ukanth / afwall

AFWall+ (Android Firewall +) - iptables based firewall for Android
GNU General Public License v3.0

connection not blocked #440

Closed duud closed 7 years ago

duud commented 9 years ago

I've blocked all apps. After a reboot I'm seeing this in netstat.

```
$ netstat
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp6       0      0 ::ffff:192.168.1.2:39201 ::ffff:216.58.213.14:80 ESTABLISHED
```

ukanth commented 9 years ago

Do you have "Fix startup data leak" enabled ?

duud commented 9 years ago

Yes

duud commented 9 years ago

I'm on cm12.1 and it doesn't execute init.d scripts: https://github.com/EthACKdotOrg/orWall/issues/79

duud commented 9 years ago

Sorry, but I don't understand how ::ffff:192.168.1.2 is related to router/dhcp. 192.168.1.2 is the IP of my android device.

duud commented 9 years ago

There must be some misunderstanding, maybe I'm overlooking something... Just to be sure: I ran the netstat command on my Android phone which is running AFWall+, not on my router. I didn't whitelist any application in AFWall's interface, so everything (except DNS) should be blocked, which works since e.g. my browser app is blocked properly. I'm not sure why the connection I posted above should be allowed in order to not break port 80.

c3ph3us commented 9 years ago

"This isn't spying, it's just a security feature" - and it could work as a backdoor...

c3ph3us commented 9 years ago

I use CM, but it's based on AOSP (= Google), so they share the same bugs. I contribute to AOSP, so I know how full of holes it is, like Swiss cheese...

The whole Google API could be compromised as simply as... "hushhhh... just use reflection", and I didn't get a single exception from the security manager from the time I used reflection - from the beginning? - I don't know if Android has one :D - especially now with SELinux... you can simply - but there is one possibility for a system to resist compromise - as a ROM system, with no write access to system files :D - when you can write into memory, it's not secure.

c3ph3us commented 9 years ago

Second matter: if you want to have a system that is not compromised, unplug the internet cable :D

bfritz commented 9 years ago

@CHEF-KOCH can you expand on this statement?

> The OS has certain aspects which can't be blocked by AFWall+, or not for 'normal' users. E.g. as mentioned, blocking the entire domain will also destroy the safe browsing mechanism or the ability to submit apk checks.

I am trying to reconcile it with my mental model of AFWall+ as an iptables rule generator (like ufw, Shorewall, etc.). Understandably AFWall+ won't block connections that are started prior to the rules being loaded into netfilter. But after AFWall+ is running (in whitelist mode), I assumed the default policy for outbound traffic would be REJECT and there would be very few default exceptions--perhaps just DNS and DHCP. Seeing an HTTP socket back to Google (or CM) would surprise me as well.

Am I overlooking something about how traffic might bypass netfilter despite whitelist mode? Or a set of behind-the-scenes exceptions AFWall+ makes anticipating certain user expectations?

Thanks.
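The whitelist model described in the comment above (default-deny outbound, a short list of exceptions for DNS and DHCP, per-UID allow rules via the iptables `owner` match, and a LOG rule so that anything that still gets out is recorded with its UID) can be written down as an explicit rule set. The following is an added example, not AFWall+'s own code; the chain name `afw-out`, the sample UIDs and the log prefix are assumptions. It generates the rules as argument lists so they can be inspected or tested before being handed to `iptables`:

```python
"""Build an OUTPUT whitelist in the style of a per-UID Android firewall.

Added example (not AFWall+ code). Assumes the 'owner' match, the 'limit' match and
the LOG target are compiled into the kernel, which is the usual case on Android.
"""
import shlex
import subprocess

CHAIN = "afw-out"  # hypothetical chain name, not AFWall+'s real one


def build_whitelist_rules(allowed_uids, allow_dns=True, allow_dhcp=True,
                          log_prefix="afw-leak "):
    """Return iptables argument lists (without the binary name) for a whitelist.

    Order matters: loopback first, then the explicit DNS/DHCP exceptions, then one
    RETURN per allowed UID, and finally LOG + REJECT so that every outbound packet
    that matched nothing above is both recorded (with --log-uid) and refused.
    """
    rules = [
        ["-N", CHAIN],
        ["-F", CHAIN],
        ["-I", "OUTPUT", "-j", CHAIN],            # send all outbound traffic through CHAIN
        ["-A", CHAIN, "-o", "lo", "-j", "RETURN"],  # loopback never leaves the device
    ]
    if allow_dns:
        rules.append(["-A", CHAIN, "-p", "udp", "--dport", "53", "-j", "RETURN"])
        rules.append(["-A", CHAIN, "-p", "tcp", "--dport", "53", "-j", "RETURN"])
    if allow_dhcp:
        rules.append(["-A", CHAIN, "-p", "udp", "--dport", "67", "-j", "RETURN"])
    for uid in sorted(set(allowed_uids)):         # dedupe, stable order
        rules.append(["-A", CHAIN, "-m", "owner", "--uid-owner", str(uid),
                      "-j", "RETURN"])
    # Rate-limited log of whatever falls through, including the owning UID,
    # so a leak like the one in this issue shows up in dmesg/logcat.
    rules.append(["-A", CHAIN, "-m", "limit", "--limit", "10/min",
                  "-j", "LOG", "--log-prefix", log_prefix, "--log-uid"])
    rules.append(["-A", CHAIN, "-j", "REJECT"])   # default deny
    return rules


def render_script(rules, iptables="iptables"):
    """Render the rules as shell lines for review or for a boot-time script."""
    return [shlex.join([iptables] + rule) for rule in rules]


def apply_rules(rules, iptables="iptables"):
    """Apply the rules with the given binary; must run as root on the device.

    '-N' is allowed to fail because the chain may already exist from an earlier run.
    """
    for rule in rules:
        subprocess.run([iptables] + rule, check=(rule[0] != "-N"))


if __name__ == "__main__":
    sample_uids = [10045, 10120]                   # constructed sample app UIDs
    for line in render_script(build_whitelist_rules(sample_uids)):
        print(line)
```

The socket quoted in the issue is a `tcp6` socket with an IPv4-mapped address (`::ffff:192.168.1.2`); its packets on the wire are plain IPv4, so they traverse the `iptables` (v4) path and are caught by this set. Native IPv6 traffic needs the same rules loaded with `ip6tables`. Loading these rules only after boot has finished is exactly the window the "Fix startup data leak" option is meant to close: a socket established before the jump into the chain exists is not retroactively rejected.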

duud commented 9 years ago

I don't have any Google apps installed.

Sorry for not providing the logs, just need to find some free time...

c3ph3us commented 9 years ago

@CHEF-KOCH with respect - DNS spoofing, ARP spoofing, DNS poisoning etc.? How sure are you if the connection is not secured - SSL? etc.? No, so any unsecured connection with no valid encryption protocol should be considered as not safe!

c3ph3us commented 9 years ago

@CHEF-KOCH I have one request, if you like coding and want to make the app more reliable for security: add a module which will build a list of IPs when an app tries to establish a connection (for every app UID), to filter them with a white/black list, and options to ask the user whether a connection to a certain IP should be allowed. Then filtering ports and protocols will not be necessary. That should be an option for advanced users. Consider this: an app should connect to one IP or canonical name (depends), but it is also establishing connections to Crashlytics, analytics, ACRA, AdWords, AdSense etc., which normally you are not aware of. Then you can control your privacy better - this is a good firewall! Yours is based on protocol/port/UID filtering - that's too little to become a good protection app called a firewall.

Yes, I am aware of browsers - so there should be a switch to allow all network traffic or to filter traffic per app UID.

c3ph3us commented 9 years ago

I'm developing web-based apps, so I know how socket communication is handled in Android. I proposed this as a module for advanced users to give them more control over app activity.

"But it's getting more off-topic now." If you want to develop an application and move forward you need to go a step ahead :) port/protocol control -> then app filtering. Join forces with @EthACK - both have better chances to speed up :) I can also help if you want, in some parts :D I like coding.

PS: how this can be done:

2015-10-06 19:45 GMT+02:00 CHEF-KOCH notifications@github.com:

> The mentioned attacks also affect 'secured' DNS stuff/software/channels too, e.g. the IP leakage problem under Windows 8 up to 10 due to new 'network changes'. The entire "I block xy IP and am secure" is useless. One of the best examples I know is explained over here https://torrentfreak.com/anti-piracy-blocklists-dont-keep-bittorrent-spies-out-120904/. So I doubt that you can 'secure' the phone with such techniques. Imho we need better protocols for that. / But it's just another topic.
>
> > add module which will build list of ip's when app tries establish a connection (for every app-uid ) to filter them
>
> Google uses over 260.000+ IPs; loading them into the custom filters will slow down the machine. Sure, you could use CIDR notation and the entire IP range (or ipset), but that won't change the fact that the app or services may use a separate tunnel which would need additional user interaction to really block or 'control' it.
>
> The logic behind blocking single IPs is complex. For example, blocking a bunch of IPs with a custom script doesn't mean you won't see any ads anymore (they could be cached offline), because the server may be hosted on Cloudflare, which also uses a lot of IP ranges, or the app changed to implement other techniques that definitely can't be controlled by AFWall+.
>
> Another problem is that the app/process spawns another separate process or init; the currently public iptables is very limited on this.
>
> But it's getting more off-topic now.


c3ph3us commented 9 years ago

Set one IN and one OUT chain and set access for your app (reroute the whole traffic through one chain)? And you filter the chain :D Do you know how to read a packet header? Basics -> iptables is a firewall itself, so you need to redirect all traffic and filter it like any other firewall operating on a network interface (hooking into it as a driver).

E3V3A commented 9 years ago

@CHEF-KOCH I think your previous explanation here is extremely important for most users to know about. (And thank you for those details.) So perhaps it would be a good idea to put some of these items on the front page?

duud commented 9 years ago

Still have no time to debug this properly, but here is some more information. The UID of the process is 1000/setupwizard. I did a tcpdump and, judging by the DNS request made before establishing the connection, I think this connection is established in order to test whether the device has internet access. I think this is related to the part of Android's code which shows an exclamation mark on the Wi-Fi symbol if the device has no internet access. As I mentioned above, AFWall's init script isn't executed properly on cm12.1 due to SELinux restrictions; this seems to be the issue here.
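Attributing a socket to a UID, as done in the comment above, can be checked without tcpdump: `/proc/net/tcp6` lists every socket with its owning UID, which is the same data `netstat` prints minus the UID column. The decoder below is an added example, not AFWall+'s own code. Its sample input is constructed to match the netstat line from the start of this issue (192.168.1.2:39201 to 216.58.213.14:80, ESTABLISHED) with UID 1000; the inode numbers are made up, and a little-endian host (ARM/x86 Android) is assumed for the address byte order:

```python
"""Decode /proc/net/tcp6 into (address, port, state, uid) records and flag
established sockets whose UID is not on a whitelist. Added example; assumes a
little-endian host, which is what the 32-bit word layout in /proc/net/tcp* reflects."""
import ipaddress
import struct

TCP_STATES = {1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
              5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
              9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING"}

# Constructed sample: row 0 mirrors the netstat line in this issue (owned by UID 1000),
# row 1 is a DNS listener owned by root. Inodes 12345/12346 are invented.
SAMPLE_PROC_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0000000000000000FFFF00000201A8C0:9921 0000000000000000FFFF00000ED53AD8:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1
   1: 00000000000000000000000000000000:0035 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
"""


def _decode_addr(hexaddr):
    """The kernel prints each 32-bit word of the address in host byte order;
    swap every word back to network order and let ipaddress format it."""
    raw = bytes.fromhex(hexaddr)
    n = len(raw) // 4                       # 1 word for tcp, 4 words for tcp6
    words = struct.unpack("<%dI" % n, raw)  # little-endian host order ...
    packed = struct.pack(">%dI" % n, *words)  # ... to big-endian network order
    if n == 1:
        return str(ipaddress.IPv4Address(packed))
    addr = ipaddress.IPv6Address(packed)
    mapped = addr.ipv4_mapped               # render ::ffff:a.b.c.d like netstat does
    return "::ffff:%s" % mapped if mapped else str(addr)


def _decode_endpoint(field):
    hexaddr, hexport = field.split(":")
    return _decode_addr(hexaddr), int(hexport, 16)


def parse_proc_tcp(text):
    """Parse the text of /proc/net/tcp or /proc/net/tcp6 into a list of dicts."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # data rows start with the slot number, e.g. "0:"; the header does not
        if len(parts) < 10 or not parts[0].endswith(":"):
            continue
        laddr, lport = _decode_endpoint(parts[1])
        raddr, rport = _decode_endpoint(parts[2])
        entries.append({
            "local": laddr, "lport": lport,
            "remote": raddr, "rport": rport,
            "state": TCP_STATES.get(int(parts[3], 16), parts[3]),
            "uid": int(parts[7]),
            "inode": int(parts[9]),
        })
    return entries


def unexpected_connections(entries, allowed_uids):
    """Established sockets owned by a UID that is not on the whitelist: these are
    the connections a whitelist-mode firewall should not have let through."""
    return [e for e in entries
            if e["state"] == "ESTABLISHED" and e["uid"] not in allowed_uids]


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp6") as fh:  # on a device; falls back to the sample
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_TCP6
    for e in unexpected_connections(parse_proc_tcp(text), {0}):
        print("uid %d: %s:%d -> %s:%d (%s)" % (e["uid"], e["local"], e["lport"],
                                               e["remote"], e["rport"], e["state"]))
```

On the device, the UID column is what lets you tell a system component (UID 1000 here) from an app you expected the whitelist to cover; an ESTABLISHED row whose UID is not in the allow list while the firewall claims to be active is the signature of rules that were not loaded in time.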

duud commented 9 years ago

Chainfire's su is closed source. I don't want to install a closed-source su binary, so I can't test this.