ukanth / afwall

AFWall+ (Android Firewall +) - iptables based firewall for Android
GNU General Public License v3.0
2.81k stars, 453 forks

some apps are connecting to internet when they shouldn't [ISSUE] #1265

Open Tanzin01 opened 2 years ago

Tanzin01 commented 2 years ago

Describe the bug
"root" application is connecting to internet even though I have not allowed it.

Firewall Logs
Please get the log from Menu -> Show Rules -> (menu) Export to storage and attach it here
IPv4rules.log (attached)

I'm using an app called pcapdroid to monitor network. On Android 10. Afwall version 3.5.2.1.

Screenshots
Screenshot_20220129-021524, Screenshot_20220129-021414, Screenshot_20220129-025739 (attached images)

nugel commented 2 years ago

Same here. I always have a notification saying that Swiftkey was denied internet n times, which is nice but after I open the keyboard, I can download themes and languages. It is alarming that the keyboard sent all my passwords and typing habits to Microsoft.

Android 12, Pixel 6 Pro. Version 3.5.2.1 from F-Droid and I didn't change any settings or upgrade the system since it worked last time.

bugbountyguy commented 2 years ago

I can confirm this is happening on Android 11 (LineageOS) as well. Also using version 3.5.2.1 from F-Droid. It's not just through PCap, but I see it on my network logs as well that it's successfully making external calls for these apps, so AFWall is definitely not blocking them like it should be.

In my case, it seems to only be for apps making an initial call. So if I remove an app from being allowed any kind of access, it typically makes an initial DNS request (which correctly forwards to my private DNS through the custom AFWall rules), and then throws an error after saying it's offline. That request does go through the network router though, so my guess is the initial calls are making it through or something and then being blocked after? Not sure I understand how that can happen, but I hope that helps debugging.

EDIT: I'm guessing it's related to this guy here:

```
Chain afwall-wifi-wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   744 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
```

It appears port 53 is just returned by default instead of only allowed through specific apps. Is there a reason for this, or should I just delete these 2 rules through an extra custom rules (removing those fails since they prob come AFTER custom scripts)? I see something about "making a hole" when private dns is not disabled, however I do have it disabled on my phone, so I'm going to take a wild guess that this check isn't valid in android 11+ or something (it's actually set to "off" on my phone, so not sure if the value changed): https://github.com/ukanth/afwall/blob/beta/app/src/main/java/dev/ukanth/ufirewall/Api.java#L850

Not sure why the 443 calls are being accepted above, but I'd suggest looking at the 'show rules' part of the app and seeing if you see anything like this in afwall-wifi-wan, @Tanzin01 - maybe that'll give us an idea of what's going on :thinking:

bugbountyguy commented 2 years ago

@Tanzin01 can you post the results from the following (run in termux or through adb as root): `iptables-save`

Or, can you see if the following Custom Rules work? "Enter custom script below."

```
iptables -I OUTPUT -p udp -m udp ! --dport 53 -m owner --uid-owner 0 -j DROP
iptables -I OUTPUT -p tcp -m tcp ! --dport 53 -m owner --uid-owner 0 -j DROP
```

"Custom shutdown script"

```
iptables -D OUTPUT -p udp -m udp ! --dport 53 -m owner --uid-owner 0 -j DROP
iptables -D OUTPUT -p tcp -m tcp ! --dport 53 -m owner --uid-owner 0 -j DROP
```

This should force the firewall to drop all OUTPUT packets that are root (0) except the DNS requests (unless someone comes back to say my post is a bug instead of intended behavior these days)... These custom rules may be a good workaround for what you're seeing, but not 100% sure they'll work in your case. Seeing iptables-save could definitely help troubleshoot.

Tanzin01 commented 2 years ago

Sorry for the late reply. I'm not very active on github/email. Saw your comments some time ago but was not on my stock rom. Yesterday reverted back to stock rom.

Here is the iptables-save output:

```
# Generated by iptables-save v1.6.1 on Wed May 4 13:40:18 2022
*security
:INPUT ACCEPT [21761:12192938]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19236:1915623]
COMMIT
# Completed on Wed May 4 13:40:18 2022
# Generated by iptables-save v1.6.1 on Wed May 4 13:40:18 2022
*raw
:PREROUTING ACCEPT [21900:12199744]
:OUTPUT ACCEPT [20056:1956110]
:bw_raw_PREROUTING - [0:0]
:clat_raw_PREROUTING - [0:0]
:idletimer_raw_PREROUTING - [0:0]
:tetherctrl_raw_PREROUTING - [0:0]
-A PREROUTING -j clat_raw_PREROUTING
-A PREROUTING -j bw_raw_PREROUTING
-A PREROUTING -j idletimer_raw_PREROUTING
-A PREROUTING -j tetherctrl_raw_PREROUTING
-A bw_raw_PREROUTING -i ipsec+ -j RETURN
-A bw_raw_PREROUTING -m policy --dir in --pol ipsec -j RETURN
-A bw_raw_PREROUTING -m bpf --object-pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
-A idletimer_raw_PREROUTING -i wlan0 -j IDLETIMER --timeout 15 --label 1 --send_nl_msg 1
COMMIT
# Completed on Wed May 4 13:40:18 2022
# Generated by iptables-save v1.6.1 on Wed May 4 13:40:18 2022
*nat
:PREROUTING ACCEPT [155:8905]
:INPUT ACCEPT [14:1443]
:OUTPUT ACCEPT [469:133528]
:POSTROUTING ACCEPT [466:133293]
:oem_epdg_nat_POSTROUTING - [0:0]
:oem_nat_pre - [0:0]
:tetherctrl_nat_POSTROUTING - [0:0]
-A PREROUTING -j oem_nat_pre
-A POSTROUTING -j oem_epdg_nat_POSTROUTING
-A POSTROUTING -j tetherctrl_nat_POSTROUTING
COMMIT
# Completed on Wed May 4 13:40:18 2022
# Generated by iptables-save v1.6.1 on Wed May 4 13:40:18 2022
*mangle
:PREROUTING ACCEPT [21900:12199744]
:INPUT ACCEPT [21761:12192938]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20056:1956110]
:POSTROUTING ACCEPT [19236:1915623]
:bw_mangle_POSTROUTING - [0:0]
:idletimer_mangle_POSTROUTING - [0:0]
:oem_epdg_mangle_OUTPUT - [0:0]
:oem_mangle_post - [0:0]
:oem_mangle_pre - [0:0]
:routectrl_mangle_INPUT - [0:0]
:tetherctrl_mangle_FORWARD - [0:0]
:wakeupctrl_mangle_INPUT - [0:0]
-A PREROUTING -j oem_mangle_pre
-A INPUT -j wakeupctrl_mangle_INPUT
-A INPUT -j routectrl_mangle_INPUT
-A FORWARD -j tetherctrl_mangle_FORWARD
-A OUTPUT -j oem_epdg_mangle_OUTPUT
-A POSTROUTING -j oem_mangle_post
-A POSTROUTING -j bw_mangle_POSTROUTING
-A POSTROUTING -j idletimer_mangle_POSTROUTING
-A bw_mangle_POSTROUTING -o ipsec+ -j RETURN
-A bw_mangle_POSTROUTING -m policy --dir out --pol ipsec -j RETURN
-A bw_mangle_POSTROUTING -j MARK --set-xmark 0x0/0x100000
-A bw_mangle_POSTROUTING -m bpf --object-pinned /sys/fs/bpf/prog_netd_skfilter_egress_xtbpf
-A idletimer_mangle_POSTROUTING -o wlan0 -j IDLETIMER --timeout 15 --label 1 --send_nl_msg 1
-A routectrl_mangle_INPUT -i wlan0 -j MARK --set-xmark 0x30064/0xffefffff
-A tetherctrl_mangle_FORWARD -p tcp -m tcp --tcp-flags SYN SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed May 4 13:40:18 2022
# Generated by iptables-save v1.6.1 on Wed May 4 13:40:18 2022
*filter
:INPUT ACCEPT [2385:2090273]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2159:250076]
:afwall - [0:0]
:afwall-3g - [0:0]
:afwall-3g-fork - [0:0]
:afwall-3g-home - [0:0]
:afwall-3g-postcustom - [0:0]
:afwall-3g-roam - [0:0]
:afwall-3g-tether - [0:0]
:afwall-input - [0:0]
:afwall-reject - [0:0]
:afwall-tether - [0:0]
:afwall-tor - [0:0]
:afwall-tor-reject - [0:0]
:afwall-vpn - [0:0]
:afwall-wifi - [0:0]
:afwall-wifi-fork - [0:0]
:afwall-wifi-lan - [0:0]
:afwall-wifi-postcustom - [0:0]
:afwall-wifi-tether - [0:0]
:afwall-wifi-wan - [0:0]
:bw_FORWARD - [0:0]
:bw_INPUT - [0:0]
:bw_OUTPUT - [0:0]
:bw_costly_shared - [0:0]
:bw_data_saver - [0:0]
:bw_global_alert - [0:0]
:bw_happy_box - [0:0]
:bw_penalty_box - [0:0]
:fw_FORWARD - [0:0]
:fw_INPUT - [0:0]
:fw_OUTPUT - [0:0]
:oem_cta_all - [0:0]
:oem_cta_mobile - [0:0]
:oem_data - [0:0]
:oem_fwd - [0:0]
:oem_in - [0:0]
:oem_out - [0:0]
:oem_priot - [0:0]
:oem_priou - [0:0]
:st_OUTPUT - [0:0]
:st_clear_caught - [0:0]
:st_clear_detect - [0:0]
:st_penalty_log - [0:0]
:st_penalty_reject - [0:0]
:tetherctrl_FORWARD - [0:0]
:tetherctrl_counters - [0:0]
-A INPUT -j bw_INPUT
-A INPUT -j fw_INPUT
-A INPUT -j oem_in
-A FORWARD -j oem_fwd
-A FORWARD -j fw_FORWARD
-A FORWARD -j bw_FORWARD
-A FORWARD -j tetherctrl_FORWARD
-A OUTPUT -j afwall
-A OUTPUT -j oem_out
-A OUTPUT -j fw_OUTPUT
-A OUTPUT -j st_OUTPUT
-A OUTPUT -j bw_OUTPUT
-A afwall -o eth+ -j afwall-wifi
-A afwall -o wlan+ -j afwall-wifi
-A afwall -o tiwlan+ -j afwall-wifi
-A afwall -o ra+ -j afwall-wifi
-A afwall -o bnep+ -j afwall-wifi
-A afwall -o rmnet+ -j afwall-3g
-A afwall -o pdp+ -j afwall-3g
-A afwall -o uwbr+ -j afwall-3g
-A afwall -o wimax+ -j afwall-3g
-A afwall -o vsnet+ -j afwall-3g
-A afwall -o rmnet_sdio+ -j afwall-3g
-A afwall -o ccmni+ -j afwall-3g
-A afwall -o qmi+ -j afwall-3g
-A afwall -o svnet0+ -j afwall-3g
-A afwall -o ccemni+ -j afwall-3g
-A afwall -o wwan+ -j afwall-3g
-A afwall -o cdma_rmnet+ -j afwall-3g
-A afwall -o clat4+ -j afwall-3g
-A afwall -o cc2mni+ -j afwall-3g
-A afwall -o bond1+ -j afwall-3g
-A afwall -o rmnet_smux+ -j afwall-3g
-A afwall -o ccinet+ -j afwall-3g
-A afwall -o v4-rmnet+ -j afwall-3g
-A afwall -o seth_w+ -j afwall-3g
-A afwall -o v4-rmnet_data+ -j afwall-3g
-A afwall -o rmnet_ipa+ -j afwall-3g
-A afwall -o rmnet_data+ -j afwall-3g
-A afwall -o r_rmnet_data+ -j afwall-3g
-A afwall-3g -j afwall-3g-postcustom
-A afwall-3g-fork -j afwall-3g-home
-A afwall-3g-home -p udp -m udp --dport 53 -j RETURN
-A afwall-3g-home -p tcp -m tcp --dport 53 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10062 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10176 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10177 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10178 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10182 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10186 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10188 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10193 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10196 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10198 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10204 -j RETURN
-A afwall-3g-home -m owner --uid-owner 10207 -j RETURN
-A afwall-3g-home -p udp -m udp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-3g-home -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-3g-home -j afwall-reject
-A afwall-3g-postcustom -j afwall-3g-fork
-A afwall-3g-roam -p udp -m udp --dport 53 -j RETURN
-A afwall-3g-roam -p tcp -m tcp --dport 53 -j RETURN
-A afwall-3g-roam -p udp -m udp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-3g-roam -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-3g-roam -j afwall-reject
-A afwall-3g-tether -j afwall-3g-fork
-A afwall-reject -j NFLOG --nflog-prefix "{AFL}" --nflog-group 40
-A afwall-reject -j REJECT --reject-with icmp-port-unreachable
-A afwall-tether -p udp -m udp --dport 53 -j RETURN
-A afwall-tether -p tcp -m tcp --dport 53 -j RETURN
-A afwall-tether -p udp -m udp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-tether -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-tether -j afwall-reject
-A afwall-vpn -p udp -m udp --dport 53 -j RETURN
-A afwall-vpn -p tcp -m tcp --dport 53 -j RETURN
-A afwall-vpn -p udp -m udp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-vpn -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-vpn -j afwall-reject
-A afwall-wifi -j afwall-wifi-postcustom
-A afwall-wifi-fork -d 192.168.0.0/24 -j afwall-wifi-lan
-A afwall-wifi-fork ! -d 192.168.0.0/24 -j afwall-wifi-wan
-A afwall-wifi-lan -p udp -m udp --dport 53 -j RETURN
-A afwall-wifi-lan -p tcp -m tcp --dport 53 -j RETURN
-A afwall-wifi-lan -p udp -m udp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-wifi-lan -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-wifi-lan -j afwall-reject
-A afwall-wifi-postcustom -m owner --uid-owner 1014 -j RETURN
-A afwall-wifi-postcustom -m owner --uid-owner 1010 -j RETURN
-A afwall-wifi-postcustom -j afwall-wifi-fork
-A afwall-wifi-tether -j afwall-wifi-fork
-A afwall-wifi-wan -p udp -m udp --dport 53 -j RETURN
-A afwall-wifi-wan -p tcp -m tcp --dport 53 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10062 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10176 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10177 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10178 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10182 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10186 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10188 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10193 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10196 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10198 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10204 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10207 -j RETURN
-A afwall-wifi-wan -p udp -m udp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-wifi-wan -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-wifi-wan -j afwall-reject
-A bw_INPUT -j bw_global_alert
-A bw_INPUT -p esp -j RETURN
-A bw_INPUT -m mark --mark 0x100000/0x100000 -j RETURN
-A bw_INPUT -j MARK --set-xmark 0x100000/0x100000
-A bw_OUTPUT -j bw_global_alert
-A bw_OUTPUT -o ipsec+ -j RETURN
-A bw_OUTPUT -m policy --dir out --pol ipsec -j RETURN
-A bw_costly_shared -j bw_penalty_box
-A bw_data_saver -j RETURN
-A bw_global_alert -m quota2 ! --name globalAlert --quota 2097152
-A bw_happy_box -m bpf --object-pinned /sys/fs/bpf/prog_netd_skfilter_whitelist_xtbpf -j RETURN
-A bw_happy_box -j bw_data_saver
-A bw_penalty_box -m bpf --object-pinned /sys/fs/bpf/prog_netd_skfilter_blacklist_xtbpf -j REJECT --reject-with icmp-port-unreachable
-A bw_penalty_box -j bw_happy_box
-A oem_data -j oem_priou
-A oem_data -j oem_priot
-A oem_out -o ppp+ -j oem_cta_mobile
-A oem_out -o ccmni+ -j oem_cta_mobile
-A oem_out -o ccemni+ -j oem_cta_mobile
-A oem_out -o usb+ -j oem_cta_mobile
-A oem_out -o cc2mni+ -j oem_cta_mobile
-A oem_out -j oem_cta_all
-A oem_out -j oem_data
-A st_clear_detect -m connmark --mark 0x2000000/0x2000000 -j REJECT --reject-with icmp-port-unreachable
-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN
-A st_clear_detect -p tcp -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0xffff0000=0x16030000&&0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x4&0xff0000=0x10000" -j CONNMARK --set-xmark 0x1000000/0x1000000
-A st_clear_detect -p udp -m u32 --u32 "0x0>>0x16&0x3c@0x8&0xffff0000=0x16fe0000&&0x0>>0x16&0x3c@0x14&0xff0000=0x10000" -j CONNMARK --set-xmark 0x1000000/0x1000000
-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN
-A st_clear_detect -p tcp -m state --state ESTABLISHED -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0x0=0x0" -j st_clear_caught
-A st_clear_detect -p udp -j st_clear_caught
-A st_penalty_log -j CONNMARK --set-xmark 0x1000000/0x1000000
-A st_penalty_log -j NFLOG
-A st_penalty_reject -j CONNMARK --set-xmark 0x2000000/0x2000000
-A st_penalty_reject -j NFLOG
-A st_penalty_reject -j REJECT --reject-with icmp-port-unreachable
-A tetherctrl_FORWARD -j DROP
COMMIT
# Completed on Wed May 4 13:40:18 2022
```

Hope it helps :)
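The two observations in this thread, bugbountyguy's note that `afwall-wifi-wan` RETURNs port 53 before any per-app rule is consulted, and the same `--dport 53 -j RETURN` pair at the head of every `afwall-*` chain in Tanzin01's export, can be checked mechanically. The following is an added example, not AFWall+'s own code: it parses iptables-save lines, lists the port-53 RETURN rules that carry no `owner` match, and walks a packet (uid, protocol, destination port) through the chains to show which UIDs get through, with and without the custom-script workaround posted above. The sample ruleset is constructed: it keeps a subset of the `afwall-wifi-wan` rules from the export (one whitelisted UID), but jumps to that chain straight from OUTPUT instead of through `afwall`, `afwall-wifi`, `afwall-wifi-postcustom` and `afwall-wifi-fork`, and the simulation ignores interface (`-o`) and destination (`-d`) matches. A result of `RETURN` from OUTPUT means the packet fell through every AFWall+ chain and is left to the OUTPUT policy (ACCEPT on this device).

```python
"""Audit an iptables-save table for port-53 RETURN rules that carry no owner match."""
import shlex
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the afwall-wifi-wan rules from the export in this
# thread, except that OUTPUT jumps to that chain directly instead of via afwall,
# afwall-wifi, afwall-wifi-postcustom and afwall-wifi-fork.
SAMPLE = """\
*filter
:OUTPUT ACCEPT [0:0]
:afwall-reject - [0:0]
:afwall-wifi-wan - [0:0]
-A OUTPUT -j afwall-wifi-wan
-A afwall-reject -j NFLOG --nflog-prefix "{AFL}" --nflog-group 40
-A afwall-reject -j REJECT --reject-with icmp-port-unreachable
-A afwall-wifi-wan -p udp -m udp --dport 53 -j RETURN
-A afwall-wifi-wan -p tcp -m tcp --dport 53 -j RETURN
-A afwall-wifi-wan -m owner --uid-owner 10062 -j RETURN
-A afwall-wifi-wan -p udp -m udp --dport 53 -m owner --uid-owner 0 -j RETURN
-A afwall-wifi-wan -j afwall-reject
COMMIT
"""
# The custom-script workaround posted in the thread; -I inserts at the top of OUTPUT.
WORKAROUND = [
    "-I OUTPUT -p udp -m udp ! --dport 53 -m owner --uid-owner 0 -j DROP",
    "-I OUTPUT -p tcp -m tcp ! --dport 53 -m owner --uid-owner 0 -j DROP",
]
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}
Packet = namedtuple("Packet", "uid proto dport")

@dataclass
class Rule:
    chain: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    dport_negated: bool = False
    uid: Optional[int] = None
    target: Optional[str] = None

def parse_rule(line):
    """Parse one '-A chain ...' / '-I chain ...' line into (insert_at_top, Rule). Only -p,
    [!] --dport, --uid-owner and -j are read; other matches (-o, -d, -m bpf, ...) are
    ignored and therefore always match in this simulation."""
    toks = shlex.split(line)
    rule, negate, i = Rule(chain=toks[1]), False, 2
    while i < len(toks):
        tok, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if tok == "!":
            negate, i = True, i + 1
            continue
        if tok == "-p":
            rule.proto = arg
        elif tok == "--dport":
            rule.dport, rule.dport_negated = int(arg), negate
        elif tok == "--uid-owner":
            rule.uid = int(arg)
        elif tok == "-j":
            rule.target = arg
        negate, i = False, i + 1
    return toks[0] == "-I", rule

def parse_table(text, extra=()):
    """Parse one iptables-save table plus optional extra -A/-I lines (e.g. custom scripts)."""
    chains = {}
    for line in text.splitlines() + list(extra):
        if line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith(("-A ", "-I ")):
            insert, rule = parse_rule(line)
            bucket = chains.setdefault(rule.chain, [])
            bucket.insert(0 if insert else len(bucket), rule)
    return chains

def matches(rule, pkt):
    """A rule matches when each interpreted field is unset or agrees with the packet."""
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or (pkt.dport == rule.dport) != rule.dport_negated)
            and (rule.uid is None or rule.uid == pkt.uid))

def walk(chains, chain, pkt):
    """Traverse a chain: ACCEPT/DROP/REJECT/RETURN end it, a user chain is entered and
    its RETURN resumes here. Non-terminal targets (NFLOG, MARK, CONNMARK) have no
    chain entry and so behave like RETURN, as in the kernel."""
    for rule in chains.get(chain, []):
        if not rule.target or not matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        result = walk(chains, rule.target, pkt)
        if result != "RETURN":
            return result
    return "RETURN"

def dns_holes(chains):
    """Port-53 RETURN rules with no owner match: DNS from any UID skips the per-app rules."""
    return [r for rules in chains.values() for r in rules
            if r.dport == 53 and not r.dport_negated and r.uid is None
            and r.target == "RETURN"]
```

Running `dns_holes(parse_table(SAMPLE))` reports both the UDP and TCP rules; `walk` confirms that a non-whitelisted UID reaches port 53 but is rejected on 443, and that with the workaround applied root is dropped on 443 while root's DNS, and every other UID's DNS, still passes, so the custom rules narrow the behaviour for uid 0 only and leave the unowned port-53 exception itself in place. The same functions can be pointed at a real export by feeding it one `*table` section at a time, since chain names repeat across tables.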