celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0
2.82k stars 143 forks

Show popular System Components by default #1167

Open ignoramous opened 9 months ago

ignoramous commented 9 months ago

These are part of some 7 hardcoded names in pcapdroid (ref). Rethink uses names for some 100+ such components (not just 7) as defined in AOSP (ref). These are shown only when any of these components try to establish a connection.

ex: GPS, MDNSR, DNS, ANDROID

Originally posted by @ignoramous in https://github.com/celzero/rethink-app/issues/1163#issuecomment-1861120103

anpic commented 9 months ago

And why not make it possible to add simply by all UID numbers?

anpic commented 9 months ago

Although, of course, if there is also a text name then it will be even more convenient. This is an obvious thing.

anpic commented 9 months ago

But something else is still extremely unclear. Here you have added these uids. But this is of no use if Rethink doesn't track the connections created on their behalf.

ignoramous commented 9 months ago

Rethink doesn't track the connections created on their behalf.

Rethink does.

And why not make it possible to add simply by all UID numbers?

Wasteful since those UIDs never connect. We'll see if we can add them in a separate UI that doesn't meddle with user-installed apps. Showing 100+ UIDs which aren't "apps" would cause confusion.

But something else is still extremely unclear.

What's really unclear is, you going off about binaries and yet you aren't sharing any screen grabs from pcapdroid blocking those.

anpic commented 9 months ago

Rethink does.

Your readings change every day ;) I will also ask here: can you finally explain how exactly you technically filter any uids? How is this done in PCAPdroid docs. You provided links to the source of PCAPdroid, but stubbornly not on your source code ;)

Wasteful

I have a feeling that either no one understands what a firewall is, or no one wants to develop firewalls not for stupid users. Even AFWall, which is barely supported, has profiles. This allows to transfer settings between devices and pre-install the necessary block and white app lists. And change the lists by events or for other reasons through intents or automators.

Showing 100+ UIDs which aren't "apps" would cause confusion.

So make additional settings to enable features that are understandable and necessary for professionals. But so far, I have a feeling that you, significantly more than Emanuele, are counting on attractiveness for stupid users. And in addition, you are also trying to confuse users with non-obvious settings and missing documentation. But as I understand it, your favorite company and role model is Google. And then your approaches are clear :)

What's really unclear is, you going off about binaries and yet you aren't sharing any screen grabs from pcapdroid blocking those.

I would have shown it and I am still ready, but you are clearly showing me by your actions: we are the masters here, you will spend your time discussing it, and we will do whatever we want with this discussion ;) I want to hear at least some specifics from you first. If you are the kind of specialists you pretend to be. And moreover, so far it looks like you are not even trying to conduct full-fledged testing of your so-called firewall. And then there will be no less specifics from me, do not doubt ;)

ignoramous commented 8 months ago

will also ask here: can you finally explain how exactly you technically filter any uids?

How this is done is present in the rethink-app's readme since 2020.

I have a feeling that either no one understands what a firewall is

Sure.

And in addition, you are also trying to confuse users with non-obvious settings and missing documentation.

Okay.

I would have shown it and I am still ready

I'm ready. Go ahead.

anpic commented 8 months ago

How this is done is present in the rethink-app's readme since 2020.

If that's what you mean https://github.com/celzero/rethink-app/blob/main/README.md#firewall It's just a set of phrases and not a professional explanation. Here is an example of a professional explanation with technical details https://emanuele-f.github.io/PCAPdroid/quick_start#14-packet-analysis This allows to immediately understand how the firewall works. You have everything hidden behind common sets of phrases. And considering how you conduct these discussions, I'm sure that this was done on purpose.

I'm ready. Go ahead.

So you're not telling me any technical details and you want me to spend my time putting together my technical details? So far, I see that you are ready to hide behind meaningless words, hide discussions and so on ;) So far, I see that you don't want to create a full-fledged firewall but only want to attract the masses of stupid users. And why is this a separate question. Otherwise, it's impossible to explain why people who want to create a full-fledged firewall hide the technical details of their own opensource development so much. Here Emanuele doesn't hide and makes detailed documentation. I wonder to what heights his firewall would rise if he were given your human and monetary resources ;)

ignoramous commented 8 months ago

I wonder to what heights his firewall would rise if he were given your human and monetary resources ;)

Since last month, it costs $16k per month to run Rethink. That's $182k per year.

[Screenshot]

This allows to immediately understand how the firewall works.

No docs until we hit v1. It isn't priority.

It's just a set of phrases and not a professional explanation

The code and pointers in the readme are sufficient for anyone to examine further.

So you're not telling me any technical details and you want me to spend my time putting together my technical details?

Nah, I'm asking for a screen grab showing that binaries are blocked by pcapdroid, so there's an incentive to do a deep dive.

anpic commented 8 months ago

Since last month, it costs $16k per month to run Rethink. That's $182k per year.

Nothing, you find funds for hosting in Google, and you will find the rest. After all, fat projects always have sponsors, don't they?

so there's an incentive to do a deep dive

Well, let's look at this further deep dive ;) These are connections from /system/bin/ping under root and without. The result is the same :) It's funny that your highest qualifications and a few minutes of time for tests were not found for this ;) But why test, compare, and write documentation if you need to spend time on attractive headlines, websites, and PR :(

[Screenshot]

anpic commented 8 months ago

And yes, it doesn't matter to me what is written there is Unknown and not some uid: the main thing is the desired result of blocking. If you can show Rethink result better and more clearly then it will be more interesting ;)

ignoramous commented 8 months ago

After all, fat projects always have sponsors, don't they?

Sure. It is only $180k a year, after all. Very easy to find sponsors.

These are connections from /system/bin/ping under root and without. The result is the same :

No. That screenshot isn't showing you connections from /system/bin/ping "binary". It is merely pointing out that ICMP echo requests (also called ping) were sent by an Unknown app. Rethink supports ICMPv4 and should show similar log as pcapdroid does. ICMPv6 in Rethink doesn't yet work for reasons we don't fully know yet.

anpic commented 8 months ago

Very easy to find sponsors.

You have access to a lot of information on user devices and you will find someone to sell it to ;)

No. That screenshot isn't showing you connections from /system/bin/ping "binary". It is merely pointing out that ICMP echo requests (also called ping) were sent by an Unknown app

I wrote about this a little bit above. In advance. I don't care which uid is shown or not shown. The blocking result is important to me. Rethink doesn't have it at all.

Rethink supports ICMPv4 and should show similar log as pcapdroid does

Can I have a description of your tests with examples of your settings and the same screenshot? My tests have shown that Rethink allows a lot of connections into the network. While PCAPdroid on the same device doesn't miss anything. It's not difficult to show us your comparison.

ICMPv6 in Rethink doesn't yet work for reasons we don't fully know yet.

Pull this part out of PCAPdroid, too, that's all ;) Then it's funny that you're doing the same local MITM attack, but at the same time accusing Emanuele of not respecting the principles of Android. You are inferior to PCAPdroid in many components. But that's not the problem. After all, you have your own interesting settings. The problem is how you behave in this case. You avoid substantive discussions and answer any technical questions with general phrases. You don't need a working firewall with maximum protection, you need users. This is very revealing and makes think about your real goals.

ignoramous commented 8 months ago

You have access to a lot of information on user devices and you will find someone to sell it to ;)

If this project could make $180k per year from selling user data, every idiot, including those who know nothing about anything, would have cloned it by now.

don't care which uid is shown or not shown. The blocking result is important to me. Rethink doesn't have it at all.

It isn't that you don't care, you don't even know what you're talking about. You claimed pcapdroid blocked "binaries", and have nothing to show for it.

Besides, Rethink does show ICMPv4 echo (ping) requests.

As for blocking ICMP, it really doesn't make sense, because these are control messages, not data messages. Sometimes, these messages are important to the way underlying protocols like UDP and TCP work. Though, I understand why some might want to block deliberate pings from installed apps. Tracked here: https://github.com/celzero/rethink-app/issues/1170

Can I have a description of your tests with examples of your settings and the same screenshot?

Pull this part out of PCAPdroid, too, that's all ;)

pcapdroid isn't similar to Rethink in terms of implementation, at all.

Then it's funny that you're doing the same local MITM attack

At this point, I'm not sure what half of you write even means.

but at the same time accusing Emanuele of not respecting the principles of Android.

I didn't accuse anyone of anything. All I said, if anyone claims their userspace app can block ALL traffic on Android, then they don't understand Android or are ignorant of its internals. I linked to sources in my previous comment, and I'm sure you read them all, and understood it all.

You are inferior to PCAPdroid in many components.

Rethink isn't similar to pcapdroid, at all. Not implementation wise and not functionality wise, even if there are overlaps.

It's not difficult to show us your comparison

As for authoring a comparison, I invite you or anyone to do so. And publish your results. Thanks in advance.

anpic commented 8 months ago

would have cloned it by now.

With all the infrastructure for $180k? And with fixes for all your binary backdoors on your own? ;) You see, I didn't mean to offend you in any way initially, but the way you ignore any details about your implementation makes you think about the worst. Because it's like your entire source code is open, and you have nothing to hide. And you are not even able to explain the general concept of your connection filtering. In all issues, you respond with banal phrases at the schoolboy level ;)

you don't even know what you're talking about.

:)

You claimed pcapdroid blocked "binaries", and have nothing to show for it.

Connections from binaries ;) You really wanted a screenshot, and when it appeared, it turned out again that it didn't mean anything :)

Check Network Log UI in Rethink, and you should see ICMP requests logged there

And why do you need termux? Everything should work through adb without third shell terminals as well. But my tests showed leaks with default Rethink settings.

pcapdroid isn't similar to Rethink in terms of implementation, at all

Considering how carefully you evade specific discussions of the details of your implementation, there are justified doubts about all your words. If you are the developer of this implementation, at all ;)

Rethink isn't similar to pcapdroid, at all. Not implementation wise and not functionality wise, even if there are overlaps.

And at the same time, is your implementation done with all due respect to Android API?

As for authoring a comparison, I invite you or anyone to do so. And publish your results. Thanks in advance.

Do I understand correctly that you are not testing your own product at all? And others should do it for you? ;)

ignoramous commented 8 months ago

And you are not even able to explain the general concept of your connection filtering

As pointed out before, it is explained in the readmes of firestack and rethink-app.

You really wanted a screenshot, and when it appeared, it turned out again that it didn't mean anything

Yes, those pings are ICMP echo control messages coming from "Unknown" apps, not the ping binary.

But my tests showed leaks with default Rethink settings.

Steps to reproduce these leaks, please? I'll see if these are fixable. If you can't, that's okay too.

anpic commented 8 months ago

As pointed out before, it is explained in the readmes of firestack and rethink-app.

Well, yes, it's all written there. With a link to another resource, it sends to another one. Those are still on the other. How convenient. But nowhere is it described in detail exactly how your implementation works. Specifically for Android. But for some reason, when you take the code from Marcel's NetGuard, you don't give the same detailed manuals as him. Anyway, you are still conducting a local MITM attack on connections by redirecting them from local VpnService to local Tun2Socks server.

Yes, those pings are ICMP echo control messages coming from "Unknown" apps, not the ping binary.

But PCAPdroid blocks these packets in Whitelist mode by default but Rethink doesn't. PCAPdroid does the same connection tracking via /proc/net/* That's why your attempts to blame Emanuele for doing something wrong are funny. Moreover, PCAPdroid shows not only the connections themselves but also their payloads. But I agree that your variant is more scalable with the possibility of proxying other VPN connections. It's strange that you don't have the support of Shadowsocks with the support of Tun2Socks. After all, the core from go-shadowsocks2 is used inside tun2socks.

Steps to reproduce these leaks, please?

1) enable Rethink and Rethink as Always-on VPN
2) /system/bin/ping 8.8.8.8 under root and without
3) there are indeed ICMP connections in the logs but how do I enable the whitelist mode to block all traffic by default?

ignoramous commented 8 months ago

But for some reason, when you take the code from Marcel's NetGuard, you don't give the same detailed manuals as him.

We don't.

Anyway, you are still conducting a local MITM attack on connections by redirecting them from local VpnService to local Tun2Socks server.

That's not what "MiTM attack" means.

It's strange that you don't have the support of Shadowsocks with the support of Tun2Socks. After all, the core from go-shadowsocks2 is used inside tun2socks.

tun2socks and shadowsocks aren't the same thing. The impl for shadowsocks is tracked here: #37

but how do I enable the whitelist mode to block all traffic by default?

As mentioned elsewhere, blocking such user-initiated ICMP requests is tracked here: #1170

That's why your attempts to blame Emanuele for doing something wrong are funny.

My point was, if anyone claims a userspace app can block ALL traffic on Android, then they're ignorant of how Android works. Nothing to do with /proc/net/* or whatever.

Moreover, PCAPdroid shows not only the connections themselves but also their payloads.

As before, Rethink does not aim for feature parity with pcapdroid.

anpic commented 8 months ago

That's not what "MiTM attack" means.

Okay, so PCAPdroid can't do anything like that either :)

My point was, if anyone claims a userspace app can block ALL traffic on Android, then they're ignorant of how Android works

Yes, this is a difficult question. And the question of what can freely pass through Android VpnService is also open. And therefore, the issue of PCAPdroid firewall operation in the root mode is being additionally worked out. But you're ignoring a simpler question again. How do I turn on the whitelist mode quickly in Rethink? I turn on this mode in PCAPdroid and get no traffic, and with verification through external monitoring. You have a lot of settings but the user cannot simply configure the firewall in whitelist mode.

As before, Rethink does not aim for feature parity with pcapdroid.

And don't. But so far it seems that you are not going to make a full-fledged firewall, although you are focusing media attention on this particular feature. At the same time, PCAPdroid which focuses on completely different features shows excellent results in this component as well.

anpic commented 8 months ago

How do I turn on the whitelist mode quickly in Rethink?

You only had to tell me about two settings:
Block when source app is unknown
Block all except bypassed apps and IPs
And almost everything starts to block properly. Sometimes it feels like you have nothing to do with Rethink ;)
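
The UID attribution and whitelist decision debated in this thread, as an added example that is not code from Rethink or PCAPdroid: it resolves a flow to its owning UID from a `/proc/net/tcp`-style table, labels it, and applies two switches modelled on the setting names in the last comment. The sample table is constructed, the UID names are a small subset of the AOSP list, and the switch semantics in `decide` are an assumption.

```python
import ipaddress
import struct

# Constructed sample in /proc/net/tcp layout (IPv4 addresses are little-endian hex).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0F02000A:C350 08080808:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 40001
   1: 0F02000A:C351 01010101:0035 01 00000000:00000000 00:00000000 00000000  1051        0 40002
   2: 0F02000A:C352 04040808:01BB 01 00000000:00000000 00:00000000 00000000  1021        0 40003
"""

# A few system UIDs as named in AOSP's android_filesystem_config.h (subset, assumed here).
SYSTEM_UID_NAMES = {0: "ROOT", 1000: "SYSTEM", 1020: "MDNSR",
                    1021: "GPS", 1051: "DNS", 2000: "SHELL"}


def _endpoint(hexpair):
    """Decode 'AABBCCDD:PPPP' into (dotted_ip, port)."""
    addr_hex, port_hex = hexpair.split(":")
    ip = ipaddress.IPv4Address(struct.pack("<I", int(addr_hex, 16)))
    return str(ip), int(port_hex, 16)


def parse_socket_table(text):
    """Map (local_ip, local_port, remote_ip, remote_port) -> owning UID."""
    owners = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue  # malformed or truncated row
        owners[_endpoint(fields[1]) + _endpoint(fields[2])] = int(fields[7])
    return owners


def owner_label(uid):
    """Name shown in a connection log: component name, raw UID, or Unknown."""
    if uid is None:
        return "Unknown"
    return SYSTEM_UID_NAMES.get(uid, f"uid:{uid}")


def decide(flow, owners, bypassed_uids,
           block_unknown=True, block_all_except_bypassed=True):
    """Return (label, verdict) for one flow. Assumed semantics, not Rethink's."""
    uid = owners.get(flow)
    if uid is None:
        # No socket-table entry for the flow, so no UID to match rules against.
        return owner_label(uid), "block" if block_unknown else "allow"
    if block_all_except_bypassed and uid not in bypassed_uids:
        return owner_label(uid), "block"
    return owner_label(uid), "allow"
```

A flow with no entry in the table can only be handled by the unknown-source switch, since there is no UID to compare against the bypass list.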