celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0

Optionally block inbound traffic when firewall / proxy is on #1509

Open freebrowser1 opened 3 weeks ago

freebrowser1 commented 3 weeks ago

I tested using a wireguard client in Rethink and the firewall enabled, which works awesome! But I can still port scan my device within the same wifi network. The ports are still using nmap -v -Pn IP (i.e. cannot ssh into my cellphone) but they are still visible. Is it possible to fully block incoming traffic with an option?

ignoramous commented 3 weeks ago

From prior experiments, Android did not let VPN apps control ingress. My guess is, you'd need root to do so.

I'll take another look though.

freebrowser1 commented 3 weeks ago

From prior experiments, Android did not let VPN apps control ingress. My guess is, you'd need root to do so.

I'll take another look though.

Well, some commercial VPN apps (I have PIA VPN) do have incoming traffic blocking. And, no, they don't need root.

ignoramous commented 3 weeks ago

Well, some commercial VPN apps (I have PIA VPN) do have incoming traffic blocking

I looked in PIA's Android codebases (1, 2) but I don't spot any special handling to block ingress.

What is the setting called? Can you share a screenshot of it? I installed the app, but it won't go past the first screen without registration.

freebrowser1 commented 2 weeks ago

Here: Settings => Networks => Allow LAN traffic => OFF. I tested it and could not access my cell phone anymore over LAN/Wifi as long as this (LAN) was disabled and PIA VPN was on.

[Two screenshots attached: "Screenshot 2024-06-06 at 13 34 39" and "Screenshot 2024-06-06 at 13 34 29"]

ignoramous commented 2 weeks ago

Allow LAN traffic

Turning it ON does the same thing as Rethink does with Do not route Private IPs turned ON.

I've looked for hours, and it isn't clear how PIA blocks incoming LAN traffic, if at all.

freebrowser1 commented 2 weeks ago

Indeed, when using a VPN, local inbound traffic is 'filtered'. I did the test with Rethink, PIA VPN and the OpenVPN app on my cellphone, all three with the same results: they all do block incoming traffic.

armemac.local:~/scratch % ping nothingphone.local
PING nothingphone.local (192.168.0.9): 56 data bytes
64 bytes from 192.168.0.9: icmp_seq=0 ttl=64 time=32.871 ms
64 bytes from 192.168.0.9: icmp_seq=1 ttl=64 time=55.708 ms
64 bytes from 192.168.0.9: icmp_seq=2 ttl=64 time=73.471 ms
^C
--- nothingphone.local ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss

Ping works normally, but


Completed Connect Scan at 18:16, 2.09s elapsed (1000 total ports)
Nmap scan report for nothingphone.local (192.168.0.9)
Host is up (0.0050s latency).
Other addresses for nothingphone.local (not scanned): fe80::b668:13d1:3203:b70a
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE    SERVICE
5555/tcp open     freeciv
8022/tcp filtered oa-system
8080/tcp filtered http-proxy
8443/tcp filtered https-alt

Read data files from: /Users/klaas/homebrew/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.13 seconds
armemac.local:~/scratch % ssh -p 8022 192.168.0.9

All open ports to LAN are filtered now and cannot be approached: http(s) and ssh access to the phone is blocked and does not proceed, as if it did not exist. The ssh command therefore did not respond at all, which it does without VPN. When turning off the VPN, inbound access via ssh or http(s) (or any other, if applicable) resumes. I also saw that adb (port 5555) remains open, but that is only when USB debugging and wifi adb are enabled.

So all three VPNs work correctly with the VPN on (e.g. in a public wifi), apart from the ability to ping the device.
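A small check for the comparison described in this post, added here as an example and not code from the thread or the rethink-app project: it parses two nmap connect-scan reports of the same phone (a constructed "VPN off" scan and the "VPN on" scan pasted above) and lists which listening ports the VPN actually shields from the LAN and which, like adb on 5555/tcp, stay reachable.

```python
"""Diff two nmap connect-scan reports of one host to see what a VPN's inbound
blocking changed.  Added example; SCAN_VPN_OFF is constructed, SCAN_VPN_ON is
the report pasted in the issue."""
import re

# One row of nmap's port table, e.g. "8022/tcp filtered oa-system".
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)

SCAN_VPN_OFF = """\
PORT     STATE SERVICE
5555/tcp open  freeciv
8022/tcp open  oa-system
8080/tcp open  http-proxy
8443/tcp open  https-alt
"""

SCAN_VPN_ON = """\
Nmap scan report for nothingphone.local (192.168.0.9)
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE    SERVICE
5555/tcp open     freeciv
8022/tcp filtered oa-system
8080/tcp filtered http-proxy
8443/tcp filtered https-alt
"""


def parse_nmap_ports(report: str) -> dict:
    """Return {"8022/tcp": ("filtered", "oa-system"), ...} for one report."""
    return {f"{p}/{proto}": (state, svc)
            for p, proto, state, svc in PORT_LINE.findall(report)}


def inbound_exposure_diff(scan_off: str, scan_on: str) -> dict:
    """Classify every port seen in either scan by what the VPN did to it.

    still_open   - reachable from the LAN with the VPN on (not shielded)
    now_filtered - open without the VPN, filtered with it (shielded)
    other        - any other state change (new port, closed -> filtered, ...)
    """
    before, after = parse_nmap_ports(scan_off), parse_nmap_ports(scan_on)
    result = {"still_open": [], "now_filtered": [], "other": []}
    for port in sorted(set(before) | set(after), key=lambda s: int(s.split("/")[0])):
        b = before.get(port, ("closed", "?"))[0]   # absent from a report = closed
        a = after.get(port, ("closed", "?"))[0]
        if a == "open":
            result["still_open"].append(port)
        elif b == "open" and a == "filtered":
            result["now_filtered"].append(port)
        elif b != a:
            result["other"].append(port)
    return result


if __name__ == "__main__":
    print(inbound_exposure_diff(SCAN_VPN_OFF, SCAN_VPN_ON))
```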

Lanius-collaris commented 2 weeks ago

@freebrowser1 How do you know that a VPN app was blocking incoming traffic? Blocking outgoing traffic can also prevent a program from completing a handshake. Could you try adb shell ip route get 192.168.0.1?

freebrowser1 commented 2 weeks ago

@freebrowser1 How do you know that a VPN app was blocking incoming traffic? Blocking outgoing traffic can also prevent a program from completing a handshake. Could you try adb shell ip route get 192.168.0.1?

I tried this with the correct IP addresses when PIA was enabled. I tried from computer to phone and the other way around. Both worked, just like ping or nmap. But making an SSH connection or HTTP connection into my cellphone did not work as long as the VPN was enabled (my cellphone has a web server and an ssh server in it). When I disconnect the VPN, these connections work again. Conclusion: the real connect is indeed blocked.