Per-app address filtering #15
Comments
Following Alex on this one. Would be good to add, for each application, a black or white list of "accepted" or "non accepted" IPs. Example: Black list mode: access all IPs BUT the ones listed. White list mode: access no IP BUT the ones listed.
I hope it's the right place to post my question; otherwise, excuse me and please let me know where I can do it. But connecting my Windows PC to the internet via tethering wifi hotspot (in order to use the cellular data connection on my Samsung S2), mysterious Windows processes start in the background downloading so many megabytes without informing me. Someone suggested that I turn off (on my PC) "windows update" and so on, but I'm not sure I can identify all the processes involved in background downloads. So, I'd like to apply server-side filtering (thinking of my smartphone as a server). May someone help me? Thanks in advance, Federico
You can use netfilter/iptables to whitelist specific IP addresses or ranges, e.g.
This can get a little clumsy, though, and tends to break for sites like Google which dynamically send you to different IPs depending on geographic location and server load. Different components of each page could reside on different IPs, and constructing a suitable whitelist may take some trial and error. What might work better is to set up a proxy autoconfig (PAC) script in your Windows proxy settings. This would allow fine-grained control and pattern matching based on hostnames and URLs. Or just run tinyproxy, squid, etc. on one of the hosts and use that to filter the requests. Some other Windows-specific solutions are listed here.
Thanks for replying. I'm going to set up your scripts hoping it'll work.
The feature that apps can be controlled separately is really important to protect the phone from inside. Some apps, like for example a mail app, have to access the internet, but I only want it to access mymailserver.example.com and not to search for updates at home or maybe also send my mailserver data to the company providing the app. I really like the interface the NoRoot Firewall provides. The only problem with this firewall is that you cannot use VPN if you use the firewall. Also I think boot leakage is a problem. So I would be really happy to see a good visual interface for AFWall+, so I am +1 for this feature.
Would it be possible to add an example script on how to whitelist an app for some domains and block the rest? Would be really awesome for those of us who don't know iptables. https://serverfault.com/questions/218707/iptables-rules-to-allow-http-traffic-to-one-domain-only
Now I would really like to know how to adapt this code to, for example, allow the app k9 mail access only to mail.example.com.
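One way to express the "allow this app only a few addresses" request above (and the iptables whitelist the earlier reply alludes to), as an added example that is not AFWall+ code and not the thread's own script: it takes the app's Linux UID and a list of hostnames or IPv4 addresses, resolves the names once, and prints owner-UID-matched iptables rules for review rather than applying them. The UID, the `iptables` binary on PATH, and the app doing its own DNS lookups on port 53 are assumptions.

```shell
#!/bin/sh
# Added example, not AFWall+ code: emit iptables rules that confine one Android
# app (identified by its Linux UID) to a whitelist of IPv4 addresses.
# Assumptions: iptables is on PATH, the caller knows the app's UID, and the app
# needs DNS (UDP/TCP 53) to resolve the whitelisted hostnames itself.
# Rules are printed, not applied, so they can be reviewed; apply as root with
#   gen_app_whitelist_hosts <uid> mail.example.com | sh
IPT=iptables

# Resolve a hostname to its current IPv4 addresses, one per line.
# This is a one-time lookup: if the host moves to new addresses, the rules
# must be regenerated (the thread's point about domain vs. IP blocking).
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# gen_app_whitelist <uid> <ipv4-or-cidr>...
gen_app_whitelist() {
    [ $# -ge 1 ] || { echo "usage: gen_app_whitelist <uid> <addr>..." >&2; return 1; }
    uid="$1"; shift
    # Let the app reach a resolver so the whitelisted names can be looked up.
    echo "$IPT -A OUTPUT -m owner --uid-owner $uid -p udp --dport 53 -j ACCEPT"
    echo "$IPT -A OUTPUT -m owner --uid-owner $uid -p tcp --dport 53 -j ACCEPT"
    # One ACCEPT per permitted address; everything else from this UID is
    # rejected (REJECT rather than DROP so the app fails fast, not by timeout).
    for addr in "$@"; do
        echo "$IPT -A OUTPUT -m owner --uid-owner $uid -d $addr -j ACCEPT"
    done
    echo "$IPT -A OUTPUT -m owner --uid-owner $uid -j REJECT"
}

# gen_app_whitelist_hosts <uid> <hostname|ipv4|cidr>...
# Hostnames are expanded via resolve_v4; literal addresses pass through.
gen_app_whitelist_hosts() {
    [ $# -ge 1 ] || { echo "usage: gen_app_whitelist_hosts <uid> <host>..." >&2; return 1; }
    uid="$1"; shift
    addrs=""
    for h in "$@"; do
        case "$h" in
            *[!0-9./]*) addrs="$addrs $(resolve_v4 "$h")" ;;
            *)          addrs="$addrs $h" ;;
        esac
    done
    # shellcheck disable=SC2086  # splitting $addrs into words is intended
    gen_app_whitelist "$uid" $addrs
}
```

The ACCEPT rules must precede the final REJECT for the UID, and any existing per-app chain the firewall already installs would have to be accounted for before applying these on a device.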
I believe this would require some significant effort to bring to life. Are there any plans on tackling this specific feature, @ukanth?
Shouldn't this be rather straightforward to implement?
Hi guys, my idea is a prompt every time an app (that is allowed) wants to access an unknown IP address. I will fork the project and try around.
@Jabb0, if you get a working prototype, I'll be happy to test!
@Jabb0 The reverse lookup is probably not too useful because you can have unlimited numbers of domains associated to a single IP address. This feature could also be abused for tracking if the app developer runs his own DNS server.
@T-vK I wonder if it is necessary to block by domains instead of IPs. So far the domain is resolved before the iptables block takes effect.
@Jabb0 I'm not sure how AFWall is handling DNS queries, but when blocking an app with AFWall, I was not able to resolve DNS queries with that app. You are of course right about iptables, I totally forgot about that. iptables falls more into the category of a filter (i.e. not a proxy). Generally on Linux dnsmasq would be the way to go when it comes to analyzing DNS queries to filter by host name. I don't know how AFWall is set up though. I think a good solution would be to allow both, whitelists/blacklists for IPs and whitelists/blacklists for domains. But there would have to be a caching mechanism that keeps track of which IP addresses have been returned to all DNS queries. The most difficult challenge that I see is having an [allow once] and [deny once] option. I think it can be implemented by temporarily adding the rules and removing them again as soon as the iptables log shows that a request has been made. I'm not sure if that could cause problems with receiving an answer for protocols such as TCP and HTTP, though. If it can be implemented the way that I assume it could, then I think this might be the way to go: I hope this makes sense. I'm not an Android developer, so I'm making a few assumptions here and there.
@T-vK Looks reasonable to me. Thank you! After I understood that part and how AFWall works I want to extend the functionality.
I've never heard about ndc, but it seems to be a command line utility to create/configure/remove network interfaces (ndc network) and to change DNS server settings (ndc resolver). I was not able to find that utility on my Android 6 phone, though. So this might be something that only existed on older devices. And I would say that it is by definition not possible to block by domain without a proxy. You could do without a DNS proxy, but you would still need a proxy. I'm not a big fan of the concept, though, because APIs change and Xposed development can't really keep up.
Current status:
-> First attempt is to block IP/Port per app without a prompt or anything. Also possible with domain blocking, but via iptables (which is probably a one-time lookup). Still missing:
My fork is here (no changes yet): https://github.com/Jabb0/afwall
Domain names can't be resolved without a DNS-level proxy (cernekee did work on those a few years back). The reason I haven't done those changes is because there are a few design-level changes required (like profiles/whitelist/blocklist, etc.). Also, where does this get stored and at what stage does it get executed? There are still many areas I need to make changes; before that we can't implement these changes without affecting the existing. Please get in touch with me if you need more details. I'm a little occupied with actual work and couldn't get enough time to go over GitHub/XDA questions, but I will spend some time tomorrow on it.
@ukanth How can I get in touch with you?
@Jabb0 Hello, can you please guide how to install your forked version? I am asking for a guide for beginners. I have a rooted phone; how can I install it? The guide on the GitHub page is not sufficient for me.
Hi @deepanshu830, until now I haven't committed any changes, because I only had time to do some GUI stuff. Also I discussed with ukanth that there need to be some changes to the way the app applies the iptables rules before we can efficiently store per-app rules, for example a new database structure. In general:
Signing up for the request. Would be great to have it!
This function would be really useful.
@Jabb0 Do you still have your parts lying around by any chance? I would like to help implement this feature, but I'm still overwhelmed by the complexity of some classes (like Api). Overall, I find it kind of hard to read the source of this app. A hint in the right direction would surely help :)
@franzmueller Great that you like to pick this up. I have been too busy to continue with my work. Here are some insights:
I already started to create a screen to set IP/port-based rules per app. I think it would be best to set up the database to store all rules. Inside the Api.java addRulesForUidlist method the rules are applied for each application UID.
Make it possible to filter traffic by address/subnet on a per-application basis without using scripts. Will probably require creating a dialog to enter addresses permitted for the application and marking such application with an icon in the application list.