Mobile Data Limit bypassing AF rules on some devices #9

skullone · 2013-01-09T17:28:26Z

Currently investigating reports of this issue. Mobile Data limit does not break my Galaxy Nexus (toro) so further information is needed.

mikeymcmikenson · 2013-01-17T04:00:40Z

Mobile Data Limit breaks the AFon my Droid Razr Maxx running rooted stock 4.0.4. Turning off Mobile Data Limit re-enables firewall after I re-"apply rules" in AF

skullone · 2013-01-17T12:00:16Z

Mikey,

I need some extra information from you.

Install terminal emulator if you don't already have it. You can get it
off the Play Store here:
https://play.google.com/store/apps/details?id=jackpal.androidterm
Disable Mobile Data Limit.
Enable the firewall.
4 Open terminal emulator.
Type su and hit enter. Terminal emulator will ask for root access.
Grant it root access.
type iptables -L and hit enter. Send me that output. Terminal
Emulator has the ability to send that information through e-mail.
Enable Mobile Data Limit.
Repeat step 6.

Thanks!

-Jason

On Wed, Jan 16, 2013 at 11:00 PM, mikeymcmikenson
notifications@github.comwrote:

Mobile Data Limit breaks the AFon my Droid Razr Maxx running rooted stock
4.0.4. Turning off Mobile Data Limit re-enables firewall after I re-"apply
rules" in AF

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/9#issuecomment-12353547.

mikeymcmikenson · 2013-01-20T00:10:04Z

Jason,

Here you go. The first iptables is without mobile data little enabled and the second is with mobile data limit enabled.

Mike

Qapp_210@cdma_spyder:/ $ su
root@cdma_spyder:/ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
all -- anywhere anywhere ! quota globalAlert: 2097152 bytes
ACCEPT all -- anywhere anywhere
all -- anywhere anywhere owner socket exists

Chain FORWARD (policy DROP)
target prot opt source destination
oem_fwd all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
all -- anywhere anywhere ! quota globalAlert: 2097152 bytes
oem_out all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
all -- anywhere anywhere owner socket exists
droidwall all -- anywhere anywhere

Chain costly_shared (0 references)
target prot opt source destination
penalty_box all -- anywhere anywhere
all -- anywhere anywhere owner socket exists
ACCEPT all -- anywhere anywhere

Chain droidwall (1 references)
target prot opt source destination
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
RETURN udp -- anywhere anywhere owner UID match root udp dpt:domain
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere

Chain droidwall-3g (17 references)
target prot opt source droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere droidwall-reject all -- anywhere destination
anywhere owner UID match app_109
anywhere owner UID match app_154
anywhere owner UID match app_94
anywhere owner UID match app_95
anywhere owner UID match app_55
anywhere owner UID match app_92
anywhere owner UID match app_210
anywhere owner UID match app_192
anywhere owner UID match app_204
anywhere owner UID match app_197
anywhere owner UID match app_84
anywhere owner UID match app_201
anywhere owner UID match app_75
anywhere owner UID match app_52
anywhere owner UID match app_53
anywhere owner UID match app_168
anywhere owner UID match app_161
anywhere owner UID match app_17
anywhere owner UID match app_110
anywhere owner UID match app_163
anywhere owner UID match app_80
anywhere owner UID match app_165
anywhere owner UID match app_120
anywhere owner UID match app_164
anywhere owner UID match app_200
anywhere owner UID match app_31
anywhere owner UID match app_68
anywhere owner UID match app_134

Chain droidwall-reject (55 references)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain droidwall-wifi (6 references)
target prot opt source destination
droidwall-reject all -- anywhere anywhere owner UID match app_134
droidwall-reject all -- anywhere anywhere owner UID match app_68
droidwall-reject all -- anywhere anywhere owner UID match app_31
droidwall-reject all -- anywhere anywhere owner UID match app_200
droidwall-reject all -- anywhere anywhere owner UID match app_164
droidwall-reject all -- anywhere anywhere owner UID match app_120
droidwall-reject all -- anywhere anywhere owner UID match app_165
droidwall-reject all -- anywhere anywhere owner UID match app_80
droidwall-reject all -- anywhere anywhere owner UID match app_163
droidwall-reject all -- anywhere anywhere owner UID match app_17
droidwall-reject all -- anywhere anywhere owner UID match app_161
droidwall-reject all -- anywhere anywhere owner UID match app_168
droidwall-reject all -- anywhere anywhere owner UID match app_53
droidwall-reject all -- anywhere anywhere owner UID match app_52
droidwall-reject all -- anywhere anywhere owner UID match app_75
droidwall-reject all -- anywhere anywhere owner UID match app_201
droidwall-reject all -- anywhere anywhere owner UID match app_84
droidwall-reject all -- anywhere anywhere owner UID match app_197
droidwall-reject all -- anywhere anywhere owner UID match app_204
droidwall-reject all -- anywhere anywhere owner UID match app_192
droidwall-reject all -- anywhere anywhere owner UID match app_210
droidwall-reject all -- anywhere anywhere owner UID match app_92
droidwall-reject all -- anywhere anywhere owner UID match app_55
droidwall-reject all -- anywhere anywhere owner UID match app_95
droidwall-reject all -- anywhere anywhere owner UID match app_94
droidwall-reject all -- anywhere anywhere owner UID match app_154
droidwall-reject all -- anywhere anywhere owner UID match app_109

Chain oem_fwd (1 references)
target prot opt source destination
FIX ME! implement getnetbyaddr() bionic/libc/bionic/stubs.c:444
REJECT all -- anywhere 192.168.157.2 reject-with icmp-port-unreachable

Chain oem_out (1 references)
target prot opt source destination
FIX ME! implement getnetbyaddr() bionic/libc/bionic/stubs.c:444
oem_out_wrigley all -- anywhere 192.168.157.2

Chain oem_out_wrigley (1 references)
target prot opt source destination
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:3265
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:3267
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:11000
oem_out_wrigley_other all -- anywhere anywhere

Chain oem_out_wrigley_other (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere owner UID match root
ACCEPT all -- anywhere anywhere owner UID match radio
ACCEPT all -- anywhere anywhere owner UID match log
ACCEPT all -- anywhere anywhere owner UID match shell
ACCEPT all -- anywhere anywhere owner UID match mot_tcmd
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain oem_out_wrigley_sens (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere owner UID match root
ACCEPT all -- anywhere anywhere owner UID match radio
ACCEPT all -- anywhere anywhere owner UID match mot_tcmd
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain penalty_box (1 references)
target prot opt source destination
REJECT all -- anywhere anywhere owner UID match app_205 reject-with icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_197 reject-with icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_196 reject-with icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_190 reject-with icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_175 reject-with icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_168 reject-with icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_125 reject-with icmp-net-prohibited
root@cdma_spyder:/ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
all -- anywhere anywhere ! quota globalAlert: 2097152 bytes
costly_rmnet1 all -- anywhere anywhere [goto]
costly_rmnet0 all -- anywhere anywhere [goto]
ACCEPT all -- anywhere anywhere
all -- anywhere anywhere owner socket exists

Chain FORWARD (policy DROP)
target prot opt source destination
oem_fwd all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
all -- anywhere anywhere ! quota globalAlert: 2097152 bytes
costly_rmnet1 all -- anywhere anywhere [goto]
costly_rmnet0 all -- anywhere anywhere [goto]
oem_out all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
all -- anywhere anywhere owner socket exists
droidwall all -- anywhere anywhere

Chain costly_rmnet0 (2 references)
target prot opt source destination
REJECT all -- anywhere anywhere ! quota rmnet0: 3813511388 bytes reject-with icmp-net-prohibited
penalty_box all -- anywhere anywhere
all -- anywhere anywhere owner socket exists
ACCEPT all -- anywhere anywhere

Chain costly_rmnet1 (2 references)
target prot opt source destination
REJECT all -- anywhere anywhere ! quota rmnet1: 3813511388 bytes reject-with icmp-net-prohibited
penalty_box all -- anywhere anywhere
all -- anywhere anywhere owner socket exists
ACCEPT all -- anywhere anywhere

Chain costly_shared (0 references)
target prot opt source destination
penalty_box all -- anywhere anywhere
all -- anywhere anywhere owner socket exists
ACCEPT all -- anywhere anywhere

Chain droidwall (1 references)
target prot opt source destination
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
RETURN udp -- anywhere anywhere owner UID match root udp dpt:domain
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere

Chain droidwall-3g (17 references)
target prot opt source destination
droidwall-reject all -- anywhere anywhere owner UID match app_109
droidwall-reject all -- anywhere anywhere owner UID match app_154
droidwall-reject all -- anywhere anywhere owner UID match app_94
droidwall-reject all -- anywhere anywhere owner UID match app_95
droidwall-reject all -- anywhere anywhere owner UID match app_55
droidwall-reject all -- anywhere anywhere owner UID match app_92
droidwall-reject all -- anywhere anywhere owner UID match app_210
droidwall-reject all -- anywhere anywhere owner UID match app_192
droidwall-reject all -- anywhere anywhere owner UID match app_204
droidwall-reject all -- anywhere anywhere owner UID match app_197
droidwall-reject all -- anywhere anywhere owner UID match app_84
droidwall-reject all -- anywhere anywhere owner UID match app_201
droidwall-reject all -- anywhere anywhere owner UID match app_75
droidwall-reject all -- anywhere anywhere owner UID match app_52
droidwall-reject all -- anywhere anywhere owner UID match app_53
droidwall-reject all -- anywhere anywhere owner UID match app_168
droidwall-reject all -- anywhere anywhere owner UID match app_161
droidwall-reject all -- anywhere anywhere owner UID match app_17
droidwall-reject all -- anywhere anywhere owner UID match app_110
droidwall-reject all -- anywhere anywhere owner UID match app_163
droidwall-reject all -- anywhere anywhere owner UID match app_80
droidwall-reject all -- anywhere anywhere owner UID match app_165
droidwall-reject all -- anywhere anywhere owner UID match app_120
droidwall-reject all -- anywhere anywhere owner UID match app_164
droidwall-reject all -- anywhere anywhere owner UID match app_200
droidwall-reject all -- anywhere anywhere owner UID match app_31
droidwall-reject all -- anywhere anywhere owner UID match app_68
droidwall-reject all -- anywhere anywhere owner UID match app_134

Chain droidwall-reject (55 references)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain droidwall-wifi (6 references)
target prot opt source destination
droidwall-reject all -- anywhere anywhere owner UID match app_134
droidwall-reject all -- anywhere anywhere owner UID match app_68
droidwall-reject all -- anywhere anywhere owner UID match app_31
droidwall-reject all -- anywhere anywhere owner UID match app_200
droidwall-reject all -- anywhere anywhere owner UID match app_164
droidwall-reject all -- anywhere anywhere owner UID match app_120
droidwall-reject all -- anywhere anywhere owner UID match app_165
droidwall-reject all -- anywhere anywhere owner UID match app_80
droidwall-reject all -- anywhere anywhere owner UID match app_163
droidwall-reject all -- anywhere anywhere owner UID match app_17
droidwall-reject all -- anywhere anywhere owner UID match app_161
droidwall-reject all -- anywhere anywhere owner UID match app_168
droidwall-reject all -- anywhere anywhere owner UID match app_53
droidwall-reject all -- anywhere anywhere owner UID match app_52
droidwall-reject all -- anywhere anywhere owner UID match app_75
droidwall-reject all -- anywhere anywhere owner UID match app_201
droidwall-reject all -- anywhere anywhere owner UID match app_84
droidwall-reject all -- anywhere anywhere owner UID match app_197
droidwall-reject all -- anywhere anywhere owner UID match app_204
droidwall-reject all -- anywhere anywhere owner UID match app_192
droidwall-reject all -- anywhere anywhere owner UID match app_210
droidwall-reject all -- anywhere anywhere owner UID match app_92
droidwall-reject all -- anywhere anywhere owner UID match app_55
droidwall-reject all -- anywhere anywhere owner UID match app_95
droidwall-reject all -- anywhere anywhere owner UID match app_94
droidwall-reject all -- anywhere anywhere owner UID match app_154
droidwall-reject all -- anywhere anywhere owner UID match app_109

Chain oem_fwd (1 references)
target prot opt source destination
FIX ME! implement getnetbyaddr() bionic/libc/bionic/stubs.c:444
REJECT all -- anywhere 192.168.157.2 reject-with icmp-port-unreachable

Chain oem_out (1 references)
target prot opt source destination
FIX ME! implement getnetbyaddr() bionic/libc/bionic/stubs.c:444
oem_out_wrigley all -- anywhere 192.168.157.2

Chain oem_out_wrigley (1 references)
target prot opt source destination
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:3265
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:3267
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:11000
oem_out_wrigley_other all -- anywhere anywhere

Chain oem_out_wrigley_other (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere owner UID match root
ACCEPT all -- anywhere anywhere owner UID match radio
ACCEPT all -- anywhere anywhere owner UID match log
ACCEPT all -- anywhere anywhere owner UID match shell
ACCEPT all -- anywhere anywhere owner UID match mot_tcmd
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain oem_out_wrigley_sens (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere owner UID match root
ACCEPT all -- anywhere anywhere owner UID match radio
ACCEPT all -- anywhere anywhere owner UID match mot_tcmd
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain penalty_box (3 references)
target prot opt source destination
REJECT all -- anywhere anywhere owner UID match app_205 reject-with icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_197 reject-with icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_196 reject-with icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_190 reject-with icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_175 reject-with icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_168 reject-with icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_125 reject-with icmp-net-prohibited
root@cdma_spyder:/ #

-----Original Message-----

From: Jason Tschohl
Sent: 17 Jan 2013 12:00:19 GMT
To: skullone/android_firewall
Cc: mikeymcmikenson
Subject: Re: [android_firewall] Mobile Data Limit bypassing AF rules on some devices (#9)

Mikey,

I need some extra information from you.

Install terminal emulator if you don't already have it. You can get it
off the Play Store here:
https://play.google.com/store/apps/details?id=jackpal.androidterm
Disable Mobile Data Limit.
Enable the firewall.
4 Open terminal emulator.
Type su and hit enter. Terminal emulator will ask for root access.
Grant it root access.
type iptables -L and hit enter. Send me that output. Terminal
Emulator has the ability to send that information through e-mail.
Enable Mobile Data Limit.
Repeat step 6.

Thanks!

-Jason

On Wed, Jan 16, 2013 at 11:00 PM, mikeymcmikenson
notifications@github.comwrote:

Mobile Data Limit breaks the AFon my Droid Razr Maxx running rooted stock
4.0.4. Turning off Mobile Data Limit re-enables firewall after I re-"apply
rules" in AF

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/9#issuecomment-12353547.

Reply to this email directly or view it on GitHub:
#9 (comment)

skullone · 2013-01-20T01:00:38Z

Thanks Mikey. That's what I'm looking for.

Can you send me the output from this command as well? Same way you did the
other one. So I need the data with the firewall enabled and data limit on
and data limit off.

iptables --list OUTPUT --verbose

Thanks!

-Jason

On Sat, Jan 19, 2013 at 7:10 PM, mikeymcmikenson
notifications@github.comwrote:

Jason,

Here you go. The first iptables is without mobile data little enabled and
the second is with mobile data limit enabled.

Mike

Qapp_210@cdma_spyder:/ $ su
root@cdma_spyder:/ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
all -- anywhere anywhere ! quota globalAlert: 2097152 bytes
ACCEPT all -- anywhere anywhere
all -- anywhere anywhere owner socket exists

Chain FORWARD (policy DROP)
target prot opt source destination
oem_fwd all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
all -- anywhere anywhere ! quota globalAlert: 2097152 bytes
oem_out all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
all -- anywhere anywhere owner socket exists
droidwall all -- anywhere anywhere

Chain costly_shared (0 references)
target prot opt source destination
penalty_box all -- anywhere anywhere
all -- anywhere anywhere owner socket exists
ACCEPT all -- anywhere anywhere

Chain droidwall (1 references)
target prot opt source destination
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
RETURN udp -- anywhere anywhere owner UID match root udp dpt:domain
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere

Chain droidwall-3g (17 references)
target prot opt source destination
droidwall-reject all -- anywhere anywhere owner UID match app_109
droidwall-reject all -- anywhere anywhere owner UID match app_154
droidwall-reject all -- anywhere anywhere owner UID match app_94
droidwall-reject all -- anywhere anywhere owner UID match app_95
droidwall-reject all -- anywhere anywhere owner UID match app_55
droidwall-reject all -- anywhere anywhere owner UID match app_92
droidwall-reject all -- anywhere anywhere owner UID match app_210
droidwall-reject all -- anywhere anywhere owner UID match app_192
droidwall-reject all -- anywhere anywhere owner UID match app_204
droidwall-reject all -- anywhere anywhere owner UID match app_197
droidwall-reject all -- anywhere anywhere owner UID match app_84
droidwall-reject all -- anywhere anywhere owner UID match app_201
droidwall-reject all -- anywhere anywhere owner UID match app_75
droidwall-reject all -- anywhere anywhere owner UID match app_52
droidwall-reject all -- anywhere anywhere owner UID match app_53
droidwall-reject all -- anywhere anywhere owner UID match app_168
droidwall-reject all -- anywhere anywhere owner UID match app_161
droidwall-reject all -- anywhere anywhere owner UID match app_17
droidwall-reject all -- anywhere anywhere owner UID match app_110
droidwall-reject all -- anywhere anywhere owner UID match app_163
droidwall-reject all -- anywhere anywhere owner UID match app_80
droidwall-reject all -- anywhere anywhere owner UID match app_165
droidwall-reject all -- anywhere anywhere owner UID match app_120
droidwall-reject all -- anywhere anywhere owner UID match app_164
droidwall-reject all -- anywhere anywhere owner UID match app_200
droidwall-reject all -- anywhere anywhere owner UID match app_31
droidwall-reject all -- anywhere anywhere owner UID match app_68
droidwall-reject all -- anywhere anywhere owner UID match app_134

Chain droidwall-reject (55 references)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain droidwall-wifi (6 references)
target prot opt source destination
droidwall-reject all -- anywhere anywhere owner UID match app_134
droidwall-reject all -- anywhere anywhere owner UID match app_68
droidwall-reject all -- anywhere anywhere owner UID match app_31
droidwall-reject all -- anywhere anywhere owner UID match app_200
droidwall-reject all -- anywhere anywhere owner UID match app_164
droidwall-reject all -- anywhere anywhere owner UID match app_120
droidwall-reject all -- anywhere anywhere owner UID match app_165
droidwall-reject all -- anywhere anywhere owner UID match app_80
droidwall-reject all -- anywhere anywhere owner UID match app_163
droidwall-reject all -- anywhere anywhere owner UID match app_17
droidwall-reject all -- anywhere anywhere owner UID match app_161
droidwall-reject all -- anywhere anywhere owner UID match app_168
droidwall-reject all -- anywhere anywhere owner UID match app_53
droidwall-reject all -- anywhere anywhere owner UID match app_52
droidwall-reject all -- anywhere anywhere owner UID match app_75
droidwall-reject all -- anywhere anywhere owner UID match app_201
droidwall-reject all -- anywhere anywhere owner UID match app_84
droidwall-reject all -- anywhere anywhere owner UID match app_197
droidwall-reject all -- anywhere anywhere owner UID match app_204
droidwall-reject all -- anywhere anywhere owner UID match app_192
droidwall-reject all -- anywhere anywhere owner UID match app_210
droidwall-reject all -- anywhere anywhere owner UID match app_92
droidwall-reject all -- anywhere anywhere owner UID match app_55
droidwall-reject all -- anywhere anywhere owner UID match app_95
droidwall-reject all -- anywhere anywhere owner UID match app_94
droidwall-reject all -- anywhere anywhere owner UID match app_154
droidwall-reject all -- anywhere anywhere owner UID match app_109

Chain oem_fwd (1 references)
target prot opt source destination
FIX ME! implement getnetbyaddr() bionic/libc/bionic/stubs.c:444
REJECT all -- anywhere 192.168.157.2 reject-with icmp-port-unreachable

Chain oem_out (1 references)
target prot opt source destination
FIX ME! implement getnetbyaddr() bionic/libc/bionic/stubs.c:444
oem_out_wrigley all -- anywhere 192.168.157.2

Chain oem_out_wrigley (1 references)
target prot opt source destination
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:3265
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:3267
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:11000
oem_out_wrigley_other all -- anywhere anywhere

Chain oem_out_wrigley_other (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere owner UID match root
ACCEPT all -- anywhere anywhere owner UID match radio
ACCEPT all -- anywhere anywhere owner UID match log
ACCEPT all -- anywhere anywhere owner UID match shell
ACCEPT all -- anywhere anywhere owner UID match mot_tcmd
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain oem_out_wrigley_sens (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere owner UID match root
ACCEPT all -- anywhere anywhere owner UID match radio
ACCEPT all -- anywhere anywhere owner UID match mot_tcmd
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain penalty_box (1 references)
target prot opt source destination
REJECT all -- anywhere anywhere owner UID match app_205 reject-with
icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_197 reject-with
icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_196 reject-with
icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_190 reject-with
icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_175 reject-with
icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_168 reject-with
icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_125 reject-with
icmp-net-prohibited
root@cdma_spyder:/ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
all -- anywhere anywhere ! quota globalAlert: 2097152 bytes
costly_rmnet1 all -- anywhere anywhere [goto]
costly_rmnet0 all -- anywhere anywhere [goto]
ACCEPT all -- anywhere anywhere
all -- anywhere anywhere owner socket exists

Chain FORWARD (policy DROP)
target prot opt source destination
oem_fwd all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
all -- anywhere anywhere ! quota globalAlert: 2097152 bytes
costly_rmnet1 all -- anywhere anywhere [goto]
costly_rmnet0 all -- anywhere anywhere [goto]
oem_out all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
all -- anywhere anywhere owner socket exists
droidwall all -- anywhere anywhere

Chain costly_rmnet0 (2 references)
target prot opt source destination
REJECT all -- anywhere anywhere ! quota rmnet0: 3813511388 bytes
reject-with icmp-net-prohibited
penalty_box all -- anywhere anywhere
all -- anywhere anywhere owner socket exists
ACCEPT all -- anywhere anywhere

Chain costly_rmnet1 (2 references)
target prot opt source destination
REJECT all -- anywhere anywhere ! quota rmnet1: 3813511388 bytes
reject-with icmp-net-prohibited
penalty_box all -- anywhere anywhere
all -- anywhere anywhere owner socket exists
ACCEPT all -- anywhere anywhere

Chain costly_shared (0 references)
target prot opt source destination
penalty_box all -- anywhere anywhere
all -- anywhere anywhere owner socket exists
ACCEPT all -- anywhere anywhere

Chain droidwall (1 references)
target prot opt source destination
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
RETURN udp -- anywhere anywhere owner UID match root udp dpt:domain
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-3g all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere
droidwall-wifi all -- anywhere anywhere

Chain droidwall-3g (17 references)
target prot opt source destination
droidwall-reject all -- anywhere anywhere owner UID match app_109
droidwall-reject all -- anywhere anywhere owner UID match app_154
droidwall-reject all -- anywhere anywhere owner UID match app_94
droidwall-reject all -- anywhere anywhere owner UID match app_95
droidwall-reject all -- anywhere anywhere owner UID match app_55
droidwall-reject all -- anywhere anywhere owner UID match app_92
droidwall-reject all -- anywhere anywhere owner UID match app_210
droidwall-reject all -- anywhere anywhere owner UID match app_192
droidwall-reject all -- anywhere anywhere owner UID match app_204
droidwall-reject all -- anywhere anywhere owner UID match app_197
droidwall-reject all -- anywhere anywhere owner UID match app_84
droidwall-reject all -- anywhere anywhere owner UID match app_201
droidwall-reject all -- anywhere anywhere owner UID match app_75
droidwall-reject all -- anywhere anywhere owner UID match app_52
droidwall-reject all -- anywhere anywhere owner UID match app_53
droidwall-reject all -- anywhere anywhere owner UID match app_168
droidwall-reject all -- anywhere anywhere owner UID match app_161
droidwall-reject all -- anywhere anywhere owner UID match app_17
droidwall-reject all -- anywhere anywhere owner UID match app_110
droidwall-reject all -- anywhere anywhere owner UID match app_163
droidwall-reject all -- anywhere anywhere owner UID match app_80
droidwall-reject all -- anywhere anywhere owner UID match app_165
droidwall-reject all -- anywhere anywhere owner UID match app_120
droidwall-reject all -- anywhere anywhere owner UID match app_164
droidwall-reject all -- anywhere anywhere owner UID match app_200
droidwall-reject all -- anywhere anywhere owner UID match app_31
droidwall-reject all -- anywhere anywhere owner UID match app_68
droidwall-reject all -- anywhere anywhere owner UID match app_134

Chain droidwall-reject (55 references)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain droidwall-wifi (6 references)
target prot opt source destination
droidwall-reject all -- anywhere anywhere owner UID match app_134
droidwall-reject all -- anywhere anywhere owner UID match app_68
droidwall-reject all -- anywhere anywhere owner UID match app_31
droidwall-reject all -- anywhere anywhere owner UID match app_200
droidwall-reject all -- anywhere anywhere owner UID match app_164
droidwall-reject all -- anywhere anywhere owner UID match app_120
droidwall-reject all -- anywhere anywhere owner UID match app_165
droidwall-reject all -- anywhere anywhere owner UID match app_80
droidwall-reject all -- anywhere anywhere owner UID match app_163
droidwall-reject all -- anywhere anywhere owner UID match app_17
droidwall-reject all -- anywhere anywhere owner UID match app_161
droidwall-reject all -- anywhere anywhere owner UID match app_168
droidwall-reject all -- anywhere anywhere owner UID match app_53
droidwall-reject all -- anywhere anywhere owner UID match app_52
droidwall-reject all -- anywhere anywhere owner UID match app_75
droidwall-reject all -- anywhere anywhere owner UID match app_201
droidwall-reject all -- anywhere anywhere owner UID match app_84
droidwall-reject all -- anywhere anywhere owner UID match app_197
droidwall-reject all -- anywhere anywhere owner UID match app_204
droidwall-reject all -- anywhere anywhere owner UID match app_192
droidwall-reject all -- anywhere anywhere owner UID match app_210
droidwall-reject all -- anywhere anywhere owner UID match app_92
droidwall-reject all -- anywhere anywhere owner UID match app_55
droidwall-reject all -- anywhere anywhere owner UID match app_95
droidwall-reject all -- anywhere anywhere owner UID match app_94
droidwall-reject all -- anywhere anywhere owner UID match app_154
droidwall-reject all -- anywhere anywhere owner UID match app_109

Chain oem_fwd (1 references)
target prot opt source destination
FIX ME! implement getnetbyaddr() bionic/libc/bionic/stubs.c:444
REJECT all -- anywhere 192.168.157.2 reject-with icmp-port-unreachable

Chain oem_out (1 references)
target prot opt source destination
FIX ME! implement getnetbyaddr() bionic/libc/bionic/stubs.c:444
oem_out_wrigley all -- anywhere 192.168.157.2

Chain oem_out_wrigley (1 references)
target prot opt source destination
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:3265
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:3267
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
oem_out_wrigley_sens tcp -- anywhere anywhere tcp dpt:11000
oem_out_wrigley_other all -- anywhere anywhere

Chain oem_out_wrigley_other (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere owner UID match root
ACCEPT all -- anywhere anywhere owner UID match radio
ACCEPT all -- anywhere anywhere owner UID match log
ACCEPT all -- anywhere anywhere owner UID match shell
ACCEPT all -- anywhere anywhere owner UID match mot_tcmd
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain oem_out_wrigley_sens (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere owner UID match root
ACCEPT all -- anywhere anywhere owner UID match radio
ACCEPT all -- anywhere anywhere owner UID match mot_tcmd
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain penalty_box (3 references)
target prot opt source destination
REJECT all -- anywhere anywhere owner UID match app_205 reject-with
icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_197 reject-with
icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_196 reject-with
icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_190 reject-with
icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_175 reject-with
icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_168 reject-with
icmp-net-prohibited
REJECT all -- anywhere anywhere owner UID match app_125 reject-with
icmp-net-prohibited
root@cdma_spyder:/ #

-----Original Message-----

From: Jason Tschohl
Sent: 17 Jan 2013 12:00:19 GMT
To: skullone/android_firewall
Cc: mikeymcmikenson
Subject: Re: [android_firewall] Mobile Data Limit bypassing AF rules on
some devices (#9)

Mikey,

I need some extra information from you.

Install terminal emulator if you don't already have it. You can get it
off the Play Store here:
https://play.google.com/store/apps/details?id=jackpal.androidterm

Disable Mobile Data Limit.

Enable the firewall.
4 Open terminal emulator.

Type su and hit enter. Terminal emulator will ask for root access.
Grant it root access.

type iptables -L and hit enter. Send me that output. Terminal
Emulator has the ability to send that information through e-mail.

Enable Mobile Data Limit.

Repeat step 6.

Thanks!

-Jason

On Wed, Jan 16, 2013 at 11:00 PM, mikeymcmikenson
notifications@github.comwrote:

Mobile Data Limit breaks the AFon my Droid Razr Maxx running rooted
stock
4.0.4. Turning off Mobile Data Limit re-enables firewall after I
re-"apply
rules" in AF

�
Reply to this email directly or view it on GitHub<
https://github.com/skullone/android_firewall/issues/9#issuecomment-12353547>.

Reply to this email directly or view it on GitHub:
#9 (comment)

�
Reply to this email directly or view it on GitHubhttps://github.com//issues/9#issuecomment-12463630.

mikeymcmikenson · 2013-01-20T10:21:03Z

Mobile data limit on, then off:
(ps this is a problem that has existed since droidwall. I checked it too)

app_210@cdma_spyder:/ $ su
root@cdma_spyder:/ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
all -- anywhere anywhere ! quota globalAlert: 2097152 bytes
ACCEPT all -- anywhere anywhere
all -- anywhere anywhere owner socket exists