Open Tanzin01 opened 2 years ago
Same here. I always have a notification saying that SwiftKey was denied internet n times, which is nice, but after I open the keyboard I can download themes and languages. It is alarming that the keyboard sent all my passwords and typing habits to Microsoft.
Android 12, Pixel 6 Pro. Version 3.5.2.1 from F-Droid, and I didn't change any settings or upgrade the system since it worked last time.
I can confirm this is happening on Android 11 (LineageOS) as well. Also using version 3.5.2.1 from F-Droid. It's not just through PCap, but I see it on my network logs as well that it's successfully making external calls for these apps, so AFWall is definitely not blocking them like it should be.
In my case, it seems to only be for apps making an initial call. So if I remove an app from being allowed any kind of access, it typically makes an initial DNS request (which correctly forwards to my private DNS through the custom AFWall rules), and then throws an error after saying it's offline. That request does go through the network router though, so my guess is the initial calls are making it through or something and then being blocked after? Not sure I understand how that can happen, but I hope that helps debugging.
EDIT: I'm guessing it's related to this guy here:

```
Chain afwall-wifi-wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   744 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
```

It appears port 53 is just RETURNed by default instead of only being allowed for specific apps. Is there a reason for this, or should I just delete these 2 rules through extra custom rules (removing them fails, since they probably come AFTER the custom scripts)? I see something about "making a hole" when Private DNS is not disabled; however, I do have it disabled on my phone, so I'm going to take a wild guess that this check isn't valid in Android 11+ or something (it's actually set to "off" on my phone, so not sure if the value changed): https://github.com/ukanth/afwall/blob/beta/app/src/main/java/dev/ukanth/ufirewall/Api.java#L850
Not sure why the 443 calls are being accepted above, but I'd suggest looking at the "Show rules" part of the app and seeing if you see anything like this in afwall-wifi-wan, @Tanzin01 - maybe that'll give us an idea of what's going on :thinking:

@Tanzin01 can you post the results from the following (run in Termux or through adb as root): `iptables-save`

Or, can you see if the following Custom Rules work?

"Enter custom script below."

```
iptables -I OUTPUT -p udp -m udp ! --dport 53 -m owner --uid-owner 0 -j DROP
iptables -I OUTPUT -p tcp -m tcp ! --dport 53 -m owner --uid-owner 0 -j DROP
```

"Custom shutdown script"

```
iptables -D OUTPUT -p udp -m udp ! --dport 53 -m owner --uid-owner 0 -j DROP
iptables -D OUTPUT -p tcp -m tcp ! --dport 53 -m owner --uid-owner 0 -j DROP
```

This should force the firewall to drop all OUTPUT packets that are root (0) except the DNS requests (unless someone comes back to say my post is a bug instead of intended behavior these days)... These custom rules may be a good workaround for what you're seeing, but I'm not 100% sure they'll work in your case. Seeing `iptables-save` could definitely help troubleshoot.
Sorry for the late reply. I'm not very active on GitHub/email. I saw your comments some time ago but was not on my stock ROM. Yesterday I reverted back to the stock ROM.
Here is the `iptables-save` output:

```
*security
:INPUT ACCEPT [21761:12192938]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19236:1915623]
COMMIT
*raw
:PREROUTING ACCEPT [21900:12199744]
:OUTPUT ACCEPT [20056:1956110]
:bw_raw_PREROUTING - [0:0]
:clat_raw_PREROUTING - [0:0]
:idletimer_raw_PREROUTING - [0:0]
:tetherctrl_raw_PREROUTING - [0:0]
-A PREROUTING -j clat_raw_PREROUTING
-A PREROUTING -j bw_raw_PREROUTING
-A PREROUTING -j idletimer_raw_PREROUTING
-A PREROUTING -j tetherctrl_raw_PREROUTING
-A bw_raw_PREROUTING -i ipsec+ -j RETURN
-A bw_raw_PREROUTING -m policy --dir in --pol ipsec -j RETURN
-A bw_raw_PREROUTING -m bpf --object-pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
-A idletimer_raw_PREROUTING -i wlan0 -j IDLETIMER --timeout 15 --label 1 --send_nl_msg 1
COMMIT
*nat
:PREROUTING ACCEPT [155:8905]
:INPUT ACCEPT [14:1443]
:OUTPUT ACCEPT [469:133528]
:POSTROUTING ACCEPT [466:133293]
:oem_epdg_nat_POSTROUTING - [0:0]
:oem_nat_pre - [0:0]
:tetherctrl_nat_POSTROUTING - [0:0]
-A PREROUTING -j oem_nat_pre
-A POSTROUTING -j oem_epdg_nat_POSTROUTING
-A POSTROUTING -j tetherctrl_nat_POSTROUTING
COMMIT
*mangle
:PREROUTING ACCEPT [21900:12199744]
:INPUT ACCEPT [21761:12192938]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20056:1956110]
:POSTROUTING ACCEPT [19236:1915623]
:bw_mangle_POSTROUTING - [0:0]
:idletimer_mangle_POSTROUTING - [0:0]
:oem_epdg_mangle_OUTPUT - [0:0]
:oem_mangle_post - [0:0]
:oem_mangle_pre - [0:0]
:routectrl_mangle_INPUT - [0:0]
:tetherctrl_mangle_FORWARD - [0:0]
:wakeupctrl_mangle_INPUT - [0:0]
-A PREROUTING -j oem_mangle_pre
-A INPUT -j wakeupctrl_mangle_INPUT
-A INPUT -j routectrl_mangle_INPUT
-A FORWARD -j tetherctrl_mangle_FORWARD
-A OUTPUT -j oem_epdg_mangle_OUTPUT
-A POSTROUTING -j oem_mangle_post
-A POSTROUTING -j bw_mangle_POSTROUTING
-A POSTROUTING -j idletimer_mangle_POSTROUTING
-A bw_mangle_POSTROUTING -o ipsec+ -j RETURN
-A bw_mangle_POSTROUTING -m policy --dir out --pol ipsec -j RETURN
-A bw_mangle_POSTROUTING -j MARK --set-xmark 0x0/0x100000
-A bw_mangle_POSTROUTING -m bpf --object-pinned /sys/fs/bpf/prog_netd_skfilter_egress_xtbpf
-A idletimer_mangle_POSTROUTING -o wlan0 -j IDLETIMER --timeout 15 --label 1 --send_nl_msg 1
-A routectrl_mangle_INPUT -i wlan0 -j MARK --set-xmark 0x30064/0xffefffff
-A tetherctrl_mangle_FORWARD -p tcp -m tcp --tcp-flags SYN SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*filter
:INPUT ACCEPT [2385:2090273]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2159:250076]
:afwall - [0:0]
:afwall-3g - [0:0]
:afwall-3g-fork - [0:0]
:afwall-3g-home - [0:0]
:afwall-3g-postcustom - [0:0]
:afwall-3g-roam - [0:0]
:afwall-3g-tether - [0:0]
:afwall-input - [0:0]
:afwall-reject - [0:0]
:afwall-tether - [0:0]
:afwall-tor - [0:0]
:afwall-tor-reject - [0:0]
:afwall-vpn - [0:0]
:afwall-wifi - [0:0]
:afwall-wifi-fork - [0:0]
:afwall-wifi-lan - [0:0]
:afwall-wifi-postcustom - [0:0]
:afwall-wifi-tether - [0:0]
:afwall-wifi-wan - [0:0]
:bw_FORWARD - [0:0]
:bw_INPUT - [0:0]
:bw_OUTPUT - [0:0]
:bw_costly_shared - [0:0]
:bw_data_saver - [0:0]
:bw_global_alert - [0:0]
:bw_happy_box - [0:0]
:bw_penalty_box - [0:0]
:fw_FORWARD - [0:0]
:fw_INPUT - [0:0]
:fw_OUTPUT - [0:0]
:oem_cta_all - [0:0]
:oem_cta_mobile - [0:0]
:oem_data - [0:0]
:oem_fwd - [0:0]
:oem_in - [0:0]
:oem_out - [0:0]
:oem_priot - [0:0]
:oem_priou - [0:0]
:st_OUTPUT - [0:0]
:st_clear_caught - [0:0]
:st_clear_detect - [0:0]
:st_penalty_log - [0:0]
:st_penalty_reject - [0:0]
:tetherctrl_FORWARD - [0:0]
:tetherctrl_counters - [0:0]
-A INPUT -j bw_INPUT
-A INPUT -j fw_INPUT
-A INPUT -j oem_in
-A FORWARD -j oem_fwd
-A FORWARD -j fw_FORWARD
-A FORWARD -j bw_FORWARD
-A FORWARD -j tetherctrl_FORWARD
-A OUTPUT -j afwall
-A OUTPUT -j oem_out
-A OUTPUT -j fw_OUTPUT
-A OUTPUT -j st_OUTPUT
-A OUTPUT -j bw_OUTPUT
-A afwall -o eth+ -j afwall-wifi
-A afwall -o wlan+ -j afwall-wifi
-A afwall -o tiwlan+ -j afwall-wifi
-A afwall -o ra+ -j afwall-wifi
-A afwall -o bnep+ -j afwall-wifi
-A afwall -o rmnet+ -j afwall-3g
-A afwall -o pdp+ -j afwall-3g
-A afwall -o uwbr+ -j afwall-3g
-A afwall -o wimax+ -j afwall-3g
-A afwall -o vsnet+ -j afwall-3g
-A afwall -o rmnet_sdio+ -j afwall-3g
-A afwall -o ccmni+ -j afwall-3g
-A afwall -o qmi+ -j afwall-3g
-A afwall -o svnet0+ -j afwall-3g
-A afwall -o ccemni+ -j afwall-3g
-A afwall -o wwan+ -j afwall-3g
-A afwall -o cdma_rmnet+ -j afwall-3g
-A afwall -o clat4+ -j afwall-3g
-A afwall -o cc2mni+ -j afwall-3g
-A afwall -o bond1+ -j afwall-3g
-A afwall -o rmnet_smux+ -j afwall-3g
-A afwall -o ccinet+ -j afwall-3g
-A afwall -o v4-rmnet+ -j afwall-3g
-A afwall -o seth_w+ -j afwall-3g
-A afwall -o v4-rmnet_data+ -j afwall-3g
-A afwall -o rmnet_ipa+ -j afwall-3g
-A afwall -o rmnet_data+ -j afwall-3g
-A afwall -o r_rmnet_data+ -j afwall-3g
-A afwall-3g -j afwall-3g-postcustom
-A afwall-3g-fork -j afwall-3g-home
-A afwall-3g-home -p udp -m udp --dport 53 -j RETURN
-A afwall-3g-home -p tcp -m tcp --dport 53 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10062 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10176 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10177 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10178 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10182 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10186 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10188 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10193 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10196 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10198 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10204 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10207 -j RETURN
-A afwall-3g-home -p udp -m udp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-3g-home -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-3g-home -j afwall-reject
-A afwall-3g-postcustom -j afwall-3g-fork
-A afwall-3g-roam -p udp -m udp --dport 53 -j RETURN
-A afwall-3g-roam -p tcp -m tcp --dport 53 -j RETURN
-A afwall-3g-roam -p udp -m udp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-3g-roam -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-3g-roam -j afwall-reject
-A afwall-3g-tether -j afwall-3g-fork
-A afwall-reject -j NFLOG --nflog-prefix "{AFL}" --nflog-group 40
-A afwall-reject -j REJECT --reject-with icmp-port-unreachable
-A afwall-tether -p udp -m udp --dport 53 -j RETURN
-A afwall-tether -p tcp -m tcp --dport 53 -j RETURN
-A afwall-tether -p udp -m udp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-tether -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-tether -j afwall-reject
-A afwall-vpn -p udp -m udp --dport 53 -j RETURN
-A afwall-vpn -p tcp -m tcp --dport 53 -j RETURN
-A afwall-vpn -p udp -m udp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-vpn -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-vpn -j afwall-reject
-A afwall-wifi -j afwall-wifi-postcustom
-A afwall-wifi-fork -d 192.168.0.0/24 -j afwall-wifi-lan
-A afwall-wifi-fork ! -d 192.168.0.0/24 -j afwall-wifi-wan
-A afwall-wifi-lan -p udp -m udp --dport 53 -j RETURN
-A afwall-wifi-lan -p tcp -m tcp --dport 53 -j RETURN
-A afwall-wifi-lan -p udp -m udp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-wifi-lan -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-wifi-lan -j afwall-reject
-A afwall-wifi-postcustom -m owner --uid-owner 1014 -j RETURN
-A afwall-wifi-postcustom -m owner --uid-owner 1010 -j RETURN
-A afwall-wifi-postcustom -j afwall-wifi-fork
-A afwall-wifi-tether -j afwall-wifi-fork
-A afwall-wifi-wan -p udp -m udp --dport 53 -j RETURN
-A afwall-wifi-wan -p tcp -m tcp --dport 53 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10062 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10176 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10177 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10178 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10182 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10186 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10188 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10193 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10196 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10198 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10204 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10207 -j RETURN
-A afwall-wifi-wan -p udp -m udp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-wifi-wan -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-wifi-wan -j afwall-reject
-A bw_INPUT -j bw_global_alert
-A bw_INPUT -p esp -j RETURN
-A bw_INPUT -m mark --mark 0x100000/0x100000 -j RETURN
-A bw_INPUT -j MARK --set-xmark 0x100000/0x100000
-A bw_OUTPUT -j bw_global_alert
-A bw_OUTPUT -o ipsec+ -j RETURN
-A bw_OUTPUT -m policy --dir out --pol ipsec -j RETURN
-A bw_costly_shared -j bw_penalty_box
-A bw_data_saver -j RETURN
-A bw_global_alert -m quota2 ! --name globalAlert --quota 2097152
-A bw_happy_box -m bpf --object-pinned /sys/fs/bpf/prog_netd_skfilter_whitelist_xtbpf -j RETURN
-A bw_happy_box -j bw_data_saver
-A bw_penalty_box -m bpf --object-pinned /sys/fs/bpf/prog_netd_skfilter_blacklist_xtbpf -j REJECT --reject-with icmp-port-unreachable
-A bw_penalty_box -j bw_happy_box
-A oem_data -j oem_priou
-A oem_data -j oem_priot
-A oem_out -o ppp+ -j oem_cta_mobile
-A oem_out -o ccmni+ -j oem_cta_mobile
-A oem_out -o ccemni+ -j oem_cta_mobile
-A oem_out -o usb+ -j oem_cta_mobile
-A oem_out -o cc2mni+ -j oem_cta_mobile
-A oem_out -j oem_cta_all
-A oem_out -j oem_data
-A st_clear_detect -m connmark --mark 0x2000000/0x2000000 -j REJECT --reject-with icmp-port-unreachable
-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN
-A st_clear_detect -p tcp -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0xffff0000=0x16030000&&0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x4&0xff0000=0x10000" -j CONNMARK --set-xmark 0x1000000/0x1000000
-A st_clear_detect -p udp -m u32 --u32 "0x0>>0x16&0x3c@0x8&0xffff0000=0x16fe0000&&0x0>>0x16&0x3c@0x14&0xff0000=0x10000" -j CONNMARK --set-xmark 0x1000000/0x1000000
-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN
-A st_clear_detect -p tcp -m state --state ESTABLISHED -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0x0=0x0" -j st_clear_caught
-A st_clear_detect -p udp -j st_clear_caught
-A st_penalty_log -j CONNMARK --set-xmark 0x1000000/0x1000000
-A st_penalty_log -j NFLOG
-A st_penalty_reject -j CONNMARK --set-xmark 0x2000000/0x2000000
-A st_penalty_reject -j NFLOG
-A st_penalty_reject -j REJECT --reject-with icmp-port-unreachable
-A tetherctrl_FORWARD -j DROP
COMMIT
```
Hope it helps :)
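Added example, not AFWall's code and not posted by anyone in this thread: a POSIX sh/awk audit that runs over an iptables-save dump like the one above. It does the two things the discussion turns on: it lists the chains where port 53 is RETURNed with no owner match (the "hole" that lets every UID, whitelisted or not, reach a resolver on that interface), and it walks one chain with first-match semantics so you can see which rule a packet from a given UID, protocol and destination port hits. The sample dump is constructed: it copies a few lines of the afwall-wifi-wan chain from the dump above, adds a hypothetical afwall-vpn variant where only root has the port-53 RETURN, and shows OUTPUT as iptables-save would render it after the workaround rules suggested earlier in the thread had been inserted with -I. Only the matchers AFWall emits in these chains are understood (-p, optionally negated --dport, -m owner --uid-owner, -j); interface and -d matches are ignored.

```shell
#!/bin/sh
# Added example (not AFWall's own code): audit an iptables-save dump for the
# unconditional port-53 RETURN rules discussed in this thread, and simulate
# first-match traversal of a single chain.

# Constructed sample. afwall-wifi-wan copies lines from the dump posted in the
# thread; afwall-vpn is a hypothetical variant with a root-only DNS hole; OUTPUT
# shows the thread's workaround rules as iptables-save renders them after -I.
SAMPLE='*filter
:OUTPUT ACCEPT [0:0]
:afwall-wifi-wan - [0:0]
:afwall-vpn - [0:0]
-A OUTPUT -p udp -m udp ! --dport 53 -m owner --uid-owner 0 -j DROP
-A OUTPUT -p tcp -m tcp ! --dport 53 -m owner --uid-owner 0 -j DROP
-A OUTPUT -j afwall
-A afwall-wifi-wan -p udp -m udp --dport 53 -j RETURN
-A afwall-wifi-wan -p tcp -m tcp --dport 53 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10062 -j RETURN
-A afwall-wifi-wan -p udp -m udp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-wifi-wan -j afwall-reject
-A afwall-vpn -p udp -m udp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-vpn -j afwall-reject
COMMIT'

# Print "chain proto" for every rule that RETURNs --dport 53 traffic without an
# owner match: on that chain any UID can reach port 53, whitelisted or not.
find_dns_holes() {
    printf '%s\n' "$1" | awk '
        /^-A / && /--dport 53/ && / -j RETURN$/ && !/-m owner/ {
            proto = ""
            for (i = 1; i <= NF; i++) if ($i == "-p") proto = $(i + 1)
            print $2, proto
        }'
}

# Print the target of the first rule in chain $2 that matches a packet from
# uid $3, protocol $4, destination port $5: RETURN, DROP, or the chain it jumps
# to. Prints nothing when no rule matches, i.e. the chain policy would apply.
first_match() {
    printf '%s\n' "$1" | awk -v chain="$2" -v uid="$3" -v proto="$4" -v dport="$5" '
        $1 == "-A" && $2 == chain {
            p = ""; d = ""; dneg = 0; u = ""; target = ""; neg = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "!") { neg = 1; continue }   # "! --dport N" negates the next match
                if ($i == "-p") p = $(i + 1)
                else if ($i == "--dport") { d = $(i + 1); dneg = neg }
                else if ($i == "--uid-owner") u = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                neg = 0
            }
            pok = (p == "" || p == proto)
            dok = (d == "") ? 1 : ((d == dport) != dneg)
            uok = (u == "" || u == uid)
            if (pok && dok && uok) { print target; exit }
        }'
}

# Usage from a rooted shell (Termux or adb): dump the live rules and audit them.
#   iptables-save > /sdcard/ipt.txt
#   find_dns_holes "$(cat /sdcard/ipt.txt)"
#   first_match "$(cat /sdcard/ipt.txt)" afwall-wifi-wan 0 tcp 443
find_dns_holes "$SAMPLE"
first_match "$SAMPLE" afwall-wifi-wan 0 udp 53
first_match "$SAMPLE" afwall-wifi-wan 0 tcp 443
first_match "$SAMPLE" OUTPUT 0 tcp 443
```

On the constructed sample, `find_dns_holes` reports only afwall-wifi-wan (afwall-vpn's RETURN carries an owner match), a root DNS query on afwall-wifi-wan lands on the first RETURN rather than on the uid-0 rule further down, root to 443 on that chain falls through to afwall-reject, and with the workaround rules in OUTPUT root's non-DNS traffic is DROPped before it ever reaches the afwall chain while a whitelisted UID such as 10062 passes straight through to it.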
Describe the bug
"root" application is connecting to the internet even though I have not allowed it.

Firewall Logs
Please get the log from Menu -> Show Rules -> (menu) Export to storage and attach it here
IPv4rules.log

I'm using an app called PCAPdroid to monitor the network. On Android 10. AFWall version 3.5.2.1.

Screenshots