[APP][4.0.3+ & GB][XPOSED] LightningWall


defim

Senior Member
Feb 18, 2012
2,744
1,489
Xposed app firewall.

This app is a firewall for the installed apps. Only apps with permission "android.permission.INTERNET" are
shown. IPv4 and IPv6 are supported together with TCP and UDP. You could configure outgoing and incoming
connections independently of each other.
The rules could be applied for each network: W-Lan, local network, mobile, roaming, unknown.
Logging is configurable for incoming/outgoing and allowed/denied connections.

Colors:
  • Blue: Template is used.
  • Yellow: Custom settings.
  • Green: The app is trusted.
  • Red: The app is blocked.
Features:
  • No iptables required, the kernel doesn't need to support it.
  • The firewall is active when Android starts, no startup data leak.
  • The rules are always active, no re-apply on connection change is needed.
Limitation:
  • Host names in the log file are PTR entries.
  • Works only for Android (Java), not the native (Linux) part
Donation:
  • No self-promotion in the app.
  • You could trust or block an app (Menu/ActionBar)
  • You could use a template for not configured apps
  • Additional (experimental) networks: Bluetooth, WiMAX, Ethernet
  • Tasker support, per App
  • You support this app and further development!
Permissions:
  • ACCESS_SUPERUSER: apply iptables rules

This app does not connect itself to any websites or hosts!

Important:
This app needs the Xposed Framework. The framework requires root access for installation. Don't forget to enable the module in Xposed. You can grab it here: Xposed Installer

Website: http://tinyurl.com/l5bpv23
Play Store: http://tinyurl.com/ome2pvc
Xposed Repository: http://tinyurl.com/ksc6plz
Changelog: http://tinyurl.com/n8gsqja

Why this app? No firewall for Xposed exists yet :)

Translation:
You could find here an interface to translate the English strings: http://tinyurl.com/okycacj
A free account of www.oneskyapp.com is required to edit. Additionally, please attach your email address or send it via PM ;)
 


shivadow

Senior Member
Jan 26, 2012
2,630
483
Insane.. I was looking for something like this about 12 hours ago.. it's almost like you read my mind and made it just for me!

I like your style. Nice and simple and keeping it in line with your others.

Sent from my GT-I9300 using Tapatalk
 

defim

Senior Member
Feb 18, 2012
2,744
1,489
Insane.. I was looking for something like this about 12 hours ago.. it's almost like you read my mind and made it just for me!

I like your style. Nice and simple and keeping it in line with your others.

Sent from my GT-I9300 using Tapatalk

Maybe you heard me thinking out loud 6 weeks after starting this app: "I will release today, if there are still errors, I'll fix them later" :D
 

defim

Senior Member
Feb 18, 2012
2,744
1,489
I got a question about incoming/outgoing connections, maybe someone else wants to know:
Incoming connections are used by less than 1% of all apps. This is used if the app is a "server", like BubbleUPnP. So most of the time incoming connections could be blocked, I think for mobile network 100%.
An outgoing connection is like a phone call: You call someone (outgoing connection), and can talk (send "data") and hear (receive "data")

Wifi Internet and Network:
If you want to control e.g. your local tv-receiver, xbmc device or avm router (with FreetzMobil), only connections to the local network are required. This prevents the app from sending data to the internet.
The "local network" is all "private" IPv4 and IPv6 addresses; they will not be forwarded by internet routers. Additionally, if you use "public" IPs, they are local if they are in the same subnet as an IP of your device. Uncommon for IPv4 usage, but public IPv6 is the common usage (public IPv6 for every device)


Am I correct in assuming this is not open source?

As usual I send source only to people I know
 
  • Like
Reactions: w0rinal
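
Added example (not part of the thread and not LightningWall's own code): the "local network" rule defim describes above, written out as a classifier plus an allow/deny decision. The list of "private" ranges, the function names and the sample device addresses are assumptions made for the illustration.

```python
import ipaddress

# Ranges treated as "private" here. The post does not list them, so this set
# (RFC 1918, link-local, IPv6 unique-local) is an assumption of the example.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]


def classify(dest, device_interfaces):
    """Return "local" or "internet" for a destination address.

    device_interfaces: the device's own addresses as "addr/prefixlen" strings.
    """
    addr = ipaddress.ip_address(dest)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is judged as the IPv4
    # address it carries, otherwise it would slip past the IPv4 ranges.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Rule 1: "private" addresses are local.
    if any(addr.version == n.version and addr in n for n in PRIVATE_NETS):
        return "local"
    # Rule 2: a public address is still local when it sits in the same
    # subnet as one of the device's own addresses (the usual IPv6 case).
    for iface in device_interfaces:
        net = ipaddress.ip_interface(iface).network
        if net.version == addr.version and addr in net:
            return "local"
    return "internet"


def decide(dest, device_interfaces, rule):
    """rule maps "local"/"internet" to True (allow) or False (deny)."""
    return "allow" if rule[classify(dest, device_interfaces)] else "deny"


# Constructed sample data: 2001:db8::/32 is the documentation prefix and
# stands in for a public IPv6 prefix handed out by a router.
DEVICE = ["192.168.1.23/24", "2001:db8:1:2::23/64"]
LOCAL_ONLY = {"local": True, "internet": False}  # e.g. a TV remote-control app

if __name__ == "__main__":
    for dest in ("192.168.1.50", "10.8.0.1", "2001:db8:1:2::99",
                 "2001:db8:ffff::1", "203.0.113.7", "::ffff:192.168.1.50"):
        print(f"{dest:22} {classify(dest, DEVICE):9} "
              f"{decide(dest, DEVICE, LOCAL_ONLY)}")
```
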

an0n981

Senior Member
Jul 27, 2013
1,487
967
I took this mod for a quick test drive, a little feedback:
-Is it not possible to restrict kernel?
-Could it be that apps that use native libraries to connect to the internet cannot be restricted? Firefox and Mega (both use native libraries) were able to connect even when completely restricted.
Also a little cosmetic issue com.android.process.gapps showed completely green at all times. However restrictions were applied properly
 
  • Like
Reactions: banderos101

defim

Senior Member
Feb 18, 2012
2,744
1,489
I took this mod for a quick test drive, a little feedback:
-Is it not possible to restrict kernel?
-Could it be that apps that use native libraries to connect to the internet cannot be restricted? Firefox and Mega (both use native libraries) were able to connect even when completely restricted.
Also a little cosmetic issue com.android.process.gapps showed completely green at all times. However restrictions were applied properly

Yes, see OP: "Limitation: ... no native binaries." This is because of the design of Xposed
Isn't it "com.google.process.gapps"? Only this one app has the wrong colors? Has it a green dot for "trusted app"? What did you configure for it?
 

an0n981

Senior Member
Jul 27, 2013
1,487
967
Yes I meant com.google....
I set it from template to custom, blocked everything, however in the app overview it still showed as all green. When it was restricted GCM was blocked and the log showed blocked connections to mtalk.google.com:5228. Then I unrestricted outgoing mobile and wifi and GCM was available and the log correctly showed allowed connections but the colors in the app overview didn't change
 

defim

Senior Member
Feb 18, 2012
2,744
1,489
Version 1.0.1 uploaded
- fix "incoming" thx @w0rinal
- also an error related to coloring, @an0n981 can you check if it fixes your problem? Toggling options could be required
 

an0n981

Senior Member
Jul 27, 2013
1,487
967
- also an error related to coloring, @an0n981 can you check if it fixes your problem? Toggling options could be required

Sorry the bug is still present
Also 1 more question. Do you see any problem running this alongside AFWall?
 


an0n981

Senior Member
Jul 27, 2013
1,487
967
The bug affects any app that starts and ends with <>. <android.media> and <org.mozilla.firefox.sharedid> also always revert back to displaying completely green once the app is reloaded
 

defim

Senior Member
Feb 18, 2012
2,744
1,489
Also 1 more question. Do you see any problem running this alongside AFWall?

No, should work without problems. One creates iptables rules, the other hooks the connection methods - if one fails, the other does it :)

The bug affects any app that starts and ends with <>. <android.media> and <org.mozilla.firefox.sharedid> also always revert back to displaying completely green once the app is reloaded

The "<>" entries are not real apps (.apks) with a package name, they are uids. At app start I load all installed apps with internet-permission and hide apps which are no longer installed / no longer have the permission -> the uid items are not in the list of installed apps (obviously) :eek:
Will be fixed in next release
EDIT: Uploaded
 
  • Like
Reactions: an0n981

jaibar

Senior Member
Feb 2, 2011
1,723
1,047
Underwater, no Sh!t
picasaweb.google.com
This is awesome ?



A few questions:

- is there a way to edit template? I couldn't find it anywhere in settings- am I missing something?

- Can you add multiple selection? For example, someone has lots of apps and wants to block roaming to them etc. etc. without having to change it manually for each app.

- filtering or sorting apps? perhaps something simple like the way afwall , or a more thorough filter like XPrivacy has?

Sent from my Nexus 5 using Tapatalk
 

an0n981

Senior Member
Jul 27, 2013
1,487
967
The "<>" entries are not real apps (.apks) with a package name, they are uids. At app start I load all installed apps with internet-permission and hide apps which are no longer installed / no longer have the permission -> the uid items are not in the list of installed apps (obviously) :eek:
Will be fixed in next release
EDIT: Uploaded

Confirmed fixed
 

defim

Senior Member
Feb 18, 2012
2,744
1,489
This is awesome ?



A few questions:

- is there a way to edit template? I couldn't find it anywhere in settings- am I missing something?

- Can you add multiple selection? For example, someone has lots of apps and wants to block roaming to them etc. etc. without having to change it manually for each app.

- filtering or sorting apps? perhaps something simple like the way afwall , or a more thorough filter like XPrivacy has?

Sent from my Nexus 5 using Tapatalk

The template is used for all "blue" apps, which are not configured by the user. Modifying the template is part of the donator options (see OP).

Btw, next planned feature: detection of VPN connections
 
  • Like
Reactions: banderos101

mermaidkiller

Senior Member
Jul 25, 2011
186
14
The template is used for all "blue" apps, which are not configured by the user. Modifying the template is part of the donator options (see OP).

Btw, next planned feature: detection of VPN connections

Nice feature !
I dry tested this app (i.e. not checked in the Xposed module on my device) and already saw that the VPN was missing. Now I use AFWall+ which is good and has more profiles. I block all Google apps with it with a 'limited internet' profile and every time I download something from Play, I load another profile which allows 'Google Play services' and 'Google Play store' internet connection and after download/update I revert to 'Limited internet'.

On my Mac I have 'Little Snitch' firewall which has the ability to let it prompt for certain apps which I don't want to be connected permanently (such as the Mac App Store), but only when I do e.g. an OSX update. In that case I let it prompt and say 'only this time'.

A similar approach on LightningWall should be very welcome. E.g. a notification that the Play store wants to connect with internet and when one wants to download / update an app, say 'only this time' and not permanently.
 
  • Like
Reactions: banderos101

banderos101

Senior Member
Dec 26, 2010
1,261
374
Nice feature !
I dry tested this app (i.e. not checked in the Xposed module on my device) and already saw that the VPN was missing. Now I use AFWall+ which is good and has more profiles. I block all Google apps with it with a 'limited internet' profile and every time I download something from Play, I load another profile which allows 'Google Play services' and 'Google Play store' internet connection and after download/update I revert to 'Limited internet'.

On my Mac I have 'Little Snitch' firewall which has the ability to let it prompt for certain apps which I don't want to be connected permanently (such as the Mac App Store), but only when I do e.g. an OSX update. In that case I let it prompt and say 'only this time'.

A similar approach on LightningWall should be very welcome. E.g. a notification that the Play store wants to connect with internet and when one wants to download / update an app, say 'only this time' and not permanently.

Xprivacy implements a similar thing, allowing the user to be informed when one of the restrictions is asking for access to that permission, including internet permissions (no distinction between LAN or VPN). I would also welcome an on-demand prompt feature for this app; it's one feature I wished AFWall had, but believe it can't because of the nature of iptables, I believe.
Saying that, I'm also kinda worried that this might conflict, two apps essentially fighting for control to "pause" the system. Hope I'm wrong; maybe if the two devs of the two respective apps cooperated in implementation, it might be resolved, if there is an issue, I don't know... but I'm getting ahead of myself here, defim has not even stated that he'll implement this. Still, no harm in discussing possibilities, slim or not.
 

defim

Senior Member
Feb 18, 2012
2,744
1,489
@banderos101 @mermaidkiller If you want to be informed if an app is allowed or denied to access some hosts, you could get it with Tasker. Just with a simple message box or more enhanced things Tasker can do. It should not be a problem using this app with Xprivacy, AFWall etc. If you block a connection with one app, it could be that the others can't see/log it. This depends on the order of the apps. An iptables firewall should be the last the connection is passing.
A per host filter is not planned; if you want to stop connections to some (tracking, malware, adware) hosts, a hosts file filter could be used, like my UnbelovedHosts
 

Top Liked Posts

    4
    @Magissia: Package name, because the UID could change if you install a new row.
    @vulkahn89: Own iptables rules are not implemented (maybe later when Oreo is fully working). But the app does not remove lines not created by itself. So you could use another app which does it at startup. But why does not change it in network settings?
    @SJD Ayy: Update is planned
    3
    I'm new to all of this, so just an innocent question: does one really need a firewall on an Android device?

    If so, I'm downloading this right now!

    Tapatalk | Samsung Galaxy S4
    It's up to you if you need or want one. For example, you happen to see that your favorite torch app keeps constantly communicating outside. Now, that is sort of behavior that for the browser you probably don't mind and really want to allow internet access, but the torch? Why does it go on internet? Never mind, you can just firewall it...

    Suppose you really really don't mind all your apps accessing internet while you're in wifi, but you have limited plan on cellular data, and that torch app is eating and munching all of your quota... Firewall it and give only WiFi access.

    Traveling abroad? You may just find that your vacation cost has just doubled itself the first minute you opened the phone abroad. All of your apps sync'ing data, this may cost you a little fortune. Now, you have built in option to disable data while roaming, but I think it disables all of your data access, whereas you want to block all apps while roaming except maps, translate and email which you decided are helpful and need them in vacation. No problem, firewall is your friend.

    And it's also good for various levels of paranoia. A firewall+ XPrivacy and you start feeling the NSA/KGB/Whatever can't have a go at you. Not sure if it really helps against security agencies, but it gives you a feeling that at least you are doing something... [emoji16]
    3
    Would this app along with adaway and unbeloved installed together cause any issues?
    No, it won't. I have been using all three of them.

    Sent from my "GT-I9300/1+1" powered by Carbon Rom & Boeffla/ak Kernel
    Fueled by 7000mAh ZeroLemon Battery
    3
    Lightningwall is not listed here. What's the status, please?

    See my signature: "All my apps are compatible with Android 6."