Mobile Data Limit bypassing AF rules on some devices

skullone commented 11 years ago

Currently investigating reports of this issue. Mobile Data limit does not break my Galaxy Nexus (toro) so further information is needed.

mikeymcmikenson commented 11 years ago

Mobile Data Limit breaks the AFon my Droid Razr Maxx running rooted stock 4.0.4. Turning off Mobile Data Limit re-enables firewall after I re-"apply rules" in AF

skullone commented 11 years ago

Mikey,

I need some extra information from you.

Install terminal emulator if you don't already have it. You can get it off the Play Store here: https://play.google.com/store/apps/details?id=jackpal.androidterm
Disable Mobile Data Limit.
Enable the firewall. 4 Open terminal emulator.
Type su and hit enter. Terminal emulator will ask for root access. Grant it root access.
type iptables -L and hit enter. Send me that output. Terminal Emulator has the ability to send that information through e-mail.
Enable Mobile Data Limit.
Repeat step 6.

Thanks!

-Jason

On Wed, Jan 16, 2013 at 11:00 PM, mikeymcmikenson notifications@github.comwrote:

Mobile Data Limit breaks the AFon my Droid Razr Maxx running rooted stock 4.0.4. Turning off Mobile Data Limit re-enables firewall after I re-"apply rules" in AF

— Reply to this email directly or view it on GitHubhttps://github.com/skullone/android_firewall/issues/9#issuecomment-12353547.

mikeymcmikenson commented 11 years ago

Jason,

Here you go. The first iptables is without mobile data little enabled and the second is with mobile data limit enabled.

Mike

Qapp_210@cdma_spyder:/ $ su root@cdma_spyder:/ # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination all -- anywhere anywhere ! quota globalAlert: 2097152 bytes ACCEPT all -- anywhere anywhere all -- anywhere anywhere owner socket exists

Chain FORWARD (policy DROP) target prot opt source destination oem_fwd all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT) target prot opt source destination all -- anywhere anywhere ! quota globalAlert: 2097152 bytes oem_out all -- anywhere anywhere ACCEPT all -- anywhere anywhere all -- anywhere anywhere owner socket exists droidwall all -- anywhere anywhere

Chain costly_shared (0 references) target prot opt source destination penalty_box all -- anywhere anywhere all -- anywhere anywhere owner socket exists ACCEPT all -- anywhere anywhere

Chain droidwall (1 references) target prot opt source destination FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456 RETURN udp -- anywhere anywhere owner UID match root udp dpt:domain droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere

Chain droidwall-3g (17 references) target prot opt source droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere destination anywhere owner UID match app_109 anywhere owner UID match app_154 anywhere owner UID match app_94 anywhere owner UID match app_95 anywhere owner UID match app_55 anywhere owner UID match app_92 anywhere owner UID match app_210 anywhere owner UID match app_192 anywhere owner UID match app_204 anywhere owner UID match app_197 anywhere owner UID match app_84 anywhere owner UID match app_201 anywhere owner UID match app_75 anywhere owner UID match app_52 anywhere owner UID match app_53 anywhere owner UID match app_168 anywhere owner UID match app_161 anywhere owner UID match app_17 anywhere owner UID match app_110 anywhere owner UID match app_163 anywhere owner UID match app_80 anywhere owner UID match app_165 anywhere owner UID match app_120 anywhere owner UID match app_164 anywhere owner UID match app_200 anywhere owner UID match app_31 anywhere owner UID match app_68 anywhere owner UID match app_134

Chain droidwall-reject (55 references) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain droidwall-wifi (6 references) target prot opt source destination droidwall-reject all -- anywhere anywhere owner UID match app_134 droidwall-reject all -- anywhere anywhere owner UID match app_68 droidwall-reject all -- anywhere anywhere owner UID match app_31 droidwall-reject all -- anywhere anywhere owner UID match app_200 droidwall-reject all -- anywhere anywhere owner UID match app_164 droidwall-reject all -- anywhere anywhere owner UID match app_120 droidwall-reject all -- anywhere anywhere owner UID match app_165 droidwall-reject all -- anywhere anywhere owner UID match app_80 droidwall-reject all -- anywhere anywhere owner UID match app_163 droidwall-reject all -- anywhere anywhere owner UID match app_17 droidwall-reject all -- anywhere anywhere owner UID match app_161 droidwall-reject all -- anywhere anywhere owner UID match app_168 droidwall-reject all -- anywhere anywhere owner UID match app_53 droidwall-reject all -- anywhere anywhere owner UID match app_52 droidwall-reject all -- anywhere anywhere owner UID match app_75 droidwall-reject all -- anywhere anywhere owner UID match app_201 droidwall-reject all -- anywhere anywhere owner UID match app_84 droidwall-reject all -- anywhere anywhere owner UID match app_197 droidwall-reject all -- anywhere anywhere owner UID match app_204 droidwall-reject all -- anywhere anywhere owner UID match app_192 droidwall-reject all -- anywhere anywhere owner UID match app_210 droidwall-reject all -- anywhere anywhere owner UID match app_92 droidwall-reject all -- anywhere anywhere owner UID match app_55 droidwall-reject all -- anywhere anywhere owner UID match app_95 droidwall-reject all -- anywhere anywhere owner UID match app_94 droidwall-reject all -- anywhere anywhere owner UID match app_154 droidwall-reject all -- anywhere anywhere owner UID match app_109

Chain oem_fwd (1 references) target prot opt source destination FIX ME! implement getnetbyaddr() bionic/libc/bionic/stubs.c:444 REJECT all -- anywhere 192.168.157.2 reject-with icmp-port-unreachable

Chain oem_out (1 references) target prot opt source destination FIX ME! implement getnetbyaddr() bionic/libc/bionic/stubs.c:444 oem_out_wrigley all -- anywhere 192.168.157.2

Chain oem_out_wrigley (1 references) target prot opt source destination FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456 oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:3265 FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456 oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:3267 FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456 oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:11000 oem_out_wrigley_other all -- anywhere anywhere

Chain oem_out_wrigley_other (1 references) target prot opt source destination ACCEPT all -- anywhere anywhere owner UID match root ACCEPT all -- anywhere anywhere owner UID match radio ACCEPT all -- anywhere anywhere owner UID match log ACCEPT all -- anywhere anywhere owner UID match shell ACCEPT all -- anywhere anywhere owner UID match mot_tcmd REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain oem_out_wrigley_sens (3 references) target prot opt source destination ACCEPT all -- anywhere anywhere owner UID match root ACCEPT all -- anywhere anywhere owner UID match radio ACCEPT all -- anywhere anywhere owner UID match mot_tcmd REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain penalty_box (1 references) target prot opt source destination REJECT all -- anywhere anywhere owner UID match app_205 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_197 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_196 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_190 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_175 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_168 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_125 reject-with icmp-net-prohibited root@cdma_spyder:/ # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination all -- anywhere anywhere ! quota globalAlert: 2097152 bytes costly_rmnet1 all -- anywhere anywhere [goto] costly_rmnet0 all -- anywhere anywhere [goto] ACCEPT all -- anywhere anywhere all -- anywhere anywhere owner socket exists

Chain FORWARD (policy DROP) target prot opt source destination oem_fwd all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT) target prot opt source destination all -- anywhere anywhere ! quota globalAlert: 2097152 bytes costly_rmnet1 all -- anywhere anywhere [goto] costly_rmnet0 all -- anywhere anywhere [goto] oem_out all -- anywhere anywhere ACCEPT all -- anywhere anywhere all -- anywhere anywhere owner socket exists droidwall all -- anywhere anywhere

Chain costly_rmnet0 (2 references) target prot opt source destination REJECT all -- anywhere anywhere ! quota rmnet0: 3813511388 bytes reject-with icmp-net-prohibited penalty_box all -- anywhere anywhere all -- anywhere anywhere owner socket exists ACCEPT all -- anywhere anywhere

Chain costly_rmnet1 (2 references) target prot opt source destination REJECT all -- anywhere anywhere ! quota rmnet1: 3813511388 bytes reject-with icmp-net-prohibited penalty_box all -- anywhere anywhere all -- anywhere anywhere owner socket exists ACCEPT all -- anywhere anywhere

Chain costly_shared (0 references) target prot opt source destination penalty_box all -- anywhere anywhere all -- anywhere anywhere owner socket exists ACCEPT all -- anywhere anywhere

Chain droidwall (1 references) target prot opt source destination FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456 RETURN udp -- anywhere anywhere owner UID match root udp dpt:domain droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere

Chain droidwall-3g (17 references) target prot opt source destination droidwall-reject all -- anywhere anywhere owner UID match app_109 droidwall-reject all -- anywhere anywhere owner UID match app_154 droidwall-reject all -- anywhere anywhere owner UID match app_94 droidwall-reject all -- anywhere anywhere owner UID match app_95 droidwall-reject all -- anywhere anywhere owner UID match app_55 droidwall-reject all -- anywhere anywhere owner UID match app_92 droidwall-reject all -- anywhere anywhere owner UID match app_210 droidwall-reject all -- anywhere anywhere owner UID match app_192 droidwall-reject all -- anywhere anywhere owner UID match app_204 droidwall-reject all -- anywhere anywhere owner UID match app_197 droidwall-reject all -- anywhere anywhere owner UID match app_84 droidwall-reject all -- anywhere anywhere owner UID match app_201 droidwall-reject all -- anywhere anywhere owner UID match app_75 droidwall-reject all -- anywhere anywhere owner UID match app_52 droidwall-reject all -- anywhere anywhere owner UID match app_53 droidwall-reject all -- anywhere anywhere owner UID match app_168 droidwall-reject all -- anywhere anywhere owner UID match app_161 droidwall-reject all -- anywhere anywhere owner UID match app_17 droidwall-reject all -- anywhere anywhere owner UID match app_110 droidwall-reject all -- anywhere anywhere owner UID match app_163 droidwall-reject all -- anywhere anywhere owner UID match app_80 droidwall-reject all -- anywhere anywhere owner UID match app_165 droidwall-reject all -- anywhere anywhere owner UID match app_120 droidwall-reject all -- anywhere anywhere owner UID match app_164 droidwall-reject all -- anywhere anywhere owner UID match app_200 droidwall-reject all -- anywhere anywhere owner UID match app_31 droidwall-reject all -- anywhere anywhere owner UID match app_68 droidwall-reject all -- anywhere anywhere owner UID match app_134

Chain droidwall-reject (55 references) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain droidwall-wifi (6 references) target prot opt source destination droidwall-reject all -- anywhere anywhere owner UID match app_134 droidwall-reject all -- anywhere anywhere owner UID match app_68 droidwall-reject all -- anywhere anywhere owner UID match app_31 droidwall-reject all -- anywhere anywhere owner UID match app_200 droidwall-reject all -- anywhere anywhere owner UID match app_164 droidwall-reject all -- anywhere anywhere owner UID match app_120 droidwall-reject all -- anywhere anywhere owner UID match app_165 droidwall-reject all -- anywhere anywhere owner UID match app_80 droidwall-reject all -- anywhere anywhere owner UID match app_163 droidwall-reject all -- anywhere anywhere owner UID match app_17 droidwall-reject all -- anywhere anywhere owner UID match app_161 droidwall-reject all -- anywhere anywhere owner UID match app_168 droidwall-reject all -- anywhere anywhere owner UID match app_53 droidwall-reject all -- anywhere anywhere owner UID match app_52 droidwall-reject all -- anywhere anywhere owner UID match app_75 droidwall-reject all -- anywhere anywhere owner UID match app_201 droidwall-reject all -- anywhere anywhere owner UID match app_84 droidwall-reject all -- anywhere anywhere owner UID match app_197 droidwall-reject all -- anywhere anywhere owner UID match app_204 droidwall-reject all -- anywhere anywhere owner UID match app_192 droidwall-reject all -- anywhere anywhere owner UID match app_210 droidwall-reject all -- anywhere anywhere owner UID match app_92 droidwall-reject all -- anywhere anywhere owner UID match app_55 droidwall-reject all -- anywhere anywhere owner UID match app_95 droidwall-reject all -- anywhere anywhere owner UID match app_94 droidwall-reject all -- anywhere anywhere owner UID match app_154 droidwall-reject all -- anywhere anywhere owner UID match app_109

Chain oem_fwd (1 references) target prot opt source destination FIX ME! implement getnetbyaddr() bionic/libc/bionic/stubs.c:444 REJECT all -- anywhere 192.168.157.2 reject-with icmp-port-unreachable

Chain oem_out (1 references) target prot opt source destination FIX ME! implement getnetbyaddr() bionic/libc/bionic/stubs.c:444 oem_out_wrigley all -- anywhere 192.168.157.2

Chain oem_out_wrigley (1 references) target prot opt source destination FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456 oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:3265 FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456 oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:3267 FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456 oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:11000 oem_out_wrigley_other all -- anywhere anywhere

Chain oem_out_wrigley_other (1 references) target prot opt source destination ACCEPT all -- anywhere anywhere owner UID match root ACCEPT all -- anywhere anywhere owner UID match radio ACCEPT all -- anywhere anywhere owner UID match log ACCEPT all -- anywhere anywhere owner UID match shell ACCEPT all -- anywhere anywhere owner UID match mot_tcmd REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain oem_out_wrigley_sens (3 references) target prot opt source destination ACCEPT all -- anywhere anywhere owner UID match root ACCEPT all -- anywhere anywhere owner UID match radio ACCEPT all -- anywhere anywhere owner UID match mot_tcmd REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain penalty_box (3 references) target prot opt source destination REJECT all -- anywhere anywhere owner UID match app_205 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_197 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_196 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_190 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_175 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_168 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_125 reject-with icmp-net-prohibited root@cdma_spyder:/ #

-----Original Message-----

From: Jason Tschohl Sent: 17 Jan 2013 12:00:19 GMT To: skullone/android_firewall Cc: mikeymcmikenson Subject: Re: [android_firewall] Mobile Data Limit bypassing AF rules on some devices (#9)

Mikey,

I need some extra information from you.

Install terminal emulator if you don't already have it. You can get it off the Play Store here: https://play.google.com/store/apps/details?id=jackpal.androidterm
Disable Mobile Data Limit.
Enable the firewall. 4 Open terminal emulator.
Type su and hit enter. Terminal emulator will ask for root access. Grant it root access.
type iptables -L and hit enter. Send me that output. Terminal Emulator has the ability to send that information through e-mail.
Enable Mobile Data Limit.
Repeat step 6.

Thanks!

-Jason

On Wed, Jan 16, 2013 at 11:00 PM, mikeymcmikenson notifications@github.comwrote:

Mobile Data Limit breaks the AFon my Droid Razr Maxx running rooted stock 4.0.4. Turning off Mobile Data Limit re-enables firewall after I re-"apply rules" in AF

— Reply to this email directly or view it on GitHubhttps://github.com/skullone/android_firewall/issues/9#issuecomment-12353547.

Reply to this email directly or view it on GitHub: https://github.com/skullone/android_firewall/issues/9#issuecomment-12365118

skullone commented 11 years ago

Thanks Mikey. That's what I'm looking for.

Can you send me the output from this command as well? Same way you did the other one. So I need the data with the firewall enabled and data limit on and data limit off.

iptables --list OUTPUT --verbose

Thanks!

-Jason

On Sat, Jan 19, 2013 at 7:10 PM, mikeymcmikenson notifications@github.comwrote:

Jason,

Here you go. The first iptables is without mobile data little enabled and the second is with mobile data limit enabled.

Mike

Qapp_210@cdma_spyder:/ $ su root@cdma_spyder:/ # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination all -- anywhere anywhere ! quota globalAlert: 2097152 bytes ACCEPT all -- anywhere anywhere all -- anywhere anywhere owner socket exists

Chain FORWARD (policy DROP) target prot opt source destination oem_fwd all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT) target prot opt source destination all -- anywhere anywhere ! quota globalAlert: 2097152 bytes oem_out all -- anywhere anywhere ACCEPT all -- anywhere anywhere all -- anywhere anywhere owner socket exists droidwall all -- anywhere anywhere

Chain costly_shared (0 references) target prot opt source destination penalty_box all -- anywhere anywhere all -- anywhere anywhere owner socket exists ACCEPT all -- anywhere anywhere

Chain droidwall (1 references) target prot opt source destination FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456 RETURN udp -- anywhere anywhere owner UID match root udp dpt:domain droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere

Chain droidwall-3g (17 references) target prot opt source destination droidwall-reject all -- anywhere anywhere owner UID match app_109 droidwall-reject all -- anywhere anywhere owner UID match app_154 droidwall-reject all -- anywhere anywhere owner UID match app_94 droidwall-reject all -- anywhere anywhere owner UID match app_95 droidwall-reject all -- anywhere anywhere owner UID match app_55 droidwall-reject all -- anywhere anywhere owner UID match app_92 droidwall-reject all -- anywhere anywhere owner UID match app_210 droidwall-reject all -- anywhere anywhere owner UID match app_192 droidwall-reject all -- anywhere anywhere owner UID match app_204 droidwall-reject all -- anywhere anywhere owner UID match app_197 droidwall-reject all -- anywhere anywhere owner UID match app_84 droidwall-reject all -- anywhere anywhere owner UID match app_201 droidwall-reject all -- anywhere anywhere owner UID match app_75 droidwall-reject all -- anywhere anywhere owner UID match app_52 droidwall-reject all -- anywhere anywhere owner UID match app_53 droidwall-reject all -- anywhere anywhere owner UID match app_168 droidwall-reject all -- anywhere anywhere owner UID match app_161 droidwall-reject all -- anywhere anywhere owner UID match app_17 droidwall-reject all -- anywhere anywhere owner UID match app_110 droidwall-reject all -- anywhere anywhere owner UID match app_163 droidwall-reject all -- anywhere anywhere owner UID match app_80 droidwall-reject all -- anywhere anywhere owner UID match app_165 droidwall-reject all -- anywhere anywhere owner UID match app_120 droidwall-reject all -- anywhere anywhere owner UID match app_164 droidwall-reject all -- anywhere anywhere owner UID match app_200 droidwall-reject all -- anywhere anywhere owner UID match app_31 droidwall-reject all -- anywhere anywhere owner UID match app_68 droidwall-reject all -- anywhere anywhere owner UID match app_134

Chain droidwall-reject (55 references) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain droidwall-wifi (6 references) target prot opt source destination droidwall-reject all -- anywhere anywhere owner UID match app_134 droidwall-reject all -- anywhere anywhere owner UID match app_68 droidwall-reject all -- anywhere anywhere owner UID match app_31 droidwall-reject all -- anywhere anywhere owner UID match app_200 droidwall-reject all -- anywhere anywhere owner UID match app_164 droidwall-reject all -- anywhere anywhere owner UID match app_120 droidwall-reject all -- anywhere anywhere owner UID match app_165 droidwall-reject all -- anywhere anywhere owner UID match app_80 droidwall-reject all -- anywhere anywhere owner UID match app_163 droidwall-reject all -- anywhere anywhere owner UID match app_17 droidwall-reject all -- anywhere anywhere owner UID match app_161 droidwall-reject all -- anywhere anywhere owner UID match app_168 droidwall-reject all -- anywhere anywhere owner UID match app_53 droidwall-reject all -- anywhere anywhere owner UID match app_52 droidwall-reject all -- anywhere anywhere owner UID match app_75 droidwall-reject all -- anywhere anywhere owner UID match app_201 droidwall-reject all -- anywhere anywhere owner UID match app_84 droidwall-reject all -- anywhere anywhere owner UID match app_197 droidwall-reject all -- anywhere anywhere owner UID match app_204 droidwall-reject all -- anywhere anywhere owner UID match app_192 droidwall-reject all -- anywhere anywhere owner UID match app_210 droidwall-reject all -- anywhere anywhere owner UID match app_92 droidwall-reject all -- anywhere anywhere owner UID match app_55 droidwall-reject all -- anywhere anywhere owner UID match app_95 droidwall-reject all -- anywhere anywhere owner UID match app_94 droidwall-reject all -- anywhere anywhere owner UID match app_154 droidwall-reject all -- anywhere anywhere owner UID match app_109

Chain oem_fwd (1 references) target prot opt source destination FIX ME! implement getnetbyaddr() bionic/libc/bionic/stubs.c:444 REJECT all -- anywhere 192.168.157.2 reject-with icmp-port-unreachable

Chain oem_out (1 references) target prot opt source destination FIX ME! implement getnetbyaddr() bionic/libc/bionic/stubs.c:444 oem_out_wrigley all -- anywhere 192.168.157.2

Chain oem_out_wrigley (1 references) target prot opt source destination FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456 oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:3265 FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456 oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:3267 FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456 oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:11000 oem_out_wrigley_other all -- anywhere anywhere

Chain oem_out_wrigley_other (1 references) target prot opt source destination ACCEPT all -- anywhere anywhere owner UID match root ACCEPT all -- anywhere anywhere owner UID match radio ACCEPT all -- anywhere anywhere owner UID match log ACCEPT all -- anywhere anywhere owner UID match shell ACCEPT all -- anywhere anywhere owner UID match mot_tcmd REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain oem_out_wrigley_sens (3 references) target prot opt source destination ACCEPT all -- anywhere anywhere owner UID match root ACCEPT all -- anywhere anywhere owner UID match radio ACCEPT all -- anywhere anywhere owner UID match mot_tcmd REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain penalty_box (1 references) target prot opt source destination REJECT all -- anywhere anywhere owner UID match app_205 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_197 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_196 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_190 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_175 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_168 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_125 reject-with icmp-net-prohibited root@cdma_spyder:/ # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination all -- anywhere anywhere ! quota globalAlert: 2097152 bytes costly_rmnet1 all -- anywhere anywhere [goto] costly_rmnet0 all -- anywhere anywhere [goto] ACCEPT all -- anywhere anywhere all -- anywhere anywhere owner socket exists

Chain FORWARD (policy DROP) target prot opt source destination oem_fwd all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT) target prot opt source destination all -- anywhere anywhere ! quota globalAlert: 2097152 bytes costly_rmnet1 all -- anywhere anywhere [goto] costly_rmnet0 all -- anywhere anywhere [goto] oem_out all -- anywhere anywhere ACCEPT all -- anywhere anywhere all -- anywhere anywhere owner socket exists droidwall all -- anywhere anywhere

Chain costly_rmnet0 (2 references) target prot opt source destination REJECT all -- anywhere anywhere ! quota rmnet0: 3813511388 bytes reject-with icmp-net-prohibited penalty_box all -- anywhere anywhere all -- anywhere anywhere owner socket exists ACCEPT all -- anywhere anywhere

Chain costly_rmnet1 (2 references) target prot opt source destination REJECT all -- anywhere anywhere ! quota rmnet1: 3813511388 bytes reject-with icmp-net-prohibited penalty_box all -- anywhere anywhere all -- anywhere anywhere owner socket exists ACCEPT all -- anywhere anywhere

Chain costly_shared (0 references) target prot opt source destination penalty_box all -- anywhere anywhere all -- anywhere anywhere owner socket exists ACCEPT all -- anywhere anywhere

Chain droidwall (1 references) target prot opt source destination FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456 RETURN udp -- anywhere anywhere owner UID match root udp dpt:domain droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-3g all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere droidwall-wifi all -- anywhere anywhere

Chain droidwall-3g (17 references) target prot opt source destination droidwall-reject all -- anywhere anywhere owner UID match app_109 droidwall-reject all -- anywhere anywhere owner UID match app_154 droidwall-reject all -- anywhere anywhere owner UID match app_94 droidwall-reject all -- anywhere anywhere owner UID match app_95 droidwall-reject all -- anywhere anywhere owner UID match app_55 droidwall-reject all -- anywhere anywhere owner UID match app_92 droidwall-reject all -- anywhere anywhere owner UID match app_210 droidwall-reject all -- anywhere anywhere owner UID match app_192 droidwall-reject all -- anywhere anywhere owner UID match app_204 droidwall-reject all -- anywhere anywhere owner UID match app_197 droidwall-reject all -- anywhere anywhere owner UID match app_84 droidwall-reject all -- anywhere anywhere owner UID match app_201 droidwall-reject all -- anywhere anywhere owner UID match app_75 droidwall-reject all -- anywhere anywhere owner UID match app_52 droidwall-reject all -- anywhere anywhere owner UID match app_53 droidwall-reject all -- anywhere anywhere owner UID match app_168 droidwall-reject all -- anywhere anywhere owner UID match app_161 droidwall-reject all -- anywhere anywhere owner UID match app_17 droidwall-reject all -- anywhere anywhere owner UID match app_110 droidwall-reject all -- anywhere anywhere owner UID match app_163 droidwall-reject all -- anywhere anywhere owner UID match app_80 droidwall-reject all -- anywhere anywhere owner UID match app_165 droidwall-reject all -- anywhere anywhere owner UID match app_120 droidwall-reject all -- anywhere anywhere owner UID match app_164 droidwall-reject all -- anywhere anywhere owner UID match app_200 droidwall-reject all -- anywhere anywhere owner UID match app_31 droidwall-reject all -- anywhere anywhere owner UID match app_68 droidwall-reject all -- anywhere anywhere owner UID match app_134

Chain droidwall-reject (55 references) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain droidwall-wifi (6 references) target prot opt source destination droidwall-reject all -- anywhere anywhere owner UID match app_134 droidwall-reject all -- anywhere anywhere owner UID match app_68 droidwall-reject all -- anywhere anywhere owner UID match app_31 droidwall-reject all -- anywhere anywhere owner UID match app_200 droidwall-reject all -- anywhere anywhere owner UID match app_164 droidwall-reject all -- anywhere anywhere owner UID match app_120 droidwall-reject all -- anywhere anywhere owner UID match app_165 droidwall-reject all -- anywhere anywhere owner UID match app_80 droidwall-reject all -- anywhere anywhere owner UID match app_163 droidwall-reject all -- anywhere anywhere owner UID match app_17 droidwall-reject all -- anywhere anywhere owner UID match app_161 droidwall-reject all -- anywhere anywhere owner UID match app_168 droidwall-reject all -- anywhere anywhere owner UID match app_53 droidwall-reject all -- anywhere anywhere owner UID match app_52 droidwall-reject all -- anywhere anywhere owner UID match app_75 droidwall-reject all -- anywhere anywhere owner UID match app_201 droidwall-reject all -- anywhere anywhere owner UID match app_84 droidwall-reject all -- anywhere anywhere owner UID match app_197 droidwall-reject all -- anywhere anywhere owner UID match app_204 droidwall-reject all -- anywhere anywhere owner UID match app_192 droidwall-reject all -- anywhere anywhere owner UID match app_210 droidwall-reject all -- anywhere anywhere owner UID match app_92 droidwall-reject all -- anywhere anywhere owner UID match app_55 droidwall-reject all -- anywhere anywhere owner UID match app_95 droidwall-reject all -- anywhere anywhere owner UID match app_94 droidwall-reject all -- anywhere anywhere owner UID match app_154 droidwall-reject all -- anywhere anywhere owner UID match app_109

Chain oem_fwd (1 references) target prot opt source destination FIX ME! implement getnetbyaddr() bionic/libc/bionic/stubs.c:444 REJECT all -- anywhere 192.168.157.2 reject-with icmp-port-unreachable

Chain oem_out (1 references) target prot opt source destination FIX ME! implement getnetbyaddr() bionic/libc/bionic/stubs.c:444 oem_out_wrigley all -- anywhere 192.168.157.2

Chain oem_out_wrigley (1 references) target prot opt source destination FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456 oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:3265 FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456 oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:3267 FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456 oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:11000 oem_out_wrigley_other all -- anywhere anywhere

Chain oem_out_wrigley_other (1 references) target prot opt source destination ACCEPT all -- anywhere anywhere owner UID match root ACCEPT all -- anywhere anywhere owner UID match radio ACCEPT all -- anywhere anywhere owner UID match log ACCEPT all -- anywhere anywhere owner UID match shell ACCEPT all -- anywhere anywhere owner UID match mot_tcmd REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain oem_out_wrigley_sens (3 references) target prot opt source destination ACCEPT all -- anywhere anywhere owner UID match root ACCEPT all -- anywhere anywhere owner UID match radio ACCEPT all -- anywhere anywhere owner UID match mot_tcmd REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain penalty_box (3 references) target prot opt source destination REJECT all -- anywhere anywhere owner UID match app_205 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_197 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_196 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_190 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_175 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_168 reject-with icmp-net-prohibited REJECT all -- anywhere anywhere owner UID match app_125 reject-with icmp-net-prohibited root@cdma_spyder:/ #

-----Original Message-----

From: Jason Tschohl Sent: 17 Jan 2013 12:00:19 GMT To: skullone/android_firewall Cc: mikeymcmikenson Subject: Re: [android_firewall] Mobile Data Limit bypassing AF rules on some devices (#9)

Mikey,

I need some extra information from you.

Install terminal emulator if you don't already have it. You can get it off the Play Store here: https://play.google.com/store/apps/details?id=jackpal.androidterm

Disable Mobile Data Limit.

Enable the firewall. 4 Open terminal emulator.

Type su and hit enter. Terminal emulator will ask for root access. Grant it root access.

type iptables -L and hit enter. Send me that output. Terminal Emulator has the ability to send that information through e-mail.

Enable Mobile Data Limit.

Repeat step 6.

Thanks!

-Jason

On Wed, Jan 16, 2013 at 11:00 PM, mikeymcmikenson notifications@github.comwrote:

Mobile Data Limit breaks the AFon my Droid Razr Maxx running rooted stock 4.0.4. Turning off Mobile Data Limit re-enables firewall after I re-"apply rules" in AF

Reply to this email directly or view it on GitHub< https://github.com/skullone/android_firewall/issues/9#issuecomment-12353547>.

Reply to this email directly or view it on GitHub: https://github.com/skullone/android_firewall/issues/9#issuecomment-12365118

Reply to this email directly or view it on GitHubhttps://github.com/skullone/android_firewall/issues/9#issuecomment-12463630.

mikeymcmikenson commented 11 years ago

Mobile data limit on, then off: (ps this is a problem that has existed since droidwall. I checked it too)

app_210@cdma_spyder:/ $ su root@cdma_spyder:/ # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination all -- anywhere anywhere ! quota globalAlert: 2097152 bytes ACCEPT all -- anywhere anywhere all -- anywhere anywhere owner socket exists