox.sharedid> also always revert back to displaying completely green once the app is reloaded.
 

defim

> Also 1 more question. Do you see any problem running this alongside AFWall?

No, should work without problems. One creates iptables rules, the other hooks the connection methods - if one fails, the other does it :)

> The bug affects any app that starts and ends with <>. <android.media> and <org.mozilla.firefox.sharedid> also always revert back to displaying completely green once the app is reloaded.

The "<>" entries are not real apps (.apks) with a package name, they are uids. At app start I load all installed apps with internet permission and hide apps which are no longer installed / no longer have the permission -> the uid items are not in the list of installed apps (obviously) :eek:
Will be fixed in next release
EDIT: Uploaded
 
  • Like
Reactions: an0n981

jaibar

This is awesome ?



A few questions:

- is there a way to edit template? I couldn't find it anywhere in settings- am I missing something?

- Can you add multiple selection? For example, someone has lots of apps and wants to block roaming to them etc. etc. without having to change it manually for each app.

- filtering or sorting apps? perhaps something simple like the way afwall , or a more thorough filter like XPrivacy has?

Sent from my Nexus 5 using Tapatalk
 

an0n981

> The "<>" entries are not real apps (.apks) with a package name, they are uids. At app start I load all installed apps with internet permission and hide apps which are no longer installed / no longer have the permission -> the uid items are not in the list of installed apps (obviously) :eek:
> Will be fixed in next release
> EDIT: Uploaded

Confirmed fixed
 

defim

> This is awesome ?
>
> A few questions:
>
> - is there a way to edit template? I couldn't find it anywhere in settings- am I missing something?
>
> - Can you add multiple selection? For example, someone has lots of apps and wants to block roaming to them etc. etc. without having to change it manually for each app.
>
> - filtering or sorting apps? perhaps something simple like the way afwall , or a more thorough filter like XPrivacy has?
>
> Sent from my Nexus 5 using Tapatalk

The template is used for all "blue" apps, which are not configured by the user. Modifying the template is part of the donator options (see OP).

Btw, next planned feature: detection of VPN connections
 
  • Like
Reactions: banderos101

mermaidkiller

> The template is used for all "blue" apps, which are not configured by the user. Modifying the template is part of the donator options (see OP).
>
> Btw, next planned feature: detection of VPN connections

Nice feature!
I dry tested this app (i.e. not checked in the Xposed module on my device) and already saw that the VPN was missing. Now I use AFWall+ which is good and has more profiles. I block all Google apps with it with a 'limited internet' profile and every time I download something from Play, I load another profile which allows 'Google Play services' and 'Google Play store' internet connection and after download/update I revert to 'Limited internet'.

On my Mac I have 'Little Snitch' firewall which has the ability to let it prompt for certain apps which I don't want to be connected permanently (such as the Mac App Store), but only when I do e.g. an OSX update. In that case I let it prompt and say 'only this time'.

A similar approach on LightningWall would be very welcome. E.g. a notification that the Play store wants to connect to the internet, and when one wants to download / update an app, say 'only this time' and not permanently.
 
  • Like
Reactions: banderos101

banderos101

> Nice feature!
> I dry tested this app (i.e. not checked in the Xposed module on my device) and already saw that the VPN was missing. Now I use AFWall+ which is good and has more profiles. I block all Google apps with it with a 'limited internet' profile and every time I download something from Play, I load another profile which allows 'Google Play services' and 'Google Play store' internet connection and after download/update I revert to 'Limited internet'.
>
> On my Mac I have 'Little Snitch' firewall which has the ability to let it prompt for certain apps which I don't want to be connected permanently (such as the Mac App Store), but only when I do e.g. an OSX update. In that case I let it prompt and say 'only this time'.
>
> A similar approach on LightningWall would be very welcome. E.g. a notification that the Play store wants to connect to the internet, and when one wants to download / update an app, say 'only this time' and not permanently.

XPrivacy implements a similar thing, allowing the user to be informed when one of the restrictions is asking for access to that permission, including internet permissions (no distinction between LAN or VPN). I would also welcome an on-demand prompt feature for this app; it's one feature I wished AFWall had, but I believe it can't because of the nature of iptables.
Saying that, I'm also kinda worried that this might conflict, two apps essentially fighting for control to "pause" the system. Hope I'm wrong; maybe if the two devs of the two respective apps cooperated in implementation, it might be resolved, if there is an issue, I don't know... but I'm getting ahead of myself here, defim has not even stated that he'll implement this. Still, no harm in discussing possibilities, slim or not.
 
Last edited:

defim

@banderos101 @mermaidkiller If you want to be informed if an app is allowed or denied to access some hosts, you could get it with Tasker. Just with a simple message box or more enhanced things Tasker can do. It should not be a problem using this app with XPrivacy, AFWall etc. If you block a connection with one app, it could be that the others can't see/log it. This depends on the order of the apps. An iptables firewall should be the last one the connection passes through.
A per-host filter is not planned. If you want to stop connections to some (tracking, malware, adware) hosts, a hosts file filter could be used, like my UnbelovedHosts.
 