I need a FIREWALL - Android Q&A, Help & Troubleshooting

Not for security, just to stop mobile data internet from reaching some apps. I need to set it by multiple configuration too.

AFWall+ is a good option, with some improvements and a GUI. Plus, you can edit the iptables rules after all if you know how and where to do it. BTW, a good example of an application of a firewall, or of what we can use it for.

Related

[Q] Android Firewall using droidwall scripts and iptables

G'day
I am interested in setting up a basic firewall using Droidwall scripts, just simple block-inbound and allow-outbound rules, but I am not sure how I would set this up instead of using the white/black list feature.
Cheers
Think I'll just stick to the basic white/black list mode.
Thread died. I don't think there is much documentation on Droidwall scripts.
Droidwall still the best Firewall
WCL1990 said:
Thread Died
RISE. RISE AGAIN.
Droidwall still the best.
OP. What do you really want to do?
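The rule layout asked about in this thread (drop inbound, allow outbound), combined with the per-app mobile-data block requested in the thread above, as an added example that is not from any poster or from DroidWall/AFWall+ itself. Assumptions: a root shell, an `$IPTABLES` variable preset by the firewall app's custom-script environment (falls back to `iptables`), and illustrative cellular interface patterns, chain name and app UIDs.

```shell
#!/bin/sh
# Added example: inbound-drop / outbound-allow rules plus per-UID mobile-data blocks.
# Assumption: $IPTABLES may be preset by the firewall app; otherwise use "iptables".
IPT="${IPTABLES:-iptables}"
# Assumption: common cellular interface name patterns; confirm with `ip link` on the device.
MOBILE_IFACES="rmnet+ pdp+ ccmni+"
CHAIN="example-mobile-block"   # hypothetical chain name

# Print each command by default; execute it only when APPLY=1 (requires root).
emit() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# build_rules UID...  emits the full rule set; returns 2 on a non-numeric UID
# before emitting anything, so a typo never leaves a half-applied rule set.
build_rules() {
    for uid in "$@"; do
        case "$uid" in
            ''|*[!0-9]*) echo "invalid uid: $uid" >&2; return 2 ;;
        esac
    done

    # Inbound: keep loopback and replies to connections the phone opened,
    # then switch the default policy to DROP (policy last, so nothing is cut early).
    emit "$IPT" -F INPUT
    emit "$IPT" -A INPUT -i lo -j ACCEPT
    emit "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    emit "$IPT" -P INPUT DROP

    # Outbound: allowed by default.
    emit "$IPT" -P OUTPUT ACCEPT

    # Dedicated chain for mobile data; create-or-flush keeps reruns idempotent.
    emit "$IPT" -N "$CHAIN" 2>/dev/null || true
    emit "$IPT" -F "$CHAIN"
    for ifc in $MOBILE_IFACES; do
        # Remove an older jump (if any) before adding it again.
        emit "$IPT" -D OUTPUT -o "$ifc" -j "$CHAIN" 2>/dev/null || true
        emit "$IPT" -A OUTPUT -o "$ifc" -j "$CHAIN"
    done

    # Reject traffic owned by the listed app UIDs on mobile interfaces only;
    # Wi-Fi traffic from the same apps never enters this chain.
    for uid in "$@"; do
        emit "$IPT" -A "$CHAIN" -m owner --uid-owner "$uid" -j REJECT
    done
}

# Dry run with two constructed app UIDs when executed directly:
#   build_rules 10123 10456
```

By default the function only prints the commands so they can be reviewed before setting `APPLY=1`. IPv6 traffic is not covered and needs the same rules applied through `ip6tables`.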

Most secure ZU config: firmware, phone settings, application settings, user behavior

Say I wanted to have the most secure Sony Xperia Z Ultra possible (without "too much" sacrifice of usability).
In the context of this thread I define security as broadly anything barring network anonymity, i.e. hiding your device's public IP address.
So I want security from network attackers (e.g. drive-by download, WiFi attacks), physical device attackers (e.g. customs searching devices for IP violations ... no really, that's about to become a thing apparently, GF and/or mistresses).
How would you do it?
Could you please use sections of
Code:
firmware
phone settings
app settings
behavior
because I want to curate the best answers from users in this post for the good of the forum.
My thoughts so far are:
Firmware:
Root is disabled
Bootloader should be locked.
^^ These I'm not sure about - see, if we don't have root then we don't have an iptables firewall and hosts-level server blocking.
One recovery should be used
Honestly I'm not sure which ROM is more secure than another but I'm assuming the latest and greatest is more secure so that would be MM atm. No idea if Sony is more secure than another flavour of ZU Android.
Phone settings:
Developer options off
Sideload apps off
Do not connect to unknown WiFi
NFC Off by default
Bluetooth Off by default
PIN unlock required
Auto-lock ON
App settings: (this includes apps you should have/not have and their settings)
I figure every additional app that I don't use is a needless attack surface so start with no apps at all - uninstall everything. Only install what you use ... for which you need root unless the ROM is premade like this.
Firewall app (Netguard no-root Firewall, DroidWall if we have root)
Adblock (if we have root)
AV - honestly most mobile AV seems pathetic at being secure and not acting like malware (notifications, popup windows etc) but Avast at least seems to not hog resources.
-Auto update every app
User behaviour:
NEVER:
-install apps from anywhere other than Google Play. Or possibly FDroid
-let another person use your device
I'd like to hear your suggestions, critique and everything else, cheers!
So you're not gonna install from other than google play, then what ad blocker are you going to use? Where is adblocker connecting to?
You're talking about still having a lot of apps connecting through servers that you don't control.
morestupidemailnames said:
You're talking about still having a lot of apps connecting through servers that you don't control.
Well, if you are worried about connecting to servers that you don't control - isn't that all servers?
At which point you may as well remove all WIFI and Mobile Data capabilities and just stick to 2G
panyan said:
Well, if you are worried about connecting to servers that you don't control - isn't that all servers?
At which point you may as well remove all WIFI and Mobile Data capabilities and just stick to 2G
Exactly my point.
The OP is a long-winded question that leaves you with more questions.
Probably why there's been such a landslide of security tips here.

Truly blocking Internet permission using Xprivacy

My plan is to modify permissions for almost every app on my phone including system apps.
There will be 2 categories:
1. Apps that need to be able to phone home (Internet access, I guess).
(For those I want to block access to all my personal information / data.)
2. Apps that don't need to phone home.
(For those I just want to make sure the apps can't leak my data/information.)
Now let's say I want to prevent an app from accessing the Internet:
Is it enough to just tap the according check box? Because some of the 'functions' listed under that category don't get a check mark by default. Which of these functions do actually make sending/receiving data over the Internet possible?
I'm not an Android developer, so I don't know what all the 'functions' can potentially do/expose. What is your advice for people like me? Should I just disable all functions under a category that I want to restrict and see if it works? Or am I truly expected to become an Android developer and understand every single class member listed in the app? It would be nice to have a short explanation and assessment for each function.

Let’s talk about the importance of App Settings (in my humble opinion)...

TL;DR: the possibility to control permissions in apps is one of the most important advantages of rooting (in my opinion).
Seeing that App Settings is somewhat being underestimated, let’s talk about the powerful permission manager that it has.
I think that permission management alone is one of the most important things about rooting. The possibility to control what permissions to grant to apps, besides what Google wants you to be able to control in Android, is absolutely critical for a power user.
Let’s see some examples. Right now everything is “free” because of telemetry and you being “the product” for companies... You can be OK with that if you want to. But where did you accept that EVERYTHING in your cell phone should have ads? I don’t remember accepting that... Well, thanks to rooting + AdAway + some browsers and user permission management, you can have an ad-free cell phone (really), with more battery life, less background internet usage, and faster, because you can stop every app from syncing constantly because of ads...
There was a time when almost the only app that could effectively do permissions management for rooted cellphones was Stericson’s “Permissions Denied”. The problem was that you needed to restart your Android system every time you changed permissions, and in later Android and app versions it was becoming less stable and effective.
With the great xPosed everything changed. Now you have some modules that took over that advantage. Some of them are: xPrivacy, Permissions Master, and App Settings.
In my humble opinion, xPrivacy works as some sort of “permissions firewall”. It has deep control of some aspects, but at the cost of too many things to pay attention to, and of system resources.
The approach of Permissions Denied / Permissions Master and App Settings is that they work similarly to controlling some Internet connections in Windows systems with the “hosts file”.
You can select from available permissions and, for example, control and deny Internet access completely to an app. Android permissions management won’t allow you to stop an app from connecting to Internet altogether, because of ads.
If some “ruler app” for example, claims that is “free” and “ad free”, whatever reason... Why should it connect to Internet, have access to your contacts, etc.? Let’s imagine that you still want to use that app, but you don’t want it to connect to Internet. Solution? App Settings!!!
And the advantage of App Settings is that it works in real time. If you change some permission for an app and it stops working, you can reverse that, and it works almost instantly. Permissions Master is similar, but some changes won’t stick when denying permissions to apps.
I simply can’t believe that the rooting community, with XDA being one of the greatest forums about Android tuning, is letting App Settings fade away.
So, consider this just a reminder that being able to control fast, and effectively ALL the permissions that apps use in your Android System is one big advantage that deserves to not disappear, if we still care for rooting and user controlling what the apps in your system are doing.
One last thing, another example of permissions to control in your Android are: what apps should start after booting, what apps should keep working in the background, which ones should access your contacts... etc.
With App Settings you can control all that and more, in a fast, effective and easy way. I love Firefox, but I don’t want it to start while Android boots, or be able to access my camera (I don’t use Firefox for any camera related thing), etc.
You can’t do that at the same level with Android permissions management. It just let you control stuff that won’t go against ad industry. It’s understandable, but Google won’t be harmed by the minority of us that just want to be able to control which apps should connect to Internet and which ones shouldn’t...
I would love to contribute to App Settings development, but sadly coding isn't one of my capabilities. This thread wasn't intended to explain to the great and brilliant community of XDA what App Settings does (you already know); it is just a general description for everyone and an attempt to keep user permissions management in the spotlight.
If you reached here, thank you for reading!
Sorry for my English, it’s not my native language.

Are there any VPN apps with builtin firewall?

I can't root every device. But everyone needs both these 2 things at once on their device:
1. stuff like your keyboard app should never ever talk to the internet.
2. you need a vpn (also with dns and possibly tracker protection)
Android on all the popular devices famously does not let users deny the internet permission per app (it is a general always active permission)
You can also not use 2 "vpn" services at the same time.
If you're not rooted, you can't use iptables (so you can't use stuff like Afwall). -- correct me if I'm wrong and you have a godlike workaround
Most firewalls are just using android's "vpn" function. (e.g. netguard)
But we need the VPN for the actual VPN.
The only VPN app that also has a builtin firewall is Adguard VPN. But it is too sketchy for my liking, as reported here. It logs when and how much you use the VPN (which is equivalent to a fingerprint), their code was not audited, it is closed source, and they are neither on F-Droid nor on the Play Store.
Does anyone know of any alternatives? I tried protonvpn and privateinternetaccess and blokada plus, but none of them have a firewall (you can bypass the vpn per app, but you can't block the app's internet).
I would gladly pay big bucks for a solution; seriously. Thanks.
PS: Don't suggest using a pihole or a router based VPN because I don't have that when I'm not home so that's == 0.
NetGuard perhaps...
https://netguard.me/
[CLOSED][APP][6.0+] NetGuard - No-root firewall
NetGuard provides simple and advanced ways to block access to the internet - no root required. Applications and addresses can individually be allowed or denied access to your Wi-Fi and/or mobile connection. Blocking access to the internet can...
forum.xda-developers.com
craigacgomez said:
NetGuard perhaps...
https://netguard.me/
[CLOSED][APP][6.0+] NetGuard - No-root firewall
NetGuard provides simple and advanced ways to block access to the internet - no root required. Applications and addresses can individually be allowed or denied access to your Wi-Fi and/or mobile connection. Blocking access to the internet can...
forum.xda-developers.com
m8, netguard is a "vpn" firewall. Hence you can't use netguard and also e.g. protonVPN at the same time. That is why I asked if anyone knows of an actual VPN app that happens to also have a builtin firewall. Adguard VPN is one example.
Twodordan said:
m8, netguard is a "vpn" firewall. Hence you can't use netguard and also e.g. protonVPN at the same time.
A VPN based solution is the only one that can work without root. There is no other non-root way to control the network other than to route it through a VPN.
In OpenVPN for Android you can, while setting up a profile, select which apps should be excluded from the VPN, and disallow apps to bypass the VPN at the same time. That should do the trick.
craigacgomez said:
A VPN based solution is the only one that can work without root. There is no other non-root way to control the network other than to route it through a VPN.
Like I said, Adguard has in its VPN, a firewall and a vpn and a privacy shield all in one. It's fine that the firewall uses the vpn solution, as long as it is merged within an actual VPN app. This is what I was asking: Are there any vpn apps that also have firewall?
heinhuiz said:
In OpenVPN for Android you can, while setting up a profile, select which apps should be excluded from the VPN, and disallow apps to bypass the VPN at the same time. That should do the trick.
You have not paid attention to what I am asking. I asked if anyone knows of any app that has both vpn and firewall.
I obviously don't want to make my system LESS SECURE by allowing apps to NOT USE VPN. Plus, every vpn app under the sun has a split tunnel feature that allows apps to bypass the vpn.
Twodordan said:
You have not paid attention to what I am asking. I asked if anyone knows of any app that has both vpn and firewall.
I obviously don't want to make my system LESS SECURE by allowing apps to NOT USE VPN. Plus, every vpn app under the sun has a split tunnel feature that allows apps to bypass the vpn.
You have not paid attention to what I am answering. I tell you that OpenVPN for Android lets you select which apps you don't allow to use the VPN and AT THE SAME TIME (yes, I can YELL too) disallow apps to bypass the VPN. That results in those apps effectively being blocked from the Internet, true or not? If an app is not allowed to use the VPN and also not to bypass it, then ...
2 - 1 - 1 = 0. Think before you write, mister.
Twodordan said:
Like I said, Adguard has in its VPN, a firewall and a vpn and a privacy shield all in one. It's fine that the firewall uses the vpn solution, as long as it is merged within an actual VPN app. This is what I was asking: Are there any vpn apps that also have firewall?
So, you are looking for a VPN service that has firewall capabilities? I don't think I've seen one in the wild. Some security software providers might have this feature, but I can't verify that.
An alternative solution might be to use a local proxy server with rules to block apps from the internet, which would allow you to use any VPN service you would like.
NetPatch Firewall
Full control over your network - One advanced android NoRoot firewall
netpatch.github.io
Block ads globally like this...
Concerned for the tone of the conversation here, I'll offer up THIS for your considerations.
Not to discount any previous suggestions, it is just the one that I use... sometimes... for some devices... for some reason... I'll wait in the shadows for the lashings.
heinhuiz said:
You have not paid attention to what I am answering. I tell you that OpenVPN for Android lets you select which apps you don't allow to use the VPN and AT THE SAME TIME (yes, I can YELL too) disallow apps to bypass the VPN. That results in those apps effectively being blocked from the Internet, true or not? If an app is not allowed to use the VPN and also not to bypass it, then ...
2 - 1 - 1 = 0. Think before you write, mister.
Sorry I 100% thought if you tell an app to bypass the vpn, it bypasses the vpn, regardless of the generic setting of forcing apps to use vpn. I will experiment with this. And sorry for my harshness, my luck on forums lately was usually ppl answering the opposite of what I asked.
I will try actually to use my vpn app, set it to exclude an app from vpn, and then tell Android itself in the VPN settings to "block connections without VPN". Assuming Android's vpn switch doesn't leak (e.g. at startup or smth), that might do the trick.
Unfortunately openVPN doesn't work super well nowadays because most vpn providers chose to develop their own app / wrapper and no longer provide good openVPN guides (especially since their servers / configs change often, a static openvpn config doesn't cut it anymore). Even in linux I just use "the app" instead of openvpn configs.
Anyway, thanks I'll test soon
This isn't a practical / good solution at all for most people, because:
- you will need some apps to use the internet without a vpn (because they don't work with vpn etc)
- if you ever need to turn off your vpn globally and access the internet, say your subscription died or you just can't connect, then your "firewall" is nullified.
It's an all or nothing solution.
heinhuiz said:
Twodordan said:
This isn't a practical / good solution at all for most people, because:
- you will need some apps to use the internet without a vpn (because they don't work with vpn etc)
- if you ever need to turn off your vpn globally and access the internet, say your subscription died or you just can't connect, then your "firewall" is nullified.
It's an all or nothing solution.
You have not paid attention to what I am answering. I tell you that OpenVPN for Android lets you select which apps you don't allow to use the VPN and AT THE SAME TIME (yes, I can YELL too) disallow apps to bypass the VPN. That results in those apps effectively being blocked from the Internet, true or not? If an app is not allowed to use the VPN and also not to bypass it, then ...
2 - 1 - 1 = 0. Think before you write, mister.
Unfortunately that's not a solution. There are many apps that need to bypass the VPN while still being able to connect to the Internet, like banking apps.
While I can always just turn off the VPN before using such apps, that would also turn off the firewall feature, right? Going by that logic, I can always just turn off the Internet before using any app I want to disallow from accessing the Internet.
It kills multitasking, not that Android has much multitasking capability to begin with...sadly.
sbcontt said:
Unfortunately that's not a solution. There are many apps that need to bypass the VPN while still being able to connect to the Internet, like banking apps.
While I can always just turn off the VPN before using such apps, that would also turn off the firewall feature, right? Going by that logic, I can always just turn off the Internet before using any app I want to disallow from accessing the Internet.
It kills multitasking, not that Android has much multitasking capability to begin with...sadly.
If you want certain apps to use the Internet while you are connected through a VPN, you should sandbox them inside a Work Profile. Depending on your ROM, you might need an app like Island or Shelter to create that separated environment. This way you can use all your normal apps in the main profile with the VPN running, and those apps that need it can connect directly from the work environment. Mind that the apps in the different profiles cannot see each other, which can be a privacy bonus but also makes collaboration between them slightly more complex.
heinhuiz said:
If you want certain apps to use the Internet while you are connected through a VPN, you should sandbox them inside a Work Profile. Depending on your ROM, you might need an app like Island or Shelter to create that separated environment. This way you can use all your normal apps in the main profile with the VPN running, and those apps that need it can connect directly from the work environment. Mind that the apps in the different profiles cannot see each other, which can be a privacy bonus but also makes collaboration between them slightly more complex.
Had no idea the work profile has its own VPN slot. Thx for the suggestion. The setup is working pretty smoothly. Only concern: work profile apps can't automatically read OTP. So far, all the apps I use allow manually entering OTP. Hopefully it would be an issue. Also, I can't disable notifications of work profile apps by categories. It is either all or none.
