skullone / android_firewall Goto Github PK

on cm9 the root user is used to do the dns lookup, therefore 53/udp shouldn't be allowed for every user.

I used this ftp server https://play.google.com/store/apps/details?id=lutey.FTPServer on my HTC One. Transfer binary data was failed when firewall is on :(

My list of allowed apps always changes after I install a new ROM and restore my apps from backup.

It seems as if the config is written down with respect to some internal IDs, which are no longer the same after a new ROM + app restore. Thus I get the same number of rules, but the rules often point to a different set of apps.

I realize that most users do not install ROMs often, but for those of us that do, I wonder if something can be done please? Thank you for your time and for this very useful app.

This is being worked on.

It will be good to have the rules concerning concrete wi-fi networks and vpns and some mechanism to make logic.
For example i have a trusted network A and trusted vpn B.
And i want to make some apps (in particular that ones that don't use encryption) not to have internet access unless (we are connected to A OR we use VPN B)

This will not be added to AF directly. The reason for this is Tasker supports that functionality already. With the Tasker plugin you can easily have Tasker set a specific profile when the device connects to a specific SSID. So when you connect to your Mobile Hotspot the profile with the specific rules you want to use will automatically be applied.

The app "Don't grill me!" isn't appearing in the list. Maybe because of the quote or exclamation mark?

Link:
https://play.google.com/store/apps/details?id=com.jb.dont.grill.me

I configured my device to connect to adb over wifi using this method:
forum.xda-developers.com/showthread.php?t=1685736
The firewall blocks, even when enabling kernel and root apps.

The application works when WCDMA (3G) network mode is selected but doesn't block the connections when GSM (2G) mode is selected.

Hello Skullone,

I am wondering if you could please add the option to select "Foreground Only" for an app in Android Firewall?

Thanks a lot for your work.

LaurentZG

Here's the setup:

I use android firewall in conjunction with smart app protector to control the medium of which internet is accessed. So one can only access chrome on wireless and not on the 3/4g radio. So Android firewall controls the rules and smart app protector keeps the user from changing the rules.

It was an unfortunate discovery that one could disable the firewall through the widget :(. Could it be possible to allow/disable the use of the widget through the android firewall app. That way the widget can stay disabled and the smart app protector can keep the user from accessing the rules?

If this doesn't make sense, let me know. Thanks for an awesome app.

First, please let me compliment you on a fine product. Thanks!

Next, I had the unfortunate incident where having my VPN enabled, my WiFi connection was dropped, falling back to LTE. While roaming (at $6/MB, boo), I was downloading an audiobook while eating dinner. While the firewall technically worked (i.e. on the "VPN" connection was used to download the audiobook), I am much poorer as "VPN via WiFi" and "VPN via Data" are not able to be distinguished.

$6,000.00 later (yea..), I am wondering if it is possible to implement such a feature - i.e. to distinguish VPN over WiFi or Data.

Also - $0.99 in your donate app doesn't seem appropriate to what this can save me next month when traveling - Murphy's Law, and all that..

May I, and how might I, make a contribution towards your project, as well as this feature implementation?

The help link for the external script dialog is not available.

Hi,

Just installed your application, i got a third 'interface', Wifi, Data and Rcam... what is this Rcam interface/column ?

• Could be a good idea to propose the import of DroidWall in case it is detected...

Bye,

1st post here. So a sh*t ton of apps, but lots of extensions, built-ins, experimentals, etc. Anyway sorry of point. When scrolling either way without a filter on (all apps showing,) I get a predictable freeze when scrolling at about half-way through the list. However I get the same problem with AFWall+. (I'll be posting there as well.)

Great app though. Did buy the donate version. Thank you for your hard work and dedication. Marvelous yea/nea to internet access at all.

Hi,

Logging is not working, and I have found a couple of places in Api.java that causes this:

Please note!!!
I don't have a build environment, so I cannot build it and test it, but it should fix the issue for most people (that has LOG support anyway)

Line 300:
Removed -m limit match. My kernel supports LOG, but not limit match, and thus the whole line fails, resulting in no logging.
Perhaps it should be made optional via some "Limit logging" option? This limit match was not in the original Droidwall, but I guess you must have had a reason to implement it. :)

Line 491:
Same as line 300, but for ipv6

Line 1019:
'grep [Android Firewall]' results in "grep: Firewall]: No such file or directory" - thus no display of logging.
command should be:
'grep "[Android Firewall]"'

Need quotes because of the space. Alternatively escape the space, and leave out the quotes. The square brackets need to be excaped for grep to match them properly.
I "double escaped" the whole thing in the code. This change is made from the top of my head, and should be tested.

Line 1037:
Log does not contain [DROIDWALL] anymore. No logging will show. Fixed it to the new prefix.

Thank you for picking up the work on this great app. :-)

--- src/com/jtschohl/androidfirewall/Api.java.orig  2013-03-02 10:30:42.000000000 +0100
+++ src/com/jtschohl/androidfirewall/Api.java   2013-03-05 20:41:33.348188301 +0100
@@ -297,7 +297,7 @@
            if (logenabled) {
                script.append(""
                        + "# Create the log and reject rules (ignore errors on the LOG target just in case it is not available)\n"
-                       + "$IPTABLES -A droidwall-reject --m limit --limit 750/min -j LOG --log-prefix \"[Android Firewall] \" --log-level 4 --log-uid\n"
+                       + "$IPTABLES -A droidwall-reject -j LOG --log-prefix \"[Android Firewall] \" --log-level 4 --log-uid\n"
                        + "$IPTABLES -A droidwall-reject -j REJECT || exit 29\n"
                        + "");
            } else {
@@ -488,7 +488,7 @@
                    if (logenabled && ipv6enabled) {
                        script.append(""
                                + "# Create the log and reject rules (ignore errors on the LOG target just in case it is not available)\n"
-                               + "$IP6TABLES -A droidwall-reject --m limit --limit 750/min -j LOG --log-prefix \"[Android Firewall] \" --log-level 4 --log-uid\n"
+                               + "$IP6TABLES -A droidwall-reject -j LOG --log-prefix \"[Android Firewall] \" --log-level 4 --log-uid\n"
                                + "$IP6TABLES -A droidwall-reject -j REJECT || exit 76\n"
                                + "");
                    } else {
@@ -1016,7 +1016,7 @@
        try {
            StringBuilder res = new StringBuilder();
            int code = runScriptAsRoot(ctx, scriptHeader(ctx)
-                   + "dmesg | $GREP [Android Firewall]\n", res);
+                   + "dmesg | $GREP \"\\[Android Firewall\\]\"\n", res);
            if (code != 0) {
                if (res.length() == 0) {
                    res.append("Log is empty");
@@ -1034,7 +1034,7 @@
            final HashMap map = new HashMap();
            LogInfo loginfo = null;
            while ((line = r.readLine()) != null) {
-               if (line.indexOf("[DROIDWALL]") == -1)
+               if (line.indexOf("[Android Firewall]") == -1)
                    continue;
                appid = unknownUID;
                if (((start = line.indexOf("UID=")) != -1)

Currently investigating reports of this issue. Mobile Data limit does not break my Galaxy Nexus (toro) so further information is needed.

I know this is a bug that belongs to Android 4.2.x or 4.x. What is the problem that no app could show the log in this Android versions? For a firewall this is an essential feature!
Please fix it! I have bought your app already.

Sorry if I misunderstood the way Android Firewall is meant to work.

Expected Behavior: In addition to allowing full access per applications, also be able to allow/deny individual connections per app. For example allow access for app XYZ but deny it from being able to connect to ad server ABC.

I cannot find this functionality in Android Firewall.

when I enable the firewall rules the phone freezes then reboots. If I don't disable wireless conectection immediately after it boots-up it will freeze an reboot again.

Phone information:
Samsung Galaxy S4 - SPH-L720
rooted and unlocked
android 4.2.2
kernel 3.4 0-953334
Baseband MF9

What are the rules or advised configuration to allow OpenVpn but prevent applications that are blacklisted? Using the official OpenVpn Connect client, connecting to various predefined vpn servers.

When using current (as of 2013-05-03).

It looks like you can only see the uids of the processes running as your user (which makes sense), when you switch user space the new rule-set is not applied. Meaning programs can go online after user switch, that shouldn't.

Eventually when you switch user a couple of times and start the app, it dies under you. I can't yet see a pattern of when it happens.

I'm not sure if the rule-set apply can be fixed without making a service to see the user space "hibernate"/"resume" which it looks like when you switch user. (usb debugging with "adb shell", gets disconnected when switching user)

Whenever I enable the firewall, I get a significant increase in data usage of "Android OS". I use Android Firewall in Whiteliste mode on a Nexus 4. Tested with several versions of Cyanogenmod (10.1 to 11).
Data usage of "Android OS" increases with phone usage. Without Firewall enabled, I usually get less than 500 kb a day, with Firewall enabled it's several MB (with the same amount of phone usage, checking mail and a few news apps several times a day).

I have ipv6 enabled in settings, on an ipv6 network.

ip6tables shows the rule tables and basic flow rules are created but no per-uid rules are created.

t-mo galaxy s3, rooted factory.

j

I am using SSH to connect from my phone to my server and I would like to route all off-device network traffic through that connection. To do this, I am using SSH Persistent Tunnels (SPT) with dynamic forwarding (acts as a SOCKS proxy). I then configure the applications so that they route their traffic through this proxy.

In this situation, I would like to use Android Firewall (AF) to block all of my external ports and prevent any traffic from applications that does not flow through SSH. However, it I use AF to block access to WiFi and 3G, it also seems to block access to localhost, and so to SSH.

Is there a way short of writing and importing my own rules to turn off the restriction on traffic to localhost?

I just purchased and installed “Android Firewall Elite” and now realize it is far more complex to activate than I anticipated. In addition to notifying me that it is disabled because it does not have “root access”, I have no idea what rules to activate, or which boxes to check on the “Mode” page (i.e. should all apps be checked on white list...and what about “kernel”, “root” and “apps” vs. WiFi, Data, and VPN??? Admittedly, I have no clue which boxes to check! Far too much knowledge required for a paid app. I found it difficult to access any assistance. Could you please provide some guidance? I think it would be advisable to have the app be more intuitive for neophytes like me, or else to provide warnings that it requires more advanced knowledge to appropriately activate. I also have Hotspot Shield (VPN Security) installed, which did not require anything beyond basic knowledge to activate. Is the “no root access” related to VPN app? Thank you in advance for any guidance you can provide.

after updating to latest version in Google Play firewall isn't working anymore
using black list, but apps block with previous version can now talking to internet :-(
after reinstalling old version all working well, applications are blocked successfully

using Samsung Note II (N7100) with stock rom 4.1.2

Hello!
Please, add string for ("Do you want to delete the file " + file) message, for complete GUI translation.
Thank you for great work!

Applications rules are doubled , some apps are unable to access internet (such as youtube (partly - list of videos is loaded, videos arent loaded) ). This can be fixed by removing android firewall data and setting new list of rules from scratch.

OS: Android 4.0.4 rooted
Android Firewall: v 2.3.4

Firewall doesn't block anything, but all begins good - root permission granted, succesfully accepts config and rules changes, can turn on\off firewall.
When I tried to send bug-report it displayed error message about "ifconfig".

By the way, another firewalls for android didn't work too:
"AFWall+" displays iptables error on switching firewall ON.
"Root Firewall" displays error on applying any rule:

"Error applying iptables rules. Exit code: 2
iptables v1.4.10: can't initialize iptables table 'filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded."

It's a problem in OS Android on my device? Please, explain how can I fix it?

best regards, Kartataigoo.
(sorry for my bad english)

There is a similar project. Maybe you both can work together and create one wonderful firewall...
https://github.com/ukanth/afwall/

Weird behavior displayed when both are running (SSHtunnel in global proxy mode) either of these happen :

1. apps do not have access to the internet whatsoever
2. apps can access the internet but are not tunneled through ssh

Similarly, for individual app tunneling mode, I get this behavior for the selected apps.

If either of the apps is running alone, they work correctly. I assume this requires a similar fix to what openvpn did before, but I don't think I can figure it out myself :(

Setting VPN enabled in the firewall does not seem to change anything.

If you makes changes to the rules and then hit the back key to leave the app you get a message that changes have been made. If you click Apply it applies the rules but doesn't exit the app. If you click Discard the app backs out but doesn't close.

There is source code for these projects in external/ but it needs refreshing as they don't build as they are and the documentation is non-existent.

I know this was to have been fixed with issue 31 but I'm seeing logs that are empty on my HTC One S (tmo)
I started having this problem with droidwall after the latest update from tmo and thought it might be a dw problem given how long it's been since that app has been updated.
I learned of af today but it has the same issue.
The app appears to be working fine otherwise

DroidWall has the APK for direct download for those of us without GApps. Is the Android Firewall APK available for direct download somewhere? Thanks!

Hi there,

I'm using bluetooth-teathering to teather my Wifi or 4G connection from my mobile phone to my tablet.
On my tablet, this bypasses any firewall-rules, because a new interface is created, called "bnep0". ("bnep0" is a PAN Interface for bluetooth)

It would be nice to have an option to choose, on which interfaces the rules are applied. For example, if you block an application for VPN, it is also blocked for bnep0.

The "droidwall" chain matches the ppp+ interface for BOTH the droidwall-3g and droidwall-vpn chains. Since all rules end in a RETURN, this means that if your cellular radio shows up as ppp0 (as it does on a Samsung Epic 4g running CyanogenMod 10.1.2) and you're using a white list (the default), then any app which is permitted to use a data connection but denied the use of a VPN connection (or vice versa) will be denied access to both.

Note that it looks like this behavior probably effects other interface pairs (for example, eth+ shows up in a couple of places), but I haven't tested these.

I'm honestly not sure if there's a good way to fix this. More fine-grained interface matching might work, but this is probably going to be REALLY device-specific. Another option might be to add some logic that tries to deduce which interfaces are in use (and what connections they correspond to), but that detection will probably need to be re-run every time the network changes and may still very well require device-specific code.

At the very least, there probably needs to be some kind of warning message about these sorts of conflicts.

There needs to be application shortcuts to activate each profile and enable or disable the firewall.

This way profiles can be switched automatically with tools like llama or MacroDroid.

New app Network log revealed kernel and root connecting despite only playstore and download manager being whitelisted.
Android firewall appears to be working normal otherwise.

Screenshot: http://imgur.com/a/eNeYZ#0

This is on Galaxy Note7000
4.1.2 UltimateXXLSZ JB ROM

Id love to find out if this ROM specific or goes deeper, in any case quite concerning.

Thank you.

Hi all,
just installed AdBlock Plus to disable some ads
after set the proxy of adblock plus localhost:2020 every block app are now allowed to access the internet...it seems the android firewall is not working now.

1. without proxy of AdBlock Plus, android firewall works fine.
2. with the proxy of AdBlock Plus, every app access the internet through the proxy(i think).

eh well, i need to learn the script from droidwall

i hope you could add the situation when people use proxy :)

Hello,

my device is a Motorola Razr i with Android 4.1.2, Root and CWM-Recovery. The problem is, that some apps/synchronisations aren't blocked: Firewall is on in whitelist-mode, no apps aren't allowed for Internet. Anyway it is possible, that this synchronisations under my Google-account are funcional: "Browser", "App Data", "GooglePlay Books".

Thanks and sorry for may bad english!

Dear Berns.

I have checked only whantsap has enabled to connect in a 3g net, and i set that all the others applications to connect only through wifi, when I see the programs that was consumed data today I can see google+ and facebook
I have a limit by day and when it is close to te 40% it disconnect the 3g, after that I go to the android firewall and press the button to run the rules again... after that some times stop the 3g use some times not, but always after a wile it stop working and let the Internet run free. what you recommend me to do to help you to find which is the the problem?

Hello,

the superuser-app from Clockworkmod isn't listet in the app-list. I have a rooted razr i with android 4.1.2.

Can you say why?

Thanks!

Dear Berns

Android firewall seems to forget the settings for specific apps periodically. I believe this happens after reboot. Also this only seems to happen to specific apps avery time.
I have exported the settings and import them every time I notice an error, but this is a temporary fix. I've also seen people complaining about this issue in some forums but no solution was suggested by anyone.
I'm using a SGSII with stock JB 4.1.2.

Thanks for taking on this project. I've got custom iptable rules configured in DroidWall. If I install Android Firewall, will it preserve these custom rules, along with all the existing rules set in the DroidWall app? Also, you might consider providing a brief explanation of this in the app description on the Google Play page. It took some work for me to find where to ask this question.

I have noticed that my News and Weather Home widget retrieves information from the network on startup. I suppose this has to do more with the Android startup process. It would seem rational to wait for iptables to be up before starting any other processes.

Do you know of any way this can be achieved? It looks like a big security problem with any applications that are set to execute on startup. The workaround would be to disconnect from the network before shutting down/rebooting and make sure autoconnect is off. A general mechanism to control the startup process would be much better.

Thank you for Android Firewall, by the way.