
[APP][6.0+] NetGuard - No-root firewall

What are you mainly using NetGuard for?

  • Reducing data usage

    Votes: 434 30.5%
  • Saving battery

    Votes: 305 21.4%
  • Increasing privacy

    Votes: 774 54.3%
  • Blocking ads

    Votes: 919 64.5%

  • Total voters
    1,425

M66B

Recognized Developer
Aug 1, 2010
24,674
50,967
@M66B: Hi, unfortunately this did not solve my problem. So I returned to version 2.260 for now. But thanks for looking into it!
I like to see the debug info (Edit: by tapping 7 times on the title of 'About') with the latest version, captured right after enabling/disabling flight mode and the internet connection being restored.
 

iopdop

Member
Dec 24, 2015
9
2
In Android 10 with filtering enabled, some apps (FDroid, NewPipe) consider the connection type as mobile data when connected via WiFi. React Native's `NetInfo` module reports the correct connection type, but returns `isConnectionExpensive = true`. If filtering is disabled, FDroid/NewPipe considers it WiFi and `isConnectionExpensive = false`. Android 9 does not exhibit this behavior. Any ideas?
 

M66B

Recognized Developer
Aug 1, 2010
24,674
50,967
In Android 10 with filtering enabled, some apps (FDroid, NewPipe) consider the connection type as mobile data when connected via WiFi. React Native's `NetInfo` module reports the correct connection type, but returns `isConnectionExpensive = true`. If filtering is disabled, FDroid/NewPipe considers it WiFi and `isConnectionExpensive = false`. Android 9 does not exhibit this behavior. Any ideas?
This might be a bug in Android or maybe in the apps.

NetGuard properly sets the underlying networks on Android 6 and later as the active network, so there is little more NetGuard can do.
 

rolko

Member
Aug 22, 2017
14
1
I like to see the debug info (Edit: by tapping 7 times on the title of 'About') with the latest version, captured right after enabling/disabling flight mode and the internet connection being restored.

OK, I created two logs. The first one has been created by version 2.260 without the problem (as reference). The second one was made with NetGuard 2.263 that seems to be blocking LAN access of apps while they are disallowed to access the internet. Thanks for further investigating this! ;)
 

Attachments

  • logcat_2.260.txt
    52.8 KB · Views: 14
  • logcat_2.263.txt
    51.9 KB · Views: 20

Ines*

Senior Member
Jan 19, 2019
135
98
There seems to be a problem with the exclusion of overlapping IP ranges, i.e. 192.168.*.* for allowing LAN and the ranges for tethering.
As can be seen in the 2.263 log from @rolko, NetGuard starts to exclude 192.168.*.* (LAN), so that the next INclude must start with 192.169.0.0.
Due to wrong subsequent processing of the tethering ranges, NG tries to include 192.169.0.0...192.168.41.255 (empty) etc. and finally it wrongly includes 192.168.45.0...192.168.48.255 and 192.168.50.0...223.255.255.255.

Allowing LAN access only (which also allows tethering in 2.261+) should work properly.
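
A minimal model of the include/exclude computation discussed in this post, added here as an illustration; it is not NetGuard's code, and the function names and the exclude list (inferred from the range boundaries quoted above) are assumptions. It reproduces the wrong includes produced by a sweep that assumes excludes never overlap, and shows one possible correction next to it.

```python
import ipaddress

# Constructed exclude list: the LAN range plus the nested ranges implied by
# the include boundaries quoted in the post (x.42.0-x.44.255, x.49.0-x.49.255)
# and everything from 224.0.0.0 upwards.
EXCLUDES = [
    ("192.168.0.0", "192.168.255.255"),
    ("192.168.42.0", "192.168.43.255"),
    ("192.168.44.0", "192.168.44.255"),
    ("192.168.49.0", "192.168.49.255"),
    ("224.0.0.0", "255.255.255.255"),
]
MAX_IP = 2**32 - 1


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _fmt(lo, hi):
    return f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}"


def include_ranges(excludes, merge_overlaps):
    """Return the address ranges left over after removing the excludes."""
    result, start = [], 0
    for lo, hi in sorted((_ip(a), _ip(b)) for a, b in excludes):
        if start <= lo - 1:  # skip empty or inverted gaps
            result.append((start, lo - 1))
        # Without the max(), a nested exclude moves 'start' backwards into a
        # range that an earlier, larger exclude had already passed.
        start = max(start, hi + 1) if merge_overlaps else hi + 1
    if start <= MAX_IP:
        result.append((start, MAX_IP))
    return [_fmt(lo, hi) for lo, hi in result]


def overlapping(includes, excludes):
    """Includes that intersect an exclude; must be empty for a correct result."""
    bad = []
    for inc in includes:
        lo, hi = (_ip(x) for x in inc.split("-"))
        if any(lo <= _ip(b) and _ip(a) <= hi for a, b in excludes):
            bad.append(inc)
    return bad
```

With `merge_overlaps=False` the result contains 192.168.45.0-192.168.48.255 and 192.168.50.0-223.255.255.255, the two ranges named in the post; `overlapping()` can serve as a regression check on whatever fix is chosen.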
 

M66B

Recognized Developer
Aug 1, 2010
24,674
50,967
There seems to be a problem with the exclusion of overlapping IP ranges, i.e. 192.168.*.* for allowing LAN and the ranges for tethering.
As can be seen in the 2.263 log from @rolko, NetGuard starts to exclude 192.168.*.* (LAN), so that the next INclude must start with 192.169.0.0.
Due to wrong subsequent processing of the tethering ranges, NG tries to include 192.169.0.0...192.168.41.255 (empty) etc. and finally it wrongly includes 192.168.45.0...192.168.48.255 and 192.168.50.0...223.255.255.255.

Allowing LAN access only (which also allows tethering in 2.261+) should work properly.
How do you propose to fix this?
 

adein

New member
Sep 9, 2019
1
0
Detroit
In Android 10 with filtering enabled, some apps (FDroid, NewPipe) consider the connection type as mobile data when connected via WiFi. React Native's `NetInfo` module reports the correct connection type, but returns `isConnectionExpensive = true`. If filtering is disabled, FDroid/NewPipe considers it WiFi and `isConnectionExpensive = false`. Android 9 does not exhibit this behavior. Any ideas?

This might be a bug in Android or maybe in the apps.

NetGuard properly sets the underlying networks on Android 6 and later as the active network, so there is little more NetGuard can do.

I have this same problem. F-Droid, Google Photos, SyncThing, etc. all believe the phone is not connected to WiFi when NetGuard/filtering is enabled.

I tested the same apps using another VPN app and the issue went away with that VPN. Based on that, it seems like it's specific to either NetGuard and/or Android 10?
 

Crogonint

New member
Sep 21, 2016
1
0
I have just released beta version 2.265

It's a bit disturbing to go to the update page and see you mention that the app will be updated on the Play Store, but no mention of F-Droid. Could you kindly add a few words that it will be updated on F-Droid as soon as they get to it? (Assuming that it will?)

I don't intend to use the Play Store ever again. For the moment, I'm using Aurora Store to download when it's unavoidable, but I would just as soon not use them at all.

Just occurred to me.. Since this is a beta, should the app be detecting it as an update for the stable version??

Thank you for filling a gaping hole with this amazing app!
 

M66B

Recognized Developer
Aug 1, 2010
24,674
50,967
It's a bit disturbing to go to the update page and see you mention that the app will be updated on the Play Store, but no mention of F-Droid. Could you kindly add a few words that it will be updated on F-Droid as soon as they get to it? (Assuming that it will?)

I don't intend to use the Play Store ever again. For the moment, I'm using Aurora Store to download when it's unavoidable, but I would just as soon not use them at all.

Just occurred to me.. Since this is a beta, should the app be detecting it as an update for the stable version??

Thank you for filling a gaping hole with this amazing app!
I have no control over if and when F-Droid updates NetGuard, which is problematic when there is a critical bug fix. Therefore you are advised to use the GitHub version instead.
 

Licaon_Kter

Senior Member
Jun 9, 2015
1,756
534
It's a bit disturbing to go to the update page and see you mention that the app will be updated on the Play Store, but no mention of F-Droid. Could you kindly add a few words that it will be updated on F-Droid as soon as they get to it? (Assuming that it will?)
It gets updated rather reliably these days on F-Droid, also it had less frequent releases to begin with, nothing critical that you could have missed if delayed.
 

Top Liked Posts

  • 5
    Version 2.298 is available on GitHub now and in the Play store test program after Google's approval.

    Changelog/download:
    https://github.com/M66B/NetGuard/releases
    3
    A couple of bugs I've always noticed with the log internet access feature and I figure I might as well mention them.

    [...]

    The second issue is that the log internet access feature does not always put the DNS lookups under the correct applications. I can't explain that well nor find a pattern but when you've used NetGuard for years you notice with which domains apps connect and sometimes a straggler from another app ends up showing as communicating to a domain not associated with it. Maybe apps which use WebView would cause this oddity? I dunno
    Sorry for late reply, here is my view on your second issue.
    As a no-root app, NetGuard cannot know which DNS request was done by which app because Android resolves DNS requests on behalf of all apps.
    But NetGuard sees the DNS requests/responses (unless encrypted) and keeps domain name and IP address pairs in its cache.
    When an app connects to an IP address, the only thing NetGuard knows for sure is app <-> IP address. If there is a unique domain name for this IP address in the cache, the logged domain name is usually correct.
    But in the not so rare case of multiple possible domain names for one IP address, NetGuard just picks one (not knowing which one belongs to which app).

    In the access attempts list, an entry with a not unique domain name shows a trailing '?<number>'. If you tap on such an entry and then tap on the first (now active) menu item, NetGuard will show a list of <number> domain names: it retrieves all IP addresses (one or more) from the cache for the logged domain name and lists all possible domain names (from cache) for this/these IP address/es.

    Note that the '?' and the pop-up list generation use the current cache contents. At the time an entry was logged, the cache contents may have been very different. A now unique looking domain name (without '?') may have been not unique and vice versa. And relations domain name <-> IP address may also have been different.

    If you use the GitHub version, you can inspect the cache under Settings > Advanced options > Show resolved domain names.
    3
    Hi Ines,

    Thanks a lot for your explanations.

    Could you please detail:

    "But in the not so rare case of multiple possible domain names for one IP address, NetGuard just picks one (not knowing which one belongs to which app)."
    What are the consequences?
    In these cases you obviously may not know which domain an app really accesses. I wanted to block a lot of google-this and google-that (globally) with a hosts file and therefore I needed correct domain names ...

    Also, blocking access for App B may depend on App A:
    let A and B be 2 apps with internet access allowed. App A accesses domain a with IP 1, and app B accesses domain b with IP 1. NetGuard may log for both apps domain a. You block the logged domain a for both apps.
    When App A (B) makes a DNS request for a (b), NetGuard sees a/1 (b/1) and for apps which have the logged "domain a (b)" blocked, it blocks access to IP 1. This means, access to logged domain a by B, really domain b (= IP 1), is blocked only after app A makes a DNS request for a. But as long as a/1 remains in the cache and is not expired, a and b (i.e. IP 1) are properly blocked for A and B.

    Now, if the IP address for domain a changes, you may get a (temporary) data leak I think.
    Assume that the IP address for domain a changes to 3 and A makes a DNS request for a. Cache contains now a/1, b/1, a/3. NetGuard will block for apps with blocked "domain a" the access to IP 1 and IP 3.
    Sooner or later a/1 will expire and will be removed from the cache, blocking of IP 1 will stop. App B (hopefully) will make another DNS request for b and connect, and NetGuard will log an entry b (now unique for IP 1) in the access attempt list of B.
    Which you must block now. Blocking of logged domain a (now IP 3) for B no longer blocks B's access to domain b (still IP 1).
    The same happens if app A "disappears" and no longer makes DNS requests for domain a. Domain b will be added to B's list and must be blocked. Unless you say, oh, it is "b", do not block ...

    In reality, such problems are not very likely I think. I hope ...

    Don't worry. Just keep using NetGuard. It's the best there is.
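
The cache behaviour described in the two posts above (the trailing '?<number>' and the a/1, b/1, a/3 sequence), as an added toy model; this is not NetGuard's code. The class and function names, the example domains and addresses, the TTL values and the "first by name" pick are assumptions made for the illustration.

```python
class DnsCache:
    """Toy model of the domain name / IP address cache (not NetGuard code)."""

    def __init__(self):
        self.expiry = {}  # (domain, ip) -> time at which the pair expires

    def observe(self, domain, ip, now, ttl):
        self.expiry[(domain, ip)] = now + ttl

    def purge(self, now):
        self.expiry = {k: t for k, t in self.expiry.items() if t > now}

    def domains_for(self, ip):
        return sorted(d for d, i in self.expiry if i == ip)

    def ips_for(self, domain):
        return {i for d, i in self.expiry if d == domain}


def logged_name(cache, ip):
    """Name shown for a connection to ip, with '?n' when it is not unique."""
    names = cache.domains_for(ip)
    if not names:
        return ip
    picked = names[0]  # assumption: "just picks one" modelled as first by name
    # Candidates: every cached name for every cached IP of the picked name.
    shared = {d for i in cache.ips_for(picked) for d in cache.domains_for(i)}
    return picked if len(shared) == 1 else f"{picked}?{len(shared)}"


def is_blocked(cache, blocked_domains, ip):
    """A domain rule only covers the IP addresses currently cached for it."""
    return any(ip in cache.ips_for(d) for d in blocked_domains)


def scenario():
    """Constructed timeline for app B, whose rule blocks the logged 'a.example'."""
    cache, rule_b, shared_ip, seen = DnsCache(), {"a.example"}, "192.0.2.1", []
    snapshot = lambda: (logged_name(cache, shared_ip), is_blocked(cache, rule_b, shared_ip))
    cache.observe("a.example", shared_ip, now=0, ttl=60)        # app A resolves a
    cache.observe("b.example", shared_ip, now=0, ttl=300)       # app B resolves b
    seen.append(snapshot())
    cache.observe("a.example", "198.51.100.3", now=30, ttl=60)  # a moves to a new IP
    seen.append(snapshot())
    cache.purge(now=61)                                         # a/192.0.2.1 expired
    seen.append(snapshot())
    return seen
```

The last snapshot is the state the post warns about: the shared address is now logged under `b.example` only, and the rule on `a.example` no longer covers it until `b.example` is blocked as well.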
    1
    There will be a reload now when "notify_access" (global notify on/off) is changed and when "notify" of a rule (app) was changed there was already a reload.

    What am I missing? What should be changed?
    Let's assume app logging is off and notification access is off, everything works as expected: mapNotify is empty but logging is off -> no access notifications (okay).
    Now, access notifications remain off and app logging is switched on. No reload is done on 'enable app logging' so mapNotify remains empty. This wrongly produces access notifications since mapNotify is still empty but logging is now on.
    And only a following reload for another reason will resolve this.
    1
    This should be more than sufficient I think.
    A filled mapNotify is needed whenever app logging is on. So the minimum is:
    reload when notify_access is changed (log_app is necessarily true then) OR when log_app is turned on.

    If log_app is turned off, the content of mapNotify does not matter, so no reload necessary. But who cares ...
  • 345


    NetGuard provides simple and advanced ways to block access to the internet - no root required.
    Applications and addresses can individually be allowed or denied access to your Wi-Fi and/or mobile connection.

    Blocking access to the internet can help:
    • reduce your data usage
    • save your battery
    • increase your privacy

    Features:
    • Simple to use
    • No root required
    • 100% open source
    • No calling home
    • No tracking or analytics
    • No advertisements
    • Actively developed and supported
    • Android 5.1 and later supported
    • IPv4/IPv6 TCP/UDP supported
    • Tethering supported
    • Optionally allow when screen on
    • Optionally block when roaming
    • Optionally block system applications
    • Optionally forward ports, also to external addresses (not available if installed from the Play store)
    • Optionally notify when an application accesses the internet
    • Optionally record network usage per application per address
    • Optionally block ads using a hosts file (not available if installed from the Play store)
    • Material design theme with light and dark theme

    PRO features
    • Log all outgoing traffic; search and filter access attempts; export PCAP files to analyze traffic
    • Allow/block individual addresses per application
    • New application notifications; configure NetGuard directly from the notification
    • Display network speed graph in a status bar notification
    • Select from five additional themes in both light and dark version

    There is no other no-root firewall, except for clones, offering all these features.

    This XDA thread is about using the latest version of NetGuard.
    Off topic comments are allowed as long as they are related to NetGuard and are in the general interest of the followers of this thread.

    Discussion of purchases is not allowed here, please contact me via here instead.

    NetGuard is being maintained and supported, but new features won't be added anymore.

    For ad blocking, see here. Ad blocking is provided "as-is".

    XDA:DevDB Information
    NetGuard, App for all devices (see above for details)

    Contributors
    M66B
    Source Code: https://github.com/M66B/NetGuard/


    Version Information
    Status: Stable

    Created 2015-10-25
    Last Updated 2020-03-11
    25
    25
    I have just released stable version 2.39.

    Changelog/download
    https://github.com/M66B/NetGuard/releases/tag/2.39

    This version will be available in the Play store after Google's approval.

    Usage data sharing has been removed from this version.

    The future of this project depends on the general support for this project. You can for example write something positive here or in the Play store, press the thanks button, donate something, purchase a pro feature or contribute translations or source code.
    17
    I have just released beta version 2.268

    Changelog/download:
    https://github.com/M66B/NetGuard/releases

    This version adds a setting for a domain name to use to validate the internet connection. The default is www.google.com. You could for example change this into www.opendns.com.
    17
    I have just released beta version 2.21.

    Changelog/download:
    https://github.com/M66B/NetGuard/releases/tag/2.21

    This version will be available as beta version in the Play store after Google's approval.