skullone / android_firewall

This is a fork of Droidwall by Rodrigo Zechin Rosauro - http://code.google.com/p/droidwall/

Applications can bypass firewall on startup #71

Closed malfunctioning closed 10 years ago

malfunctioning commented 10 years ago

I have noticed that my News and Weather Home widget retrieves information from the network on startup. I suppose this has to do more with the Android startup process. It would seem rational to wait for iptables to be up before starting any other processes.

Do you know of any way this can be achieved? It looks like a big security problem with any applications that are set to execute on startup. The workaround would be to disconnect from the network before shutting down/rebooting and make sure autoconnect is off. A general mechanism to control the startup process would be much better.

Thank you for Android Firewall, by the way.

skullone commented 10 years ago

To correct this you need an init.d script (and a kernel that supports init.d) that runs these iptables commands:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

I have looked into adding this to AF in the past but since a kernel supporting it is needed I felt like it would be more pain for me (due to users who don't understand and devices with kernels that do not support init.d) than useful.

Perhaps I will revisit this though in a future build.

malfunctioning commented 10 years ago

I see, thank you for your prompt response.

I will look into this. I am running CM 10.1.2, and I am not sure if this is supported by the default kernel.

Regards.

malfunctioning commented 10 years ago

I just wanted to let you know what worked for me in CM 10.1.2.

I added a script to /data/local/userinit.d/ using the approach you suggested. That indeed blocked all traffic, but the problem is that Android Firewall apparently doesn't change the policies (just the rules), so unless you flush iptables manually, traffic is not restored for any application.

What I did is add this script (/data/local/userinit.d/00iptables):

#!/system/bin/sh

iptables -N droidwall
iptables -I OUTPUT 1 -j droidwall -p all -s 0.0.0.0/0 -d 0.0.0.0/0
iptables -I droidwall 1 -j DROP -p all -s 0.0.0.0/0 -d 0.0.0.0/0

This works just fine, the way I intended it.

By the way, there are still a few UDP packets from the 1000 pid (Android System) which seem to be "dialing home". I see the droidwall chain rules provide for UDP traffic for pid 0 and 1000. What's the purpose of that?

Thanks.
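The boot-time lockdown described in the comment above, written as an added example (not code from this thread or from Android Firewall): the script is idempotent across reboots, and a second function checks `iptables -S` output to confirm the lockdown is actually in place before the app installs its own rules. It assumes the chain name `droidwall` and the `iptables -S` output format; the sample output in the test is constructed.

```shell
#!/system/bin/sh
# Added example for /data/local/userinit.d/00iptables (not the project's code).
# Chain name is an assumption matching the thread; override with CHAIN=...
CHAIN=${CHAIN:-droidwall}

# Emit the commands that put the device into lockdown at boot.
# Delete-then-insert keeps this idempotent: a second run (or a kernel that
# re-executes userinit.d) does not stack duplicate jump rules in OUTPUT.
lockdown_commands() {
    cat <<EOF
iptables -N $CHAIN 2>/dev/null
iptables -F $CHAIN
iptables -D OUTPUT -j $CHAIN 2>/dev/null
iptables -I OUTPUT 1 -j $CHAIN
iptables -A $CHAIN -j DROP
EOF
}

# Read 'iptables -S' output on stdin and return 0 only if:
#   1. the FIRST rule in OUTPUT jumps to the firewall chain (anything
#      inserted above it would bypass the lockdown), and
#   2. the chain itself ends traffic with an unconditional DROP.
verify_lockdown() {
    awk -v chain="$CHAIN" '
        $1 == "-A" && $2 == "OUTPUT" {
            n++
            if (n == 1 && $3 == "-j" && $4 == chain) first_is_jump = 1
        }
        $1 == "-A" && $2 == chain && $3 == "-j" && $4 == "DROP" { has_drop = 1 }
        END { exit !(first_is_jump && has_drop) }
    '
}

# Usage: "00iptables print" to review the commands, "00iptables apply" to run
# them (needs root), "00iptables check" to audit the live ruleset.
case "${1:-}" in
    print) lockdown_commands ;;
    apply) lockdown_commands | sh ;;
    check) iptables -S | verify_lockdown && echo "lockdown active" ;;
esac
```

Running `00iptables check` after Android Firewall has started should fail, because the app rewrites the chain with its allow rules; that is the expected hand-over from boot lockdown to the configured policy.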

rmack commented 10 years ago

Has anyone tested putting your device in airplane mode while rebooting? This might have the same impact as setting up iptables within init.d? If someone else has tested this please let me know and then I will not have to, thank you.

malfunctioning commented 10 years ago

The UDP rules I mentioned before are for DNS and NTP, so it seems OK.

@rmack: Yes, that's an obvious workaround, but it isn't elegant. Ideally you wouldn't have to do that.