Closed hxe closed 10 years ago
Hello,
Yep, there was a nasty bug in 0.16, that's why I pushed 0.17 a few hours after 0.16.
Just small questions regarding your Android:
From what I can see in your rules, the "witness" chain is missing, which makes the pop-up appear. But this pop-up should not appear if your Android doesn't support init-scripts, so there's probably a mix-up in this part.
Cheers,
C.
Oh, and also: Android 4.3.x doesn't have the super-update making all DNS queries go through some caching proxy… THAT explains why you don't have network anymore.
~> I'll push a new release shortly in order to re-add the dns redirect.
Well, my problem relates to 0.16+, so 0.17 and 0.18 are included right now. And how would I check if my Android supports init-scripts? I'm guessing it does, because /system/etc/init.d contains: 00banner 50selinuxrelable 90userinit 91firewall
And I guess I should also update CyanogenMod soon for that 4.4 Android.
I've updated to Android 4.4.2. Should I update orWall to 0.18 now, or wait for the next update?
It would be interesting to give 0.18 a try. It should provide connectivity.
It would also be interesting to see why orWall cannot push its init-script. What Android "flavour" are you using?
https://img.bi/#/LrJnFRt!S74VWHuHqaeYr3dXH7dSejJiYX9xgCNa3vzahny5
And I just updated orWall. Should I open orWall first (it will probably give that notice), or should I reboot first and then open orWall?
Heya!
You should start the app in order to ensure it migrates the configuration to SQLite. It should also install the init-script… hopefully.
Once it's done, you may reboot.
Still the same problem. Had to downgrade to 0.15 again.
Weird… any chance you have something else playing with iptables? Some chains in your output don't seem to be "stock chains"…
Here, CM 4.4.4 on a Nexus 4 works like a charm. As does a Nexus 7 with SlimKat. And an HP Slate 7, rooted stock 4.1.1…
Nothing else should be doing it. I've tried it with both Orbot set to use its own iptables, and with Orbot using the built-in iptables. AFWall isn't installed. IDK. What changed after 0.15? Why does it work fine until that update? I will do some more tests and paste the iptables output as it currently is, as it is with the latest orWall, and as it is without orWall at all.
Before 0.16, there were some generic rules allowing all apps to connect to localhost on Orbot ports (SOCKS, transproxy and DNS). There were also per-app rules for DNS, until I found out that there was, on my systems, something else making ALL DNS queries come from UID 0 instead of the app.
0.16 was broken, don't try it. Basically, it removed the generic rules in order to provide a more secure way to filter apps, ensuring only the ones you select can go through transProxy. You may be interested in the following commits: ae43a83d4d520937eff6a799b85fec1005c642a5 0c8cfd4b3a5e49b6d90e2db3e45304c8f4ce94ae
0.17 was a correction for 0.16, still with the same rules (modulo 1-2 corrections). It might have been called 0.16.1 in fact ;).
0.18 moved NAT preferences to SQLite in order to provide better support for coming features.
0.19 WILL (not yet released) add back DNS rules based on app UID, which were removed in 0.16 due to the UID 0 stuff. The current 0.19 candidate works on my Android 4.1.1. I still have to test it on a more recent version (4.4.4).
Current status on my different devices: 0.18 works on all my devices (4.1.1, 4.4.4 CM and 4.4.4 SlimKat); 0.19 tested on 4.1.1 successfully, still needs tests on 4.4.4.
I'll also try:
@hxe I realize it's a pain, but what about diffing the log outputs of iptables between 0.15 and 0.16, then installing 0.15 and using adb shell to manually add each iptables change until things start working? Then work backwards to find out why that specific thing changed.
"should" work with 0ac57f0137784549d9ccdec5b125bb609ae46225 — will be integrated in next release. Probably Sunday, I have some tests to do with the code refactoring I made.
Release is out. @hxe mind testing it with your setup?
Installed 0.19. Still having pretty much the same problems. orWall acts very weird. Going to get the iptables output of my device without orWall, with 0.15, and with 0.19 and compare.
OK, here's what I did:
Uninstalled the init script and orWall, ran iptables -F, rebooted. iptables of the device without orWall: http://0bin.net/paste/3E-QOTwKvwR9LtY5#TzZpZ273QtEHxTB9yu+bYJgn4fxN3bbqxI4Sfm6LOOQ
Then installed orWall 0.15, ticked Browser, Firefox, Twidere, rebooted. iptables of the device with orWall 0.15: http://0bin.net/paste/Hkn0mcrvIpodFyuC#x6rchircKwSLzB1E7FSCLOvOwP8vtzvqjz+ZIVl5NOi (this version works well, selected apps go through Tor)
Then I uninstalled the init script and orWall 0.15, ran iptables -F, rebooted, then installed orWall 0.19, ticked Browser, Firefox, Twidere, rebooted. iptables of the device with orWall 0.19 (after rebooting, before opening orWall again): http://0bin.net/paste/897gcXhOuIbKIuDf#H6k6B7ycpb1wFkmPR1eIQNjmKyVZtJdCBJZVjXaBU3G (this version seems to work a bit better than 0.16-0.18. Most apps seem to go through Tor [usually]. Firefox is the only exception, it won't work at all. I didn't open the app yet because it would ask to apply the boot rules again; wanted to see the difference in iptables after doing that)
Then opened the app, it asked to apply the rules, I applied them. iptables of the device with orWall 0.19 (after rebooting, after opening orWall again): http://0bin.net/paste/ReE9WeuwzC6dZgM2#NHDyfVT7DFPZz1ywP1BqZmJyPc91WIxB7nx03xJphqO (after applying the rules, which orWall asks to apply every single time the app is opened, nothing at all works anymore)
So problems with 0.19 are mostly the same as the previous ones? Sometimes it all seems to work except for Firefox, which doesn't work at all. orWall still asks for the boot rules each time it is opened. Applying these rules causes everything to stop working. Also, enabling tethering seems to cause everything on the device to also go through clearnet (intended?), and then when disabling tethering, everything stops working, a reboot is required. Going to keep tethering as another issue, but yeah, 0.19 still doesn't fix my issues, have to stick with 0.15.
Heya!
On 09/01/2014 10:31 AM, hxe wrote:
> OK, here's what I did: uninstalled the init script and orWall, ran iptables -F, rebooted. iptables of the device without orWall: http://0bin.net/paste/3E-QOTwKvwR9LtY5#TzZpZ273QtEHxTB9yu+bYJgn4fxN3bbqxI4Sfm6LOOQ
OK, so a clean iptables output with a lot of chains, like the one I get on my side.
> Then installed orWall 0.15, ticked Browser, Firefox, Twidere, rebooted. iptables of the device with orWall 0.15: http://0bin.net/paste/Hkn0mcrvIpodFyuC#x6rchircKwSLzB1E7FSCLOvOwP8vtzvqjz+ZIVl5NOi (this version works well, selected apps go through Tor)
OK, rules are "per-app", and there are still the general rules allowing access to the various localhost proxy entries (SOCKS, DNS and polipo). We can see them in the filter OUTPUT chain.
Also, this version doesn't enforce the INPUT policy to DROP, like the next releases do. This can be a hint. The OUTPUT chain doesn't have a policy, though it gets a -j REJECT placed after the orWall rules.
> Then I uninstalled the init script and orWall 0.15, ran iptables -F, rebooted, then installed orWall 0.19, ticked Browser, Firefox, Twidere, rebooted. iptables of the device with orWall 0.19 (after rebooting, before opening orWall again): http://0bin.net/paste/897gcXhOuIbKIuDf#H6k6B7ycpb1wFkmPR1eIQNjmKyVZtJdCBJZVjXaBU3G (this version seems to work a bit better than 0.16-0.18. Most apps seem to go through Tor [usually]. Firefox is the only exception, it won't work at all. I didn't open the app yet because it would ask to apply the boot rules again; wanted to see the difference in iptables after doing that)
Policies are enforced to DROP for both INPUT and OUTPUT. This means the -j REJECT isn't needed anymore in the OUTPUT filter chain. Also, this version removes the generic rules for local port access, meaning only selected apps may access them.
Still, there's no sign of the "witness" chain created at boot time. This explains why you get the pop-up in orWall. Just a small question: can you check the path of the "sh" executable on your Android? The 91firewall shebang says the script should use /system/bin/sh; maybe it's somewhere else on your system (though my CM has it in the same place, it seems to be a default path).
> Then opened the app, it asked to apply the rules, I applied them. iptables of the device with orWall 0.19 (after rebooting, after opening orWall again): http://0bin.net/paste/ReE9WeuwzC6dZgM2#NHDyfVT7DFPZz1ywP1BqZmJyPc91WIxB7nx03xJphqO (after applying the rules, which orWall asks to apply every single time the app is opened, nothing at all works anymore)
Hmm… yep, this is due to the "iptables -F OUTPUT" and others like that done in the boot process… I'll make a note to modify this popup action.
> So problems with 0.19 are mostly the same as the previous ones? Mostly seems to work except for Firefox, which doesn't work at all.
In order to get some more information, it would be interesting to push the following rules into your iptables once you have booted the device with 0.19 (without applying the script, as it breaks the rules):
```
iptables -A INPUT -m owner --uid-owner 10084 -j LOG --log-uid --log-prefix "INPUT DROP: "
iptables -A OUTPUT -m owner --uid-owner 10084 -j LOG --log-uid --log-prefix "OUTPUT DROP: "
iptables -t nat -A OUTPUT -m owner --uid-owner 10084 -j LOG --log-uid --log-prefix "NAT OUT DROP: "
```
This will give you a trace in the dmesg output regarding the iptables DROPs applied to Firefox's queries. Would be good to have a look at it. And yes, it's in the TODO to provide a way to push those rules via the orWall interface ;). Have to ensure the "LOG" target is known and supported.
> orWall still asks for the boot rules each time it is opened. Applying these rules causes everything to stop working. Also, enabling tethering seems to cause everything on the device to also go through clearnet (intended?),
Err… nope, tethering should go through Orbot as well… weird, it was OK last time I checked, have to check it again with the new rules I guess…
> and then when disabling tethering, everything stops working,
Not intended either — rules should just be removed. Will dig into that (I'll create an issue about it).
> a reboot is required. Going to keep tethering as another issue, but yeah, 0.19 still doesn't fix my issues, have to stick with 0.15.
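The three LOG rules above produce a wall of near-identical dmesg lines, which is exactly the complaint that follows in the thread. As an added example (not orWall's code and not part of the original thread), here is a small POSIX shell/awk helper that condenses such a dump into one line per log prefix, UID, protocol, destination and port with a hit count. The sample lines it runs on are constructed to match the format those rules emit (UID 10084 is the Firefox UID used in the post; 203.0.113.5 is a documentation address); nothing else is assumed.

```sh
#!/bin/sh
# Added example, not orWall's code: condense iptables LOG lines from dmesg.
# Input is assumed to come from rules like the three in the post above
# (-j LOG --log-uid --log-prefix "... DROP: "), which append UID= and GID=.

# summarize_drops: read dmesg text on stdin, emit one tab-separated line per
# (prefix, uid, proto, dst, dport) with its hit count, most frequent first.
# Lines that do not carry a "... DROP: " prefix are ignored.
summarize_drops() {
    tab=$(printf '\t')
    awk '
    / DROP: / {
        pfx = substr($0, index($0, "] ") + 2)       # strip "<4>[ 3694.820404] "
        pfx = substr(pfx, 1, index(pfx, ":") - 1)   # keep text before first ":"
        uid = "-"; proto = "-"; dst = "-"; dport = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^UID=/)   uid   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DST=/)   dst   = substr($i, 5)
            if ($i ~ /^DPT=/)   dport = substr($i, 5)
        }
        hits[pfx "\t" uid "\t" proto "\t" dst "\t" dport]++
    }
    END { for (k in hits) print hits[k] "\t" k }
    ' | sort -t "$tab" -k1,1nr -k2
}

# Constructed sample: two UDP DNS attempts to the local DNS proxy port, one
# direct TCP/443 attempt, one nat-table hit and one unrelated kernel line.
SAMPLE_DMESG='<4>[ 3694.820404] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=29535 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.820526] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=27749 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.851043] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11803 DF PROTO=TCP SPT=41234 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=10084 GID=10084
<4>[ 3695.772735] NAT OUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11895 DF PROTO=UDP SPT=55702 DPT=5400 LEN=46 UID=10084 GID=10084
<6>[ 3700.000000] wlan0: unrelated kernel message, ignored'

# Demo: count\tprefix\tuid\tproto\tdst\tdport, e.g. "2  OUTPUT DROP  10084  UDP  127.0.0.1  5400"
printf '%s\n' "$SAMPLE_DMESG" | summarize_drops
```

On the device the same function can be fed directly (`dmesg | summarize_drops` in a root shell after sourcing the file), and a single line such as "OUTPUT DROP / UID 10084 / UDP / 127.0.0.1 / 5400" tells you at once that the app's DNS queries to the local proxy port are what is being dropped. One caveat on the rules themselves: the owner match only applies to locally generated packets and is accepted only in the OUTPUT and POSTROUTING chains, so a stock kernel refuses the INPUT variant and no "INPUT DROP" lines can ever show up; the filter OUTPUT and nat OUTPUT prefixes are the ones to look for.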
My Android terminal is being weird and won't execute commands such as 'find' or 'which'. But /system/bin/sh does exist. Not sure if any other 'sh' exists, as I can't search.
I've pushed those extra rules and tried using Firefox. Do I check the logs with the 'dmesg' command? It's kind of hard to read on the Android screen, plus the log is filled with a lot of seemingly unrelated stuff. But I can't seem to find anything related to the drops.
I just got the idea that maybe 'secdroid' was messing with my phone, causing the problems with anything happening at boot, but I remembered, and it says on the forum too, that no changes last across reboots; I have to open and apply secdroid whenever I boot (and I haven't been applying it when testing orWall). So the problem shouldn't be secdroid. I checked my app list, there really isn't anything else which can be messing with the system.
http://shadowdcatconsulting.com/blog/2013/1/11/securing-android.html http://forum.xda-developers.com/showthread.php?t=2086276
orWall doesn't even rely on any of the things secdroid disables, does it?
Heya!
Regarding dmesg, you may want to run it through adb, like this for example:
```
adb shell
su
dmesg | grep PUT
```
This will filter the dmesg output.
It would also be great if you could modify the init-script 91firewall in order to, for example, do this:
```
touch /data/foo
```
If you reboot right after the modification, it should create a file named "foo" in /data/, a read-write location on the device.
This would tell whether the init-script was effectively run or not.
Remark concerning secdroid: it seems it plays with sysctl, especially with the IPv4 redirect thing. Can you ensure its rules aren't applied at all? You may get the complete sysctl output like this:
```
su
sysctl -a > /sdcard/sysctl.txt
```
You may do it through ADB as well, of course ;). Then, if you grep for the different settings present in the secdroid post, you may want to check that they have the following values:
```
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.ip_forward = 0
```
At least the last one is set to 1 when you enable tethering, of course.
I'm pretty sure the "redirect" is used, as there's a call to that feature with iptables in the nat table…
I'm pretty sure a "stock CM ROM" won't get all of these problems: that's what I'm running on my nexus4, and, 0.16 aside, all orwall releases do what I want. Same for slimkat.
This is what I get from dmesg:
```
<4>[ 3263.702270] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=34224 DF PROTO=UDP SPT=16388 DPT=5400 LEN=49 UID=10084 GID=10084
<4>[ 3694.820404] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=29535 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.820434] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=29535 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.820526] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=27749 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.820526] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=27749 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.820648] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=28143 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.820648] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=28143 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.820770] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=28049 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.820770] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=28049 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.820892] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=27931 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.820892] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=27931 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.821014] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=28317 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.821014] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=28317 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.821105] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=28167 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.821136] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=28167 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.821228] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=28587 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.821228] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=28587 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.851043] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11803 DF PROTO=UDP SPT=60269 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.851043] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11803 DF PROTO=UDP SPT=60269 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.851135] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11803 DF PROTO=UDP SPT=58581 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.851165] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11803 DF PROTO=UDP SPT=58581 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.851226] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11803 DF PROTO=UDP SPT=58490 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.851257] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11803 DF PROTO=UDP SPT=58490 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.851348] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11803 DF PROTO=UDP SPT=58398 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.851348] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11803 DF PROTO=UDP SPT=58398 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.851501] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11803 DF PROTO=UDP SPT=58760 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.851501] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11803 DF PROTO=UDP SPT=58760 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.853820] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11803 DF PROTO=UDP SPT=59091 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.853851] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11803 DF PROTO=UDP SPT=59091 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.854034] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11804 DF PROTO=UDP SPT=61347 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.854064] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11804 DF PROTO=UDP SPT=61347 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.854186] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11804 DF PROTO=UDP SPT=39148 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3694.854217] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11804 DF PROTO=UDP SPT=39148 DPT=5400 LEN=43 UID=10084 GID=10084
<4>[ 3695.342163] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11852 DF PROTO=UDP SPT=26909 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.342193] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11852 DF PROTO=UDP SPT=26909 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.342346] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11852 DF PROTO=UDP SPT=27180 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.342346] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11852 DF PROTO=UDP SPT=27180 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.342468] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11852 DF PROTO=UDP SPT=27571 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.342498] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11852 DF PROTO=UDP SPT=27571 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.342620] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11852 DF PROTO=UDP SPT=27414 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.342651] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11852 DF PROTO=UDP SPT=27414 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.342773] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11852 DF PROTO=UDP SPT=25726 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.342803] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11852 DF PROTO=UDP SPT=25726 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.343383] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11852 DF PROTO=UDP SPT=26053 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.343414] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11852 DF PROTO=UDP SPT=26053 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.343536] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11852 DF PROTO=UDP SPT=26471 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.343566] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11852 DF PROTO=UDP SPT=26471 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.343719] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11852 DF PROTO=UDP SPT=28874 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.343749] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11852 DF PROTO=UDP SPT=28874 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.772735] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11895 DF PROTO=UDP SPT=55702 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.772766] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11895 DF PROTO=UDP SPT=55702 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.772918] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11895 DF PROTO=UDP SPT=55962 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.772918] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11895 DF PROTO=UDP SPT=55962 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.773071] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11895 DF PROTO=UDP SPT=56295 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.773071] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11895 DF PROTO=UDP SPT=56295 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.773223] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11895 DF PROTO=UDP SPT=56143 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.773223] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11895 DF PROTO=UDP SPT=56143 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.773376] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11895 DF PROTO=UDP SPT=54450 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.773406] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11895 DF PROTO=UDP SPT=54450 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.773529] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11895 DF PROTO=UDP SPT=54303 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.773559] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11895 DF PROTO=UDP SPT=54303 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.773712] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11895 DF PROTO=UDP SPT=54661 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.773742] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11895 DF PROTO=UDP SPT=54661 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.773864] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11896 DF PROTO=UDP SPT=54959 DPT=5400 LEN=46 UID=10084 GID=10084
<4>[ 3695.773895] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=11896 DF PROTO=UDP SPT=54959 DPT=5400 LEN=46 UID=10084 GID=10084
```
I also added a line to the init script, it looks like this now:
```
#!/system/bin/sh
IP6TABLES=/system/bin/ip6tables
IPTABLES=/system/bin/iptables
$IPTABLES -P OUTPUT DROP
$IPTABLES -I OUTPUT -j REJECT
$IPTABLES -I OUTPUT -o lo -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$IPTABLES -P INPUT DROP
$IPTABLES -I INPUT -j REJECT
$IPTABLES -I INPUT -i lo -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -N witness
$IPTABLES -A witness -j RETURN
## Block all traffic at boot ##
$IP6TABLES -t nat -F
$IP6TABLES -F
$IP6TABLES -A INPUT -j LOG --log-prefix "Denied bootup IPv6 input: "
$IP6TABLES -A INPUT -j DROP
$IP6TABLES -A OUTPUT -j LOG --log-prefix "Denied bootup IPv6 output: "
$IP6TABLES -A OUTPUT -j DROP
touch /data/foo
```
I will restart and see what happens. I'm also unable to run the sysctl command right now: `sh: sysctl: can't execute: Permission denied`. I can't remember if I ran secdroid this boot, I'll see if it works after rebooting.
> <4>[ 3694.820404] OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.13 DST=127.0.0.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=11800 DF PROTO=UDP SPT=29535 DPT=5400 LEN=43 UID=10084 GID=10084
OK, so Firefox gets drops. For UDP, when trying to access the DNSProxy port. Meaning I made an error in the OUTPUT rule I guess, will check it once again.
> I also added a line to the init script, it looks like this now:
Seems good.
> I will restart and see what happens
> I'm also unable to run the sysctl command right now: sh: sysctl: can't execute: Permission denied
Probably needs to be launched as root, sorry I didn't specify it.
> I can't remember if I ran secdroid this boot, I'll see if it works after rebooting
The sysctl rules are good culprits. I should maybe add some checks regarding that in orwall.
I'll list the "potentially conflicting apps" in order to provide a better/faster support.
So I rebooted, my init script still has my change, but there's no /data/foo. So I guess the init script isn't running?
And yeah, I'm in a root shell, sysctl won't run. And a lot of other things won't either, such as 'which', 'find', 'stat'. I'm used to a different Linux system, so I don't know where to find the bins on Android. Where can I find the sysctl binary so I can check/change its permissions? secdroid should not be doing anything on its own, as the developer has said they haven't got there yet. But maybe the first time I used it, some of the changes happened to be permanent?
> So I rebooted, my init script still has my change, but there's no /data/foo. So I guess the init script isn't running?
Weird, but… yes :/. No "witness" chain nor /data/foo file means the init-script isn't run at all. It would be good to compare the shebang (the line starting with #!) with the other scripts… there's maybe something in there.
> And yeah, I'm in a root shell, sysctl won't run. And a lot of other things won't either, such as 'which', 'find', 'stat'. I'm used to a different Linux system, so I don't know where to find the bins on Android. Where can I find the sysctl binary so I can check/change its permissions? secdroid should not be doing anything on its own, as the developer has said they haven't got there yet. But maybe the first time I used it, some of the changes happened to be permanent?
On my CM: /system/xbin/sysctl
Weird you can't use "which"… maybe `busybox which` may help? I found out some ROMs don't have a proper path nor the required links, like the one I have on my Slate 7 (Android 4.1.1). Though CM should provide good support…
Heya,
any news regarding the init-script? Also, did the new 0.19 correct the problem on your side?
Sorry, haven't been active lately. I'll look into it now.
```
root@jfltexx:/ # ls -al /system/xbin/sysctl
lrwxrwxrwx root     root              2014-08-26 20:13 sysctl -> busybox
126|root@jfltexx:/ # busybox which
/system/bin/sh: busybox: can't execute: Permission denied
```
Hmm, most bins in /system/xbin/ are linked to busybox? And:
```
---------- root     shell    493040 2008-08-01 22:00 busybox
```
busybox has no permissions lol. Can I fix that?
```
10|root@jfltexx:/ # chmod 0744 /system/xbin/busybox
Unable to chmod /system/xbin/busybox: Read-only file system
```
(I don't even have busybox installed though lol.) Does that mean I need to get the one from the Play Store? I'm installing busybox now..
OK, commands work now.
```
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.ip_forward = 0
```
It matches what you said. So the problem isn't sysctl? Or secdroid. What is it?
I guess I'll try orWall 0.20.
Weird thing is: why isn't the init-script working at all on your device? Maybe now that you have a working busybox with working executables, you'll get something better after a reboot… Just a thought: does any of your appsec fiddle with executable permissions?
Also, in order to get busybox working without installing anything:
```
su
mount -o remount,rw /system
chmod 0750 /system/xbin/busybox
mount -o remount,ro /system
```
Let me know if it works better with a working busybox and 0.20 (after a reboot).
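The diagnosis the thread reached by hand (compare the shebang, touch /data/foo, discover that /system/xbin/* are symlinks to a busybox with no permission bits) can be made mechanical. The script below is an added shell example, not orWall's code and not something posted in the thread: it checks, for each script in an init.d-style directory, that the file is executable, that it starts with a shebang, and that the interpreter the shebang names exists and is itself executable. The tree it inspects is a constructed temporary directory standing in for /system (the function and variable names are the example's own), so it runs anywhere; on a device the same functions would be pointed at /system/etc/init.d.

```sh
#!/bin/sh
# Added example, not orWall's code.  Diagnoses why an init.d-style script such
# as /system/etc/init.d/91firewall may never run: the file must be executable,
# start with a shebang, and that shebang must name an interpreter that exists
# and is itself executable.  [ -x ] follows symlinks, so a "sh -> busybox" link
# is judged by the busybox binary it points at (the mode-000 busybox case below).

# check_init_script SCRIPT
# Prints "ok: ..." or the first problem found.  Exit status: 0 ok,
# 1 missing, 2 script not executable, 3 no shebang,
# 4 interpreter missing, 5 interpreter not executable.
check_init_script() {
    script=$1
    [ -f "$script" ] || { echo "missing: $script"; return 1; }
    [ -x "$script" ] || { echo "not executable: $script"; return 2; }
    first=$(head -n 1 "$script")
    case $first in
        '#!'*) ;;
        *) echo "no shebang: $script"; return 3 ;;
    esac
    # interpreter = first word after "#!", e.g. /system/bin/sh
    interp=$(printf '%s\n' "$first" | sed 's/^#![[:space:]]*//; s/[[:space:]].*$//')
    [ -e "$interp" ] || { echo "interpreter missing: $interp ($script)"; return 4; }
    [ -x "$interp" ] || { echo "interpreter not executable: $interp ($script)"; return 5; }
    echo "ok: $script ($interp)"
    return 0
}

# check_init_dir DIR: run the check over every entry; return the number of
# scripts that failed (0 means the whole directory should run at boot).
check_init_dir() {
    bad=0
    for s in "$1"/*; do
        [ -e "$s" ] || continue
        check_init_script "$s" || bad=$((bad + 1))
    done
    return "$bad"
}

# --- self-contained demo on a constructed tree (stands in for /system) --------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/init.d" "$demo_dir/xbin"
: > "$demo_dir/xbin/busybox"                 # "---------- root shell busybox": no permission bits at all
chmod 000 "$demo_dir/xbin/busybox"
ln -s busybox "$demo_dir/xbin/sh"            # xbin applets are symlinks to busybox
printf '#!%s/xbin/sh\n%s\n' "$demo_dir" 'echo firewall' > "$demo_dir/init.d/91firewall"
chmod 755 "$demo_dir/init.d/91firewall"      # executable itself, but its interpreter is not
printf '#!/bin/sh\necho banner\n' > "$demo_dir/init.d/00banner"
chmod 755 "$demo_dir/init.d/00banner"        # healthy script
printf '#!/bin/sh\necho userinit\n' > "$demo_dir/init.d/90userinit"
chmod 644 "$demo_dir/init.d/90userinit"      # forgot the execute bit

failed=0
check_init_dir "$demo_dir/init.d" || failed=$?
echo "scripts that would not run at boot: $failed"
```

Run as root on the device, `check_init_dir /system/etc/init.d` gives one verdict per script; "interpreter not executable" is exactly the busybox situation above, and the remount/chmod sequence in the previous post is the fix for it. The check is deliberately limited to what the shell can observe (modes, existence, shebang); whether the ROM's init actually iterates the directory is a separate question that the touch /data/foo trick answers.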
Oh I see. And yeah, maybe with busybox now working, the init script will work. I'll install 0.20 and reboot.
It didn't complain about the rules this time, so I guess the init script works. But my apps can't seem to connect to anything.. Should I maybe flush the iptables rules or something and then restart? And then just do the iptables debugging etc. again.
OK, I flushed iptables, restarted, opened orWall, it crashed before opening, opened it again successfully. Tried apps, they didn't work. Unticked Firefox and then re-ticked it, it started working. Did the same with Twidere. So I'm just re-ticking all my apps right now and that will fix it hopefully.
OK, so init is OK. Now, regarding iptables: it's flushed on boot, when orWall starts, in order to ensure there is no parasite. From what I can see on my side, it's working without any weird trick. If you're upgrading from 0.16 (or 0.15), your settings should be migrated to SQLite, as I added support for that lately in order to provide more possibilities (it's on the way)…
Just try to reboot once you've ticked the apps again, I think the problem isn't that "easy".
Yeah, I just rebooted again. It seems on every reboot I get a notice saying that orWall has stopped working. Then after that, the usual notices from Superuser of orWall using sudo. And then apps don't work on boot. I have to go into orWall and untick then tick all of the apps I want again for them to start working. Once I do that it works fine. Even tethering seems to be working fine, even though you said in the other thread that it doesn't. Though I haven't turned off tethering yet or done any other tests yet.
So it seems maybe most of the old issues were to do with me not having busybox. The only real issue now is: orWall crashing on boot for some reason? Which causes me to have to re-tick each app in the list on each boot. Then it works fine.
Hmm… pretty sure orWall doesn't apply its startup rules if it crashes on boot… Can you display the iptables rules right after the boot? Recall:
```
iptables -vnL -t filter
iptables -vnL -t nat
```
So the migration to SQLite is meant to explain maybe having to re-tick the apps? But I'm having to do that on each boot. orWall still crashes on every boot, confirmed. This is iptables after booting:
```
root@jfltexx:/ # iptables -vnL
Chain INPUT (policy DROP 3 packets, 442 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1361  210K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10064 ctstate NEW,RELATED,ESTABLISHED /* Allow Orbot inputs */
   42  3188 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* Allow related,established inputs */

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 oem_fwd    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 fw_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 bw_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 natctrl_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 231 packets, 14269 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 accounting_OUT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10064 tcp dpt:9030 /* Forward Directory traffic to accounting */
 1372  186K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10064 ctstate NEW,RELATED,ESTABLISHED /* Allow Orbot outputs */
   31  2034 ACCEPT     udp  --  *      *       0.0.0.0/0            127.0.0.1            owner UID match 0 ctstate NEW,RELATED,ESTABLISHED udp dpt:5400 /* Allow DNS queries */

Chain accounting_IN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 bw_INPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain accounting_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 bw_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain bw_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain bw_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! quota globalAlert: 2097152 bytes
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner socket exists

Chain bw_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! quota globalAlert: 2097152 bytes
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner socket exists

Chain bw_costly_shared (0 references)
 pkts bytes target     prot opt in     out     source               destination
```
0 0 bw_penalty_box all -- * * 0.0.0.0/0 0.0.0.0/0
Chain bw_happy_box (0 references)
pkts bytes target prot opt in out source destination
Chain bw_penalty_box (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 10077 reject-with icmp-port-unreachable
Chain fw_FORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain fw_INPUT (0 references)
pkts bytes target prot opt in out source destination
Chain fw_OUTPUT (0 references)
pkts bytes target prot opt in out source destination
Chain natctrl_FORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain natctrl_tether_counters (0 references)
pkts bytes target prot opt in out source destination
Chain oem_fwd (1 references)
pkts bytes target prot opt in out source destination
Chain oem_out (0 references)
pkts bytes target prot opt in out source destination
Chain st_filter_OUTPUT (0 references)
pkts bytes target prot opt in out source destination
Chain witness (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
root@jfltexx:/ # iptables -vnL -t nat
iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 5 packets, 1026 bytes)
pkts bytes target prot opt in out source destination
5 1026 oem_nat_pre all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 176 packets, 10560 bytes)
pkts bytes target prot opt in out source destination
14 840 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 10064 /* Orbot bypasses itself. */
24 1574 REDIRECT udp -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 0 udp dpt:53 /* Allow DNS queries */ redir ports 5400
Chain POSTROUTING (policy ACCEPT 38 packets, 2414 bytes)
pkts bytes target prot opt in out source destination
41 2594 natctrl_nat_POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
41 2594 st_nat_POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain natctrl_nat_POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain oem_nat_pre (1 references)
pkts bytes target prot opt in out source destination
Chain st_nat_POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
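As an added diagnostic (not orWall's own code), a small parser for the `iptables -vnL` output pasted above that reports why apps cannot connect even though Orbot itself works. It assumes Orbot's UID is 10064 and Tor's DNSPort is 5400, as seen in those rules; the sample tables are constructed from the OUTPUT chains quoted in this thread.

```python
import re
# Constructed sample: the OUTPUT chains posted above (filter and nat tables).
FILTER_SAMPLE = """\
Chain OUTPUT (policy DROP 231 packets, 14269 bytes)
 pkts bytes target prot opt in out source destination
 1372 186K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 10064 ctstate NEW,RELATED,ESTABLISHED /* Allow Orbot outputs */
 31 2034 ACCEPT udp -- * * 0.0.0.0/0 127.0.0.1 owner UID match 0 ctstate NEW,RELATED,ESTABLISHED udp dpt:5400 /* Allow DNS queries */
"""
NAT_SAMPLE = """\
Chain OUTPUT (policy ACCEPT 176 packets, 10560 bytes)
 pkts bytes target prot opt in out source destination
 14 840 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 10064 /* Orbot bypasses itself. */
 24 1574 REDIRECT udp -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 0 udp dpt:53 /* Allow DNS queries */ redir ports 5400
"""
ORBOT_UID = 10064  # Orbot's UID in the rules above; it differs per device (assumption)

def parse_iptables(text):
    # chain name -> {"policy": built-in policy or None, "rules": [rule lines]}
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
        elif current and line.strip() and not line.strip().startswith("pkts"):
            chains[current]["rules"].append(line.strip())
    return chains

def accepted_uids(chains, chain="OUTPUT"):
    # UIDs given an ACCEPT rule through the owner match (orWall's per-app rules)
    uids = set()
    for rule in chains.get(chain, {}).get("rules", []):
        m = re.search(r"owner UID match (\d+)", rule)
        if m and rule.split()[2] == "ACCEPT":
            uids.add(int(m.group(1)))
    return uids

def diagnose(filter_text, nat_text):
    # Findings that explain "Orbot is up but my apps cannot connect"
    f, n = parse_iptables(filter_text), parse_iptables(nat_text)
    findings = []
    # Default DROP with only Orbot and root accepted means no app was ever allowed
    if f.get("OUTPUT", {}).get("policy") == "DROP" and not accepted_uids(f) - {ORBOT_UID, 0}:
        findings.append("OUTPUT policy is DROP but no app UID is accepted: "
                        "per-app rules were never applied")
    # root's UDP/53 must be REDIRECTed to Tor's DNSPort in the nat OUTPUT chain
    if not any("REDIRECT" in r and "dpt:53" in r and "redir ports 5400" in r
               for r in n.get("OUTPUT", {}).get("rules", [])):
        findings.append("no DNS redirect to port 5400: name resolution will fail")
    return findings
```

Run `diagnose(FILTER_SAMPLE, NAT_SAMPLE)` against the tables above and the only finding is the missing per-app rules, matching the symptom in this thread.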
How will we know if it's an orWall issue, or whether my new busybox install is causing orWall to crash? busybox seems to have fixed the init-script, right? And it also let me run a lot more binaries than before.
Or it could be related to my tethering settings? I'll just disable all tethering-related options and check first.
OK, every time I toggle "Enable LAN connections" in orWall now, it causes the app to stop working, but the setting seems to stick. I unticked all special network options I had ticked in orWall. Will reboot now.
Yep! That was the problem. Having "Enable LAN connections" ticked in orWall was causing it to crash on boot, requiring me to re-tick each app manually. Having it unticked and booting makes everything work fine! That option is now broken, though.
Hmm, should I close this issue then? I guess 0.20 works for me. I just have to look into the other things like tethering and LAN connections etc. I'll open an issue for the LAN connections option crash. Do people usually have busybox working on their phones? What if other people experience the problems I did because they don't have busybox? Should orWall need to check that or something? I really don't know why there was a 'busybox' file in /xbin/ and a lot of apps linked to that, but I didn't have the actual busybox installed?
I'll see what I can do regarding working busybox. A simple test in order to ensure exec exists and is executable should be enough.
https://github.com/EthACKdotOrg/orWall/issues/24#issuecomment-53198088 So I've been using 0.15 since, like I said, 0.16 and 0.17 would keep complaining about the bootup rules, and whether or not I chose 'dismiss' or 'apply bootup rules', nothing would work. The popup keeps coming even after reboots. I updated to 0.18 this morning, and same problem. It also seems to try doing a lot of things the first time I open it on each boot, because I get tons of Superuser popups for orWall, even if I choose to dismiss the bootup rules popup, so I think it still tries something.
Samsung Galaxy S4 (GT-I9505) Android 4.3 (CyanogenMod 10.2) orWall 0.18-beta
iptables -vnL
iptables -vnL -t nat
(How do I use spoiler boxes?)