jianlinwei / droidwall

Automatically exported from code.google.com/p/droidwall

Rules not taking effect under ICS #222

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Set mode to blacklist
2. Select apps to block, enable firewall & apply rules
3. Run blocked apps

What is the expected output? What do you see instead?
Block not taking effect; ads still showing in them

What version of the product are you using? On what operating system?
1.5.7 on Ice Cream Sandwich

Please provide any additional information below.
droidwall chain must be INSERTED to beginning of OUTPUT chain to work, not 
ADDed to the end.

Original issue reported on code.google.com by buu...@gmail.com on 20 Dec 2011 at 12:22

GoogleCodeExporter commented 9 years ago
I can confirm I've issues with ads coming through on newly installed (blocked) 
apps.
Also blocking the standard browser does not work, it still reaches the internet 
without issues.

I don't think this was the case on 3.0, now I've 4.0.3 (rooted official image)
I've not investigated on the rules yet but I think there might be an issue.

Original comment by nol...@gmail.com on 21 Dec 2011 at 9:31

GoogleCodeExporter commented 9 years ago
Interesting... I use ICS 4.0.3 on my Nexus S and it works perfectly. I will 
investigate

Original comment by rodrigo...@gmail.com on 21 Dec 2011 at 11:52

GoogleCodeExporter commented 9 years ago
I also have avast mobile beta, which has a firewall, though this is not related to 
droidwall. Droidwall and avast both don't seem to work after applying rules. Is 
this somehow related?

Original comment by ftpkal...@gmail.com on 21 Dec 2011 at 5:55

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
The problem seems to be related to "Set mobile data limit" setting. Enabling 
this option will allow internet access to all applications regardless of the 
Droid Wall settings. Disabling it will restore Droid Wall functionality. The 
issue is not related to Droid Wall, the same thing happens with Avast.

Original comment by mih...@gmail.com on 24 Dec 2011 at 9:32

GoogleCodeExporter commented 9 years ago
I would like to see Droidwall able to work with ICS mobile data limit. I would 
attempt this myself but I never properly learned Java programming, but I do 
know iptables rules (no pun intended).

Attached are a few dumps of iptables on my Galaxy Nexus. I restricted background 
data on two apps, hence contents in penalty box. 

"neat" is with both droidwall and mobile data limit ("limit") disabled. 
"limit" is with only limit on. 
"droidwall" is with only droidwall on.
"droidwalllimit" is with both on.

The problem is with chain "costly_rmnet0" and how ICS handles it. In the main 
OUTPUT chain, rule to go there is second in position; that to droidwall is 
last. The "costly" rule has "goto" set, and with an ACCEPT rule at its end, 
means iptables stops parsing rules before reaching the droidwall chain. The 
simple way around is to insert droidwall's rule in position 1. This makes 
sense, as droidwall users will expect rules there to take precedence, having 
set them up themselves.

Original comment by buu...@gmail.com on 25 Dec 2011 at 5:21

GoogleCodeExporter commented 9 years ago
Another interesting note is that ICS always inserts the mobile data limit rules 
into position 2 of INPUT and OUTPUT chains. Usually the first rule is related 
to data usage warning. Looks like Google left a gap for us to put our own rules 
first. 

Original comment by buu...@gmail.com on 25 Dec 2011 at 5:32

GoogleCodeExporter commented 9 years ago
I had the same problem on my Nexus S with ICS but I have fixed it this way: 
http://blog.skyplabs.net/index.php/2011/12/29/probleme-dutilisation-de-droidwall-depuis-la-version-4-dandroid/

This article is in French (because it's my native language) but I think it's 
not too hard to understand with the screenshots and the code.

Original comment by skyper...@gmail.com on 29 Dec 2011 at 12:50

GoogleCodeExporter commented 9 years ago
Works for me :) galaxy nexus 4.0.2

Add two commands to custom script

$IPTABLES -D OUTPUT -j droidwall
$IPTABLES -I OUTPUT 2 -j droidwall

Original comment by datle...@gmail.com on 27 Mar 2012 at 11:44

GoogleCodeExporter commented 9 years ago
thanks guys...

Adding the two commands to the custom script works on Galaxy S2-ZSLPE

$IPTABLES -D OUTPUT -j droidwall
$IPTABLES -I OUTPUT 2 -j droidwall

Original comment by andrewke...@gmail.com on 28 Mar 2012 at 8:36

GoogleCodeExporter commented 9 years ago
DroidWall does not work for me at all with ICS (Android 4.0.3, SGS2).

Specifically, I block mobile data for the Play Store in DroidWall with and 
without the above custom script (and also LBE Privacy Guard, but this shouldn't 
interfere as it does not appear to use iptables).  Whether or not I also 
restrict mobile data via the system settings, the Play Store still loads its 
store frontend via mobile data.

Any ideas?

Original comment by mgoetze2...@gmail.com on 5 Apr 2012 at 7:58

GoogleCodeExporter commented 9 years ago
I am running ICS (ICSSGS ROM, Android 4.0.3, SGS GT-I9000)

The two lines of custom script worked fine for me. Sorry to pull out the basic
troubleshooting questions, but:

1) Did you double check to see if you made spelling errors in the custom script?
2) Is your droidwall enabled?
3) Did you accidentally tick the 'any' option under 3g in droidwall?
4) Is your droidwall set to whitelist or blacklist mode? Droidwall starts in 
whitelist mode (allow selected) by default, so ticking the store would grant it 
mobile access. This is displayed at the top of the screen beneath your 
droidwall version number.

On a side note, 'restrict mobile data' only disables background data for an 
app, so the store will still load normally when you open it, since that is 
foreground data usage.

Original comment by halfd...@gmail.com on 5 Apr 2012 at 8:08

GoogleCodeExporter commented 9 years ago
Thanks for the quick reply.  For the record, I'm using the Lite'ning ROM 2.6 
(w/4.0.3) on a GT-i9100.

1) Yes, of course.
2) Yes, of course.
3) No.
4) Black-list, with 3G ticked selectively for apps (and system components) I 
want to block from using mobile data.

I've meanwhile read that LBE Privacy Guard has recently switched its 
implementation to using iptables as well.  However, `iptables -L` listed only 
DroidWall rules, so I figure there shouldn't be a conflict.  I'll try disabling 
LBE temporarily and see whether this makes DroidWall's rules take effect.

Original comment by mgoetze2...@gmail.com on 5 Apr 2012 at 8:21

GoogleCodeExporter commented 9 years ago
Addendum: I've frozen LBE Privacy Guard, taking it out of the picture.  
Background data restriction is disabled in the system settings.  DroidWall is 
configured as before (black-list mode, disable 3G for the Play Store and 
various other apps and components).  The Play Store _still_ manages to load its 
frontend (previously unloaded pages to avoid being fooled by caching).

Original comment by mgoetze2...@gmail.com on 5 Apr 2012 at 8:25

GoogleCodeExporter commented 9 years ago
Sorry, drawing a blank here.

If you do find a solution though, please post it here. It would be interesting 
to see what it was in the end.

Original comment by halfd...@gmail.com on 5 Apr 2012 at 8:30

GoogleCodeExporter commented 9 years ago
$IPTABLES -D OUTPUT -j droidwall
$IPTABLES -I OUTPUT 2 -j droidwall

These 2 lines solved my problem in ICS 4.0.4 with Google Nexus. 
So it is the priority of droidwall's rule that is at fault. Would you update the app to 
resolve the issue? People don't like anything related to "script".

Original comment by huang3...@gmail.com on 13 Apr 2012 at 5:55

GoogleCodeExporter commented 9 years ago
Didn't work on 4.0.3 by adding these lines in custom script:
$IPTABLES -D OUTPUT -j droidwall
$IPTABLES -I OUTPUT 2 -j droidwall
Does anyone have a solution?
Thanks.

Original comment by flykak...@gmail.com on 13 Apr 2012 at 10:18

GoogleCodeExporter commented 9 years ago
The two lines work!
BUT you have to apply the rules at every boot of the phone.
We need a new version 100% compatible with ICS.

Original comment by andry23...@gmail.com on 2 May 2012 at 1:34

GoogleCodeExporter commented 9 years ago
If ticked limitation of mobile data in the data set used is not blocked even if 
the registered creaking, I turned off and everything was working

Original comment by devila...@gmail.com on 4 Jun 2012 at 1:53

GoogleCodeExporter commented 9 years ago
The two lines work!

Before adding the two lines, DroidWall only works for Wifi rather than Data.

Original comment by lica...@gmail.com on 13 Jun 2012 at 8:55

GoogleCodeExporter commented 9 years ago
I noticed that by changing the app permissions & giving it full permission, the 
rules are applied after re-booting; using xplore go to /root/mnt/asec/ and check 
for the apk file if installed on SD card or 
/root/system/app/com.googlecode.droidwall.free.apk if installed as a system app

Original comment by garen1...@gmail.com on 18 Jun 2012 at 2:10

GoogleCodeExporter commented 9 years ago
The two lines work. Only down side is when you reboot you have to manually 
re-apply droidwall rules.
Tried giving /data/app/com.googlecode.droiwall.free.apk full rights but it 
didn't work, still have to re-apply rules.

Original comment by emerso...@gmail.com on 11 Jul 2012 at 8:46

GoogleCodeExporter commented 9 years ago
So let me see if I understood correctly. Those 2 lines, I paste them into the 
custom script option?

Original comment by nmgmarq...@gmail.com on 16 Jul 2012 at 7:45

GoogleCodeExporter commented 9 years ago
Correct.

Original comment by halfd...@gmail.com on 16 Jul 2012 at 7:47

GoogleCodeExporter commented 9 years ago
Thanks, I just noticed the same behaviour on CM9.

Original comment by luot...@gmail.com on 19 Jul 2012 at 8:40

GoogleCodeExporter commented 9 years ago
The two work for me too 

Thanks guys, you just made my day

Original comment by omarc...@gmail.com on 25 Jul 2012 at 1:51

GoogleCodeExporter commented 9 years ago
Under ICS the two lines work fine!
But with Jelly Bean the two lines don't work!!!!

Original comment by andry23...@gmail.com on 30 Jul 2012 at 2:52

GoogleCodeExporter commented 9 years ago
On a RAZR XT910 ICS 4.0.4 The two lines didn't work :(

I tried this two options:

1. Create the .log file with the two lines

$IPTABLES -D OUTPUT -j droidwall
$IPTABLES -I OUTPUT 2 -j droidwall

on this route:
/mnt/sdcard/pmw/logs/dw3.log

And add the route into the Custom Script Option on Droidwall like this:
. /mnt/sdcard/pmw/logs/dw3.log

2. Just copy/paste the two lines into the Custom Script Option on Droidwall.

Neither one works. Any idea? 

Original comment by erkm...@gmail.com on 31 Jul 2012 at 6:42

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Samsung GALAXY Note 4.0.4 ICS with stock rom + speedmod kernel + rooted
By adding those two lines, it works after applying the new rules.

using DroidWall version 1.5.7
Both Wifi and 3G Data work

I just need to re-apply the firewall rules after each reboot.

Thank you!

Original comment by jackfun...@gmail.com on 8 Aug 2012 at 3:43

GoogleCodeExporter commented 9 years ago
I added the two lines and it doesn't work. I'm using 4.0.4.
Many people report that it works but I see the same behavior as before the 
lines were added. For the moment I'll have to disable data monitoring. It'll 
be great if droidwall could report data consumption so we don't have to rely on 
android. I don't know what's easier, make droidwall report data consumption or 
make it compatible with android's "firewall".

Original comment by fcastill...@gmail.com on 8 Aug 2012 at 6:11

GoogleCodeExporter commented 9 years ago
On a RAZR XT910 ICS 4.0.4 with the following one line DroidWall works (i.e. blocks 
internet via 3G):
iptables -A droidwall -j droidwall-3g -o qmi+
It is important that all letters (except "-A") be lower case.

Original comment by aak.rus@gmail.com on 15 Aug 2012 at 6:57

GoogleCodeExporter commented 9 years ago
For me the two lines do not work (2G/3G is not blocked, wifi works):
SGS2, CM9
but after disabling mobile data limitation, it works for 2G/3G as well!

Next I will try it without the "two lines", but just without mobile data limit...
Andreas

Original comment by aend...@gmail.com on 11 Sep 2012 at 10:29

GoogleCodeExporter commented 9 years ago
YES, I GOT THE PROBLEM NOW!
- droidwall is working well as long as data limitation is off.
- if droidwall is on, the two lines above (moving droidwall to position 2) 
solves the problem!
- but when mobile data is disconnected, the limiting firewall OUTPUT rule 
(costly_rmnet0) is removed... and when reconnecting (e.g. after WLAN is 
disabled) the costly_rmnet0 rule is reinserted to position 2, and droidwall is 
moved to position 3, and thus fails to filter 2G/3G data!
- reapplying the two lines above would help again, but this is not safe enough!

WORKAROUNDS:
1) switching off data limitation and inserting a script rule doing the same 
feature (copy the existing rule)
2) moving the today rule at position nr. 1 of the OUTPUT chain to the top of 
the droidwall chain and inserting the droidwall rule instead... then the data 
limit rule can be inserted/removed at position 2 and both should work

next, I will test 2), I let you know about the result :-)
Andreas

Original comment by aend...@gmail.com on 12 Sep 2012 at 5:15
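
An added example, not part of the thread and not DroidWall's own code: a toy Python model of iptables rule traversal that reproduces both the ordering problem described in the 25 Dec 2011 comment (a `goto` into `costly_rmnet0`, which ends in ACCEPT, is evaluated before the `droidwall` jump) and the reconnect behaviour reported in the comment above. The rule contents, the `warning` chain name and UID 10050 are constructed for illustration; only the chain names `OUTPUT`, `costly_rmnet0` and `droidwall` come from the thread.

```python
"""Toy model of iptables rule traversal for the OUTPUT ordering problem."""
ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"

def verdict(chains, pkt, policy=ACCEPT):
    """Walk OUTPUT as netfilter does: -j pushes a return address, -g does not."""
    stack, chain, i = [], "OUTPUT", 0
    while True:
        if i >= len(chains[chain]):          # fell off the end of a chain
            if not stack:
                return policy                # nothing to return to: built-in policy
            chain, i = stack.pop()
            continue
        match, action, target = chains[chain][i]
        i += 1
        if any(pkt.get(k) != v for k, v in match.items()):
            continue                         # rule does not match this packet
        if target in (ACCEPT, DROP):
            return target                    # terminal verdict, traversal stops
        if target == RETURN:
            i = len(chains[chain])           # behave as if the chain had ended
            continue
        if action == "jump":
            stack.append((chain, i))         # remember where to resume
        chain, i = target, 0                 # goto: no return address saved

# Constructed rules; 10050 is a made-up UID of a blacklisted app.
WARNING = ({}, "jump", "warning")                       # stand-in for the data usage warning rule
COSTLY = ({"oif": "rmnet0"}, "goto", "costly_rmnet0")   # ICS mobile data limit rule
DROIDWALL = ({}, "jump", "droidwall")

def ruleset(output):
    return {"OUTPUT": list(output), "warning": [],
            "costly_rmnet0": [({}, "jump", ACCEPT)],        # ACCEPT at its end, as reported
            "droidwall": [({"uid": 10050}, "jump", DROP)]}  # DROP stands in for DroidWall's reject

def reconnect(chains):
    """Mobile data drops and returns: the limit rule is removed, then re-inserted at position 2."""
    out = [r for r in chains["OUTPUT"] if r is not COSTLY]
    out.insert(1, COSTLY)
    chains["OUTPUT"] = out
    return chains

def blocked(chains, oif):
    return verdict(chains, {"uid": 10050, "oif": oif}) == DROP

appended = ruleset([WARNING, COSTLY, DROIDWALL])    # droidwall jump added last
two_lines = ruleset([WARNING, DROIDWALL, COSTLY])   # after -D and -I OUTPUT 2
first = ruleset([DROIDWALL, WARNING, COSTLY])       # after -I OUTPUT 1
```

In this model the position 2 insert blocks mobile traffic only until the limit rule is re-inserted, while a jump at position 1 keeps filtering across reconnects.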

GoogleCodeExporter commented 9 years ago
@ Andreas / everyone
I don’t understand the steps of n° 1. Can you tell me step-by-step what 
I’ve to do?

Original comment by andry23...@gmail.com on 5 Nov 2012 at 10:02

GoogleCodeExporter commented 9 years ago
Since Jelly Bean (4.1.2 in my case), the $IPTABLES shell variable provided by 
Droidwall doesn't seem to be valid. Consequently, I've updated my script:

http://blog.skyplabs.net/index.php/2011/12/29/probleme-dutilisation-de-droidwall-depuis-la-version-4-dandroid/

It works perfectly for me, again.

Original comment by skyper...@gmail.com on 16 Nov 2012 at 12:50

GoogleCodeExporter commented 9 years ago
iptables -A droidwall -j droidwall-3g -o qmi+

RAZR XT910 ICS 4.0.4 Solved my problem. Thanks aak.rus@gmail.com

Original comment by AlmarA...@gmail.com on 11 Feb 2013 at 3:37

GoogleCodeExporter commented 9 years ago
There is a properly maintained fork of Droidwall, which supports ICS+:
https://play.google.com/store/apps/details?id=com.jtschohl.androidfirewall&hl=en
https://github.com/skullone/android_firewall

Original comment by dmitriy.trt on 11 Feb 2013 at 8:32

GoogleCodeExporter commented 9 years ago
@ #39, 

I've installed "android firewall" by jtschohl, but this has the same problem.

Original comment by lolhui...@gmail.com on 19 Feb 2013 at 11:14

GoogleCodeExporter commented 9 years ago
OK, added

$IPTABLES -D OUTPUT -j droidwall
$IPTABLES -I OUTPUT 2 -j droidwall

to the custom script on "android firewall", now it works, WHILE data limit is 
active

Original comment by lolhui...@gmail.com on 19 Feb 2013 at 11:19