EthACKdotOrg / orWall

Put your apps behind Orbot, and block all unwanted traffic in one row.
https://orwall.org/
GNU General Public License v3.0

Apps can't connect to anything on orWall 0.16+ #29

Closed hxe closed 10 years ago

hxe commented 10 years ago

https://github.com/EthACKdotOrg/orWall/issues/24#issuecomment-53198088 So I've been using 0.15 since, like I said, 0.16 and 0.17 would keep complaining about the bootup rules, and whether I chose 'dismiss' or 'apply bootup rules', nothing would work. The popup keeps coming even after reboots. I updated to 0.18 this morning, and same problem. It also seems to try doing a lot of things the first time I open it on each boot, because I get tons of superuser popups for orWall, even if I choose to dismiss the bootup rules popup, so I think it still tries something.

Samsung Galaxy S4 (GT-I9505), Android 4.3 (CyanogenMod 10.2), orWall 0.18-beta

```
iptables -vnL
Chain INPUT (policy DROP 1 packets, 617 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1072 68543 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10064 ctstate NEW,RELATED,ESTABLISHED /* Allow Orbot inputs */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* Allow related,established inputs */

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 oem_fwd    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 fw_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 bw_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 natctrl_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 96 packets, 6048 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 accounting_OUT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10064 tcp dpt:9030 /* Forward Directory traffic to accounting */
 1074 68671 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10064 ctstate NEW,RELATED,ESTABLISHED /* Allow Orbot outputs */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            127.0.0.1            owner UID match 0 ctstate NEW,RELATED,ESTABLISHED udp dpt:5400 /* Allow DNS queries */

Chain accounting_IN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 bw_INPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 bw_INPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain accounting_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 bw_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 bw_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain bw_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain bw_INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! quota globalAlert: 2097152 bytes
   62 14405            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner socket exists

Chain bw_OUTPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! quota globalAlert: 2097152 bytes
   71  6473            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner socket exists

Chain costly_shared (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 penalty_box  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain fw_INPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain fw_OUTPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain natctrl_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain oem_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain oem_out (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain penalty_box (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10077 reject-with icmp-net-prohibited
```

```
iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 1 packets, 617 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14  5469 oem_nat_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 96 packets, 6048 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10064 /* Orbot bypasses itself. */
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10087
   20  1200 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10064 /* Orbot bypasses itself. */
   10   703 REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 0 udp dpt:53 /* Allow DNS queries */ redir ports 5400
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0           !127.0.0.1            tcpflags: 0x17/0x02 owner UID match 10054 /* Force org.adaway through TransPort */ redir ports 9040
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0           !127.0.0.1            tcpflags: 0x17/0x02 owner UID match 10055 /* Force org.mariotaku.twidere through TransPort */ redir ports 9040
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0           !127.0.0.1            tcpflags: 0x17/0x02 owner UID match 10056 /* Force net.osmand.plus through TransPort */ redir ports 9040
    2   120 REDIRECT   tcp  --  *      *       0.0.0.0/0           !127.0.0.1            tcpflags: 0x17/0x02 owner UID match 10062 /* Force com.eddypcz.dnschanger through TransPort */ redir ports 9040
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0           !127.0.0.1            tcpflags: 0x17/0x02 owner UID match 10063 /* Force net.andchat through TransPort */ redir ports 9040
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0           !127.0.0.1            tcpflags: 0x17/0x02 owner UID match 10077 /* Force org.videolan.vlc through TransPort */ redir ports 9040
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0           !127.0.0.1            tcpflags: 0x17/0x02 owner UID match 10079 /* Force info.guardianproject.otr.app.im through TransPort */ redir ports 9040
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0           !127.0.0.1            tcpflags: 0x17/0x02 owner UID match 10084 /* Force org.mozilla.firefox through TransPort */ redir ports 9040
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0           !127.0.0.1            tcpflags: 0x17/0x02 owner UID match 10086 /* Force org.fdroid.fdroid through TransPort */ redir ports 9040
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0           !127.0.0.1            tcpflags: 0x17/0x02 owner UID match 10087 /* Force com.Mata.YTplayer through TransPort */ redir ports 9040
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0           !127.0.0.1            tcpflags: 0x17/0x02 owner UID match 10088 /* Force com.danvelazco.fbwrapper through TransPort */ redir ports 9040
    4   240 REDIRECT   tcp  --  *      *       0.0.0.0/0           !127.0.0.1            tcpflags: 0x17/0x02 owner UID match 10092 /* Force jp.naver.line.android through TransPort */ redir ports 9040
    1    60 REDIRECT   tcp  --  *      *       0.0.0.0/0           !127.0.0.1            tcpflags: 0x17/0x02 owner UID match 10094 /* Force com.whatsapp through TransPort */ redir ports 9040
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0           !127.0.0.1            tcpflags: 0x17/0x02 owner UID match 10095 /* Force dentex.youtube.downloader through TransPort */ redir ports 9040
    0     0 REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 0 udp dpt:53 /* Allow DNS queries */ redir ports 5400

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   53  3341 natctrl_nat_POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain natctrl_nat_POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain oem_nat_pre (1 references)
 pkts bytes target     prot opt in     out     source               destination
```

(How do I use spoiler boxes?)

cjeanneret commented 10 years ago

Hello,

Yep, there was a nasty bug in 0.16; that's why I pushed 0.17 a few hours after 0.16.

Just a few small questions regarding your Android:

From what I can see in your rules, the "witness" chain is missing, which makes the pop-up appear. But this pop-up should not appear if your Android doesn't support init scripts, so there's probably a mix-up in this part.

Cheers,

C.

cjeanneret commented 10 years ago

Oh, and also: Android 4.3.x doesn't have the super-update that makes all DNS queries go through some caching proxy… THAT explains why you don't have network anymore.

~> I'll push a new release shortly in order to re-add the dns redirect.

hxe commented 10 years ago

Well, my problem relates to 0.16+, so 0.17 and 0.18 included right now. And how would I check if my Android supports init scripts? I'm guessing it does, because /system/etc/init.d contains: 00banner 50selinuxrelable 90userinit 91firewall

And I guess I should also update CyanogenMod soon for that 4.4 Android.

hxe commented 10 years ago

I've updated to Android 4.4.2. Should I update orWall to 0.18 now, or wait for the next update?

cjeanneret commented 10 years ago

It would be interesting to give 0.18 a try. It should provide connectivity.

It would also be interesting to see why orWall cannot push its init script. What Android "flavour" are you using?

hxe commented 10 years ago

https://img.bi/#/LrJnFRt!S74VWHuHqaeYr3dXH7dSejJiYX9xgCNa3vzahny5

And I just updated orWall. Should I open orWall first (it will probably give that notice), or should I reboot first and then open orWall?

cjeanneret commented 10 years ago

Heya!

You should start the app in order to ensure it migrates the configuration to SQLite. It should also install the init script… hopefully.

Once it's done, you may reboot.

hxe commented 10 years ago

Still the same problem. Had to downgrade to 0.15 again.

cjeanneret commented 10 years ago

Weird… any chance you have something else playing with iptables? Some chains in your output don't seem to be "stock chains"…

CM 4.4.4 on a Nexus 4 here works like a charm, as does a Nexus 7 with SlimKat, and an HP Slate 7 with rooted stock 4.1.1…

hxe commented 10 years ago

Nothing else should be doing it. I've tried it both with Orbot set to use its own iptables and with Orbot using the built-in iptables. AFWall isn't installed. I don't know. What changed after 0.15? Why does it work fine until that update? I will do some more tests and paste the iptables output as it currently is, as it is with the latest orWall, and as it is without orWall at all.

cjeanneret commented 10 years ago

Before 0.16, there were some generic rules allowing all apps to connect to localhost on the Orbot ports (SOCKS, transproxy and DNS). There were also per-app rules for DNS, until I found out that on my systems something else was making ALL DNS queries come from UID 0 instead of the app.

0.16 was broken, don't try it. Basically, it removed the generic rules in order to provide a more secure way to filter apps, ensuring only the ones you select can go through transProxy. You may be interested in the following commits: ae43a83d4d520937eff6a799b85fec1005c642a5 0c8cfd4b3a5e49b6d90e2db3e45304c8f4ce94ae

0.17 was a correction for 0.16, still with the same rules (modulo 1-2 corrections). It might have been called 0.16.1 in fact ;).

0.18 moved NAT preferences to SQLite in order to provide better support for coming features.

0.19 WILL (not yet released) add back DNS rules based on app UID, which were removed in 0.16 due to the UID 0 stuff. The current 0.19 candidate works on my Android 4.1.1. I still have to test it on a more recent version (4.4.4).

Current status on my different devices: 0.18 works on all of them (4.1.1, 4.4.4 CM and 4.4.4 SlimKat); 0.19 was tested successfully on 4.1.1 and still needs tests on 4.4.4.

I'll also try:
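The two rule styles described above (0.15-style generic localhost access versus 0.16+ per-UID filtering), as an added illustration that is not orWall's own code. Port numbers and UIDs are taken from the listing earlier in the thread; the per-UID filter ACCEPT rules at the end of the loop are an assumption of this illustration, not a statement about what orWall installs.

```shell
#!/bin/sh
# Added illustration of the two rule styles cjeanneret describes (0.15 "generic
# localhost" rules vs 0.16+ "per-app" rules). This is not orWall's own code.
# IPTABLES defaults to a dry run that only prints the commands; on a rooted
# device you would run it as root with IPTABLES=/system/bin/iptables.
IPTABLES="${IPTABLES:-echo iptables}"

TRANS_PORT=9040   # Orbot TransPort, as in the nat OUTPUT listing above
DNS_PORT=5400     # Orbot DNSPort, as in the listing above

# 0.15 style: any app may reach Orbot's local ports. Selected apps are redirected
# there by NAT, but nothing stops an unselected app from using them directly,
# so the filter table does not enforce the selection.
generic_localhost_rules() {
    $IPTABLES -A OUTPUT -d 127.0.0.1 -p tcp --dport "$TRANS_PORT" -j ACCEPT
    $IPTABLES -A OUTPUT -d 127.0.0.1 -p udp --dport "$DNS_PORT" -j ACCEPT
}

# 0.16+ style: default DROP; only Orbot and the selected UIDs get through.
# $1 = Orbot's UID (10064 in the listing), remaining args = selected app UIDs.
per_app_rules() {
    orbot_uid="$1"; shift
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    # Orbot itself may talk to the network; replies to it are allowed back in
    $IPTABLES -A OUTPUT -m owner --uid-owner "$orbot_uid" \
        -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Orbot bypasses the NAT redirects (it must reach the Tor network directly)
    $IPTABLES -t nat -A OUTPUT -m owner --uid-owner "$orbot_uid" -j RETURN
    # The thread describes newer Android sending all DNS as UID 0, hence the
    # UID 0 redirect that also appears in the listing above
    $IPTABLES -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 0 \
        -j REDIRECT --to-ports "$DNS_PORT"
    for uid in "$@"; do
        # Only new TCP connections (SYN) are redirected, i.e. tcpflags 0x17/0x02
        $IPTABLES -t nat -A OUTPUT -p tcp ! -d 127.0.0.1 --syn \
            -m owner --uid-owner "$uid" -j REDIRECT --to-ports "$TRANS_PORT"
        $IPTABLES -t nat -A OUTPUT -p udp --dport 53 \
            -m owner --uid-owner "$uid" -j REDIRECT --to-ports "$DNS_PORT"
        # Assumption for this illustration: redirected packets still carry the
        # app's UID, so the filter OUTPUT chain must accept them per UID, or the
        # DROP policy eats them and they show up as "OUTPUT DROP" in dmesg.
        $IPTABLES -A OUTPUT -d 127.0.0.1 -p tcp --dport "$TRANS_PORT" \
            -m owner --uid-owner "$uid" -j ACCEPT
        $IPTABLES -A OUTPUT -d 127.0.0.1 -p udp --dport "$DNS_PORT" \
            -m owner --uid-owner "$uid" -j ACCEPT
    done
}

# Dry run for Orbot UID 10064 and the Firefox UID 10084 from the listing above.
per_app_rules 10064 10084
```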

patcon commented 10 years ago

@hxe I realize it's a pain, but what about diffing the iptables outputs between 0.15 and 0.16, then installing 0.15 and using adb shell to manually add each iptables change until things start working? Then work backwards to find out why that specific thing changed.

cjeanneret commented 10 years ago

"Should" work with 0ac57f0137784549d9ccdec5b125bb609ae46225 — will be integrated in the next release, probably Sunday; I have some tests to do with the code refactoring I made.

cjeanneret commented 10 years ago

Release is out. @hxe, mind testing it with your setup?

hxe commented 10 years ago

Installed 0.19. Still having pretty much the same problems; orWall acts very weird. Going to get the iptables output of my device without orWall, with 0.15, and with 0.19, and compare.

hxe commented 10 years ago

OK, here's what I did:

Uninstalled the init script and orWall, ran iptables -F, rebooted. iptables of the device without orWall: http://0bin.net/paste/3E-QOTwKvwR9LtY5#TzZpZ273QtEHxTB9yu+bYJgn4fxN3bbqxI4Sfm6LOOQ

Then installed orWall 0.15, ticked browser, Firefox, Twidere, rebooted. iptables of the device with orWall 0.15: http://0bin.net/paste/Hkn0mcrvIpodFyuC#x6rchircKwSLzB1E7FSCLOvOwP8vtzvqjz+ZIVl5NOi (this version works well, selected apps go through Tor)

Then I uninstalled the init script and orWall 0.15, ran iptables -F, rebooted, then installed orWall 0.19, ticked browser, Firefox, Twidere, rebooted. iptables of the device with orWall 0.19 (after rebooting, before opening orWall again): http://0bin.net/paste/897gcXhOuIbKIuDf#H6k6B7ycpb1wFkmPR1eIQNjmKyVZtJdCBJZVjXaBU3G (this version seems to work a bit better than 0.16-0.18. Most apps seem to go through Tor [usually]. Firefox is the only exception, it won't work at all. I didn't open the app yet because it would ask to apply the boot rules again; I wanted to see the difference in iptables after doing that)

Then opened the app, it asked to apply the rules, I applied them. iptables of the device with orWall 0.19 (after rebooting, after opening orWall again): http://0bin.net/paste/ReE9WeuwzC6dZgM2#NHDyfVT7DFPZz1ywP1BqZmJyPc91WIxB7nx03xJphqO (after applying the rules, which orWall asks to apply every single time the app is opened, nothing at all works anymore)

So problems with 0.19 are mostly the same as the previous ones? Sometimes it all seems to work except for Firefox, which doesn't work at all. orWall still asks for the boot rules each time it is opened. Applying these rules causes everything to stop working. Also, enabling tethering seems to cause everything on the device to go through clearnet too (intended?), and then when disabling tethering, everything stops working; a reboot is required. Going to keep tethering as another issue, but yeah, 0.19 still doesn't fix my issues, have to stick with 0.15.

cjeanneret commented 10 years ago

Heya!

On 09/01/2014 10:31 AM, hxe wrote:

> OK, here's what I did: uninstalled the init script and orWall, ran iptables -F, rebooted. iptables of the device without orWall: http://0bin.net/paste/3E-QOTwKvwR9LtY5#TzZpZ273QtEHxTB9yu+bYJgn4fxN3bbqxI4Sfm6LOOQ

OK, so a clean iptables output with a lot of chains, like the one I get on my side.

> Then installed orWall 0.15, ticked browser, Firefox, Twidere, rebooted. iptables of the device with orWall 0.15: http://0bin.net/paste/Hkn0mcrvIpodFyuC#x6rchircKwSLzB1E7FSCLOvOwP8vtzvqjz+ZIVl5NOi (this version works well, selected apps go through Tor)

OK, rules are "per-app", and there are still the general rules allowing access to the various localhost proxy entries (SOCKS, DNS and polipo). We can see them in the filter OUTPUT chain.

Also, this version doesn't enforce the INPUT policy to DROP, unlike the next releases. This can be a hint. The OUTPUT chain doesn't have a DROP policy either, though it gets a -j REJECT placed after the orWall rules.

> Then I uninstalled the init script and orWall 0.15, ran iptables -F, rebooted, then installed orWall 0.19, ticked browser, Firefox, Twidere, rebooted. iptables of the device with orWall 0.19 (after rebooting, before opening orWall again): http://0bin.net/paste/897gcXhOuIbKIuDf#H6k6B7ycpb1wFkmPR1eIQNjmKyVZtJdCBJZVjXaBU3G (this version seems to work a bit better than 0.16-0.18. Most apps seem to go through Tor [usually]. Firefox is the only exception, it won't work at all. I didn't open the app yet because it would ask to apply the boot rules again; I wanted to see the difference in iptables after doing that)

Policies are enforced to DROP for both INPUT and OUTPUT. This means the -j REJECT isn't needed anymore in the OUTPUT filter chain. Also, this version removes the generic rules for local port access, meaning only selected apps may access them.

Still, there's no sign of the "witness" chain created at boot time. This explains why you get the pop-up in orWall. Just a small question: can you check the path of the "sh" executable on your Android? The 91firewall shebang says the script should use /system/bin/sh; maybe it's somewhere else on your system (though my CM has it in the same place; it seems to be a default path).

> Then opened the app, it asked to apply the rules, I applied them. iptables of the device with orWall 0.19 (after rebooting, after opening orWall again): http://0bin.net/paste/ReE9WeuwzC6dZgM2#NHDyfVT7DFPZz1ywP1BqZmJyPc91WIxB7nx03xJphqO (after applying the rules, which orWall asks to apply every single time the app is opened, nothing at all works anymore)

Hmm… yep, this is due to the "iptables -F OUTPUT" and others like that done in the boot process… I'll make a note to modify this popup action.

> So problems with 0.19 are mostly the same as the previous ones? Mostly seems to work except for Firefox, which doesn't work at all.

In order to get some more information, it would be interesting to push the following rules into your iptables, once you have booted the device with 0.19 (without applying the script, as it breaks the rules):

```
# note: the owner match only works in the OUTPUT and POSTROUTING chains, so the
# INPUT rule logs without it (iptables rejects "-m owner" in INPUT)
iptables -A INPUT -j LOG --log-uid --log-prefix "INPUT DROP: "
iptables -A OUTPUT -m owner --uid-owner 10084 -j LOG --log-uid --log-prefix "OUTPUT DROP: "
iptables -t nat -A OUTPUT -m owner --uid-owner 10084 -j LOG --log-uid --log-prefix "NAT OUT DROP: "
```

This will give you a trace in the dmesg output of the iptables DROPs applied to Firefox's traffic. It would be good to have a look at it. And yes, it's on the TODO list to provide a way to push those rules via the orWall interface ;). I have to ensure the "LOG" target is known and supported.

> orWall still asks for the boot rules each time it is opened. Applying these rules causes everything to stop working. Also, enabling tethering seems to cause everything on the device to go through clearnet too (intended?),

Err… nope, tethering should go through Orbot as well… weird, it was OK last time I checked; I'll have to check it again with the new rules, I guess…

> and then when disabling tethering, everything stops working,

Not intended either — rules should just be removed. Will dig into that (I'll create an issue about it).

> a reboot is required. Going to keep tethering as another issue, but yeah, 0.19 still doesn't fix my issues, have to stick with 0.15.

hxe commented 10 years ago

My Android terminal is being weird and won't execute commands such as 'find' or 'which'. But /system/bin/sh does exist. Not sure if any other 'sh' exists, as I can't search.

I've pushed those extra rules and tried using Firefox. Do I check the logs with the 'dmesg' command? It's kind of hard to read on the Android screen, and the log is filled with a lot of seemingly unrelated stuff, but I can't seem to find anything related to the drops.

hxe commented 10 years ago

I just got the idea that maybe 'secdroid' was messing with my phone, causing the problems with anything happening at boot, but I remembered (and it says on the forum too) that no changes last across reboots; I have to open and apply secdroid whenever I boot (and I haven't been applying it when testing orWall). So the problem shouldn't be secdroid. I checked my app list; there really isn't anything else which could be messing with the system.

http://shadowdcatconsulting.com/blog/2013/1/11/securing-android.html http://forum.xda-developers.com/showthread.php?t=2086276

orWall doesn't even rely on any of the things secdroid disables, does it?

cjeanneret commented 10 years ago

Heya!

Regarding dmesg, you may want to run it through adb, like this for example:

```
adb shell
su
dmesg | grep PUT
```

This will filter the dmesg output.

It would also be great if you could modify the init script 91firewall to, for example, add `touch /data/foo`. If you reboot right after the modification, it should create a file named "foo" in /data/, a read-write location on the device. This would tell whether the init script was effectively run or not.

Remark concerning secdroid: it seems to play with sysctl, especially with the IPv4 redirect settings. Can you ensure its rules aren't applied at all? You can get the complete sysctl output like this:

```
su
sysctl -a > /sdcard/sysctl.txt
```

You may do it through ADB as well, of course ;). Then, if you grep for the different settings listed in the secdroid post, you want to check that they have the following values:

```
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.ip_forward = 0
```

At least the last one is set to 1 when you enable tethering, of course.

I'm pretty sure the "redirect" is used, as there's a call to that feature with iptables in the nat table…

I'm pretty sure a "stock CM ROM" won't have all of these problems: that's what I'm running on my Nexus 4, and, 0.16 aside, all orWall releases do what I want. Same for SlimKat.

hxe commented 10 years ago

This is what I get from dmesg:

```
<4>[ 3263.702270] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=34224 DF PROTO=UDP SPT=16388 DPT=5400 LEN=49 UID=10084 GID=10084
```

I also added a line to the init script; it looks like this now:

```
#!/system/bin/sh
IP6TABLES=/system/bin/ip6tables
IPTABLES=/system/bin/iptables
# IPv4: drop everything except loopback until orWall applies its rules
$IPTABLES -P OUTPUT DROP
$IPTABLES -I OUTPUT -j REJECT
$IPTABLES -I OUTPUT -o lo -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$IPTABLES -P INPUT DROP
$IPTABLES -I INPUT -j REJECT
$IPTABLES -I INPUT -i lo -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$IPTABLES -P FORWARD ACCEPT
# "witness" chain: orWall checks for it to know the init script ran
$IPTABLES -N witness
$IPTABLES -A witness -j RETURN
## Block all traffic at boot ##
$IP6TABLES -t nat -F
$IP6TABLES -F
$IP6TABLES -A INPUT -j LOG --log-prefix "Denied bootup IPv6 input: "
$IP6TABLES -A INPUT -j DROP
$IP6TABLES -A OUTPUT -j LOG --log-prefix "Denied bootup IPv6 output: "
$IP6TABLES -A OUTPUT -j DROP
# added for the test suggested above
touch /data/foo
```

I will restart and see what happens. I'm also unable to run the sysctl command right now:

```
sh: sysctl: can't execute: Permission denied
```

I can't remember if I ran secdroid this boot; I'll see if it works after rebooting.
cjeanneret commented 10 years ago
<4>[ 3694.820404] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=29535 DPT=5400 LEN=43 UID=10084 GID=10084

OK, so Firefox gets drops, for UDP, when trying to get access to the DNSProxy port. Meaning I made an error in the OUTPUT rule I guess, will check it once again.

i also added a line to the initscript, it looks like this now:

Seems good

i will restart and see what happens

i'm also unable to run the sysctl command right now sh: sysctl: can't execute: Permission denied

probably to be launched as root, sorry I didn't specify it.

i can't remember if i ran secdroid this boot, i'll see if it works after rebooting

The sysctl rules are good culprits. I should maybe add some checks regarding that in orwall.

I'll list the "potentially conflicting apps" in order to provide a better/faster support.

hxe commented 10 years ago

so i rebooted, my initscript still has my change, but there's no /data/foo. so i guess the initscript isn't running?

and yeah i'm in a root shell, sysctl won't run. and a lot of other things won't either, such as 'which', 'find', 'stat'. i'm used to a different linux system, so i don't know where to find the bins on android. where can i find the sysctl binary so i can check/change its permissions? secdroid should not be doing anything on its own as the developer has said they haven't got there yet. but maybe the first time i used it, some of the changes happened to be permanent?

cjeanneret commented 10 years ago

so i rebooted, my initscript still has my change, but there's no /data/foo. so i guess the initscript isn't running?

weird, but… yes :/. No "witness" chain nor /data/foo file means the init-script isn't run at all. Would be good to compare the shebang (line starting with #!) of the other scripts… there's maybe a thing in there.

and yeah i'm in a root shell, sysctl won't run. and a lot of other things won't either, such as 'which', 'find', 'stat'. i'm used to a different linux system, so i don't know where to find the bins on android. where can i find the sysctl binary so i can check/change its permissions? secdroid should not be doing anything on its own as the developer has said they haven't got there yet. but maybe the first time i used it, some of the changes happened to be permanent?

On my CM: /system/xbin/sysctl

Weird you can't use "which"… maybe busybox which may help? Found out some ROMs don't have a proper path nor the requested links, like the one I have on my Slate 7 (android 4.1.1). Though CM should provide good support…

cjeanneret commented 10 years ago

Heya,

any news regarding the init-script? Also, did the new 0.19 correct the problem on your side?

hxe commented 10 years ago

sorry haven't been active lately. i'll look into it now

hxe commented 10 years ago

```
root@jfltexx:/ # ls -al /system/xbin/sysctl
lrwxrwxrwx root     root              2014-08-26 20:13 sysctl -> busybox
```

```
126|root@jfltexx:/ # busybox which
/system/bin/sh: busybox: can't execute: Permission denied
```

hmm most bins in /system/xbin/ are linked to busybox? and `---------- root shell 493040 2008-08-01 22:00 busybox`

busybox has no permissions lol, can i fix that?

hxe commented 10 years ago

```
10|root@jfltexx:/ # chmod 0744 /system/xbin/busybox
Unable to chmod /system/xbin/busybox: Read-only file system
```

hxe commented 10 years ago

(i don't even have busybox installed though lol) does that mean i need to get the one from the play store? i'm installing busybox now..

hxe commented 10 years ago

ok commands work now

hxe commented 10 years ago

```
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.ip_forward = 0
```

it matches what u said. so the problem isn't sysctl? or secdroid. what is it?

hxe commented 10 years ago

i guess i'll try orwall 0.20

cjeanneret commented 10 years ago

weird thing is: why isn't the init-script working at all on your device. Maybe now that you get a working busybox with working executables, you'll be able to get something better after reboot… Just a thought: doesn't any of your appsec fiddle with some executables permissions?

Also, in order to get the busybox working without installing anything:

```
su
mount -o remount,rw /system
chmod 0750 /system/xbin/busybox
mount -o remount,ro /system
```

Lemme know if it works better with a working busybox and 0.20 (after a reboot)

hxe commented 10 years ago

oic. and yeah maybe with busybox now working, the initscript will work. i'll install 0.20 and reboot

hxe commented 10 years ago

it didn't complain about the rules this time. so i guess the initscript works. but my apps can't seem to connect to anything.. should i maybe flush iptables rules or something and then restart? and then just do the iptables debugging etc again

hxe commented 10 years ago

ok i flushed iptables, restarted, opened orwall, it crashed before opening, opened it again successfully. tried apps, they didn't work. unticked firefox and then reticked, it started working. did the same with twidere. so i'm just reticking all my apps right now and that will fix it hopefully

cjeanneret commented 10 years ago

ok, so init is OK. now, regarding iptables: it's flushed on boot, when orwall starts, in order to ensure there is no parasite. For what I can see on my side, it's working without any weird trick. If you're upgrading from 0.16 (or 0.15), your settings should be migrated to sqlite, as I added support for that lately in order to provide more possibilities (it's on the way)…

Just try to reboot once you've ticked the app again, I think the problem isn't that "easy".

cjeanneret commented 10 years ago

(migration to sqlite: https://github.com/EthACKdotOrg/orWall/blob/master/app/src/main/java/org/ethack/orwall/MainActivity.java#L361 )

hxe commented 10 years ago

yeah i just rebooted again. it seems on every reboot, i get a notice saying that orwall has stopped working. then after that, the usual notices from superuser, of orwall using sudo. and then apps don't work on boot. i have to go in to orwall and untick then tick all of the apps i want again, for them to start working. once i do that it works fine. even tethering seems to be working fine, even though u said in the other thread that it doesn't. though i haven't turned off tethering yet or done any other tests yet

hxe commented 10 years ago

so it seems maybe most of the old issues were to do with me not having busybox. the only real issue now is: orwall crashing on boot for some reason? which causes me to have to retick each app in the list on each boot. then it works fine

cjeanneret commented 10 years ago

hmm… pretty sure orwall doesn't apply its startup rules if it crashes on boot… Can you display the iptables rules right after the boot? Recall:

```
iptables -vnL -t filter
iptables -vnL -t nat
```

hxe commented 10 years ago

so the migration to sqlite is meant to explain maybe having to re-tick the apps? but i'm having to do that on each boot. orwall still crashes on every boot, confirmed. this is iptables after booting:

root@jfltexx:/ # iptables -vnL
iptables -vnL
Chain INPUT (policy DROP 3 packets, 442 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1361  210K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10064 ctstate NEW,RELATED,ESTABLISHED /* Allow Orbot inputs */
   42  3188 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* Allow related,established inputs */

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 oem_fwd    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 fw_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 bw_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 natctrl_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 231 packets, 14269 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 accounting_OUT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10064 tcp dpt:9030 /* Forward Directory traffic to accounting */
 1372  186K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10064 ctstate NEW,RELATED,ESTABLISHED /* Allow Orbot outputs */
   31  2034 ACCEPT     udp  --  *      *       0.0.0.0/0            127.0.0.1            owner UID match 0 ctstate NEW,RELATED,ESTABLISHED udp dpt:5400 /* Allow DNS queries */

Chain accounting_IN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 bw_INPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain accounting_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 bw_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain bw_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain bw_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! quota globalAlert: 2097152 bytes
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner socket exists

Chain bw_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! quota globalAlert: 2097152 bytes
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner socket exists

Chain bw_costly_shared (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 bw_penalty_box  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain bw_happy_box (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain bw_penalty_box (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10077 reject-with icmp-port-unreachable

Chain fw_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain fw_INPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain fw_OUTPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain natctrl_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain natctrl_tether_counters (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain oem_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain oem_out (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain st_filter_OUTPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain witness (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
root@jfltexx:/ # iptables -vnL -t nat
iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 5 packets, 1026 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5  1026 oem_nat_pre  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 176 packets, 10560 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   840 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10064 /* Orbot bypasses itself. */
   24  1574 REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 0 udp dpt:53 /* Allow DNS queries */ redir ports 5400

Chain POSTROUTING (policy ACCEPT 38 packets, 2414 bytes)
 pkts bytes target     prot opt in     out     source               destination
   41  2594 natctrl_nat_POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   41  2594 st_nat_POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain natctrl_nat_POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain oem_nat_pre (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain st_nat_POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination

how will we know if it's an orwall issue, or whether my new busybox install is causing orwall to crash? busybox seems to have fixed the initscript right? and also let me run a lot more binaries than before.

hxe commented 10 years ago

or it could be related to my tethering settings? i'll just disable all tethering related options and check first

hxe commented 10 years ago

ok every time i toggle "Enable LAN connections" in orwall now, it causes the app to stop working, but the setting seems to stick. i unticked all special network options i had ticked in orwall. will reboot now

hxe commented 10 years ago

yep! that was the problem. having "Enable LAN connections" ticked in orwall, was causing it to crash on boot, requiring me to re-tick each app manually. having it unticked and booting makes everything work fine! that option is now broken though

hxe commented 10 years ago

hmmm, should i close this issue then? i guess 0.20 works for me. just have to look into the other things like tethering and lan connections etc. i'll open an issue for the lan connections option crash. do people usually have busybox working on their phones? what if other people experience the problems i did because they don't have busybox? should orwall need to check that or something? i really don't know why there was a 'busybox' file in /xbin/ and a lot of apps linked to that. but i didn't have the actual busybox installed?

cjeanneret commented 10 years ago

I'll see what I can do regarding a working busybox. A simple test to ensure the exec exists and is executable should be enough.
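A pre-flight check of the kind cjeanneret proposes, added here as an example and not orWall's own code: it verifies that the binaries the init-script relies on exist and are executable (the busybox-with-mode-0000 failure from this thread), and inspects iptables output for the "witness" chain the init-script creates. The sample iptables text and the `run` argument are constructed for the example.

```shell
#!/bin/sh
# Added example, not orWall's own code. Pre-flight checks modelled on the
# failure in this thread: /system/xbin/busybox had mode 0000, so every
# busybox symlink (sysctl, which, find, ...) died with "Permission denied"
# and the init-script never created its "witness" chain or /data/foo.
# On Android, run it from a root shell (the shell there is /system/bin/sh).

# check_exec PATH: succeeds only if PATH is a regular file that is executable.
# Both tests follow symlinks, so /system/xbin/sysctl -> busybox is judged by
# busybox's own mode bits, which is exactly what failed in the thread.
check_exec() {
    [ -f "$1" ] && [ -x "$1" ]
}

# check_required_tools BIN...: report every binary that fails check_exec;
# returns 1 if any did, 0 if all are usable.
check_required_tools() {
    fail=0
    for bin in "$@"; do
        if check_exec "$bin"; then
            echo "ok:   $bin"
        else
            echo "FAIL: $bin (missing or not executable; check: ls -l $bin)"
            fail=1
        fi
    done
    return $fail
}

# init_script_ran TEXT: TEXT is the output of `iptables -S` or `iptables -vnL`;
# succeeds if the "witness" chain created by orWall's init-script is present.
init_script_ran() {
    printf '%s\n' "$1" | grep -q -e '^-N witness' -e '^Chain witness'
}

# Constructed sample outputs (shape taken from the listings in this thread).
SAMPLE_WITH_WITNESS='Chain witness (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'
SAMPLE_WITHOUT_WITNESS='Chain OUTPUT (policy DROP 96 packets, 6048 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Live checks run only when invoked with "run", so the functions above can
# also be sourced from another script.
if [ "${1:-}" = "run" ]; then
    check_required_tools /system/bin/iptables /system/bin/ip6tables \
        /system/xbin/busybox /system/xbin/sysctl
    if init_script_ran "$(iptables -vnL 2>/dev/null)"; then
        echo "init-script ran: witness chain present"
    else
        echo "init-script did NOT run: no witness chain"
    fi
fi
```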