
Wi-Fi-Hotspot not working while AFWall+ is enabled #344

Open
bopi- opened this issue Feb 2, 2015 · 5 comments

@bopi-

commented Feb 2, 2015

AFWall+ Logs:
AppID : -11
Application's Name:
Total Packets Blocked: 4
[UDP]10.74.210.211:53(2)
[UDP]10.74.210.210:53(2)

NFLOG:
{AFL} IN= OUT=ccmni0 SRC=10.202.247.168 DST=10.74.210.210 LEN=69 PROTO=UDP SPT=53300 DPT=53 LEN=49 UID=1014
{AFL} IN= OUT=ccmni0 SRC=10.202.247.168 DST=10.74.210.211 LEN=69 PROTO=UDP SPT=53300 DPT=53 LEN=49 UID=1014

Adding a custom script solves the problem:
$IPTABLES -A afwall-3g-tether -p tcp -m owner --uid-owner 1014 -m tcp --dport 53 -j RETURN
$IPTABLES -A afwall-3g-tether -p udp -m owner --uid-owner 1014 -m udp --dport 53 -j RETURN

What do you think about adding these rules to the afwall-3g-tether chain when enabling "-12:(Tethering) - DHCP+DNS service"?

AFWall+: 1.3.4.1
Android: 4.2.2
Device: Acer Z160
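To make the triage step in this report reproducible, here is a small added parser (not part of AFWall+ or of the report) that reads NFLOG lines in the `{AFL} ... UID=...` format shown above, aggregates blocked packets per UID and destination the way the AFWall+ log view does, and emits RETURN rules in the style of the custom script for any UID whose blocked traffic is purely DNS. The sample log is constructed from the two lines in the report.

```python
import re
from collections import Counter

# Constructed sample: the two NFLOG lines from the report, repeated once with
# a different source port, giving the "4 packets, 2 per resolver" summary.
SAMPLE_NFLOG = """\
{AFL} IN= OUT=ccmni0 SRC=10.202.247.168 DST=10.74.210.210 LEN=69 PROTO=UDP SPT=53300 DPT=53 LEN=49 UID=1014
{AFL} IN= OUT=ccmni0 SRC=10.202.247.168 DST=10.74.210.211 LEN=69 PROTO=UDP SPT=53300 DPT=53 LEN=49 UID=1014
{AFL} IN= OUT=ccmni0 SRC=10.202.247.168 DST=10.74.210.210 LEN=69 PROTO=UDP SPT=53301 DPT=53 LEN=49 UID=1014
{AFL} IN= OUT=ccmni0 SRC=10.202.247.168 DST=10.74.210.211 LEN=69 PROTO=UDP SPT=53301 DPT=53 LEN=49 UID=1014
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_nflog_line(line):
    """Return the KEY=value fields of one '{AFL} ...' line as a dict, or None."""
    if not line.startswith("{AFL}"):
        return None
    fields = {}
    for key, val in KV_RE.findall(line):
        # LEN appears twice (IP header, then UDP header); keep the outer one.
        fields.setdefault(key, val)
    return fields


def summarize_blocked(log_text):
    """Map UID -> Counter of (proto, dst, dport), like the AFWall+ log summary."""
    per_uid = {}
    for line in log_text.splitlines():
        f = parse_nflog_line(line)
        if not f or "UID" not in f:
            continue
        key = (f["PROTO"], f["DST"], int(f.get("DPT", 0)))
        per_uid.setdefault(int(f["UID"]), Counter())[key] += 1
    return per_uid


def dns_allow_rules(per_uid, chain="afwall-3g-tether"):
    """Suggest RETURN rules (style of the report's custom script) for UIDs whose
    blocked traffic is only port 53; other UIDs get no rule, so nothing else
    is opened by accident."""
    rules = []
    for uid, counter in sorted(per_uid.items()):
        if all(dport == 53 for (_p, _d, dport) in counter):
            for proto in ("tcp", "udp"):
                rules.append(f"$IPTABLES -A {chain} -p {proto} -m owner "
                             f"--uid-owner {uid} -m {proto} --dport 53 -j RETURN")
    return rules
```

Feeding a real `dmesg`/NFLOG capture to `summarize_blocked` shows which UID and destination port are being dropped before any rule is added, so the RETURN rule can be kept as narrow as the log justifies.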

@CHEF-KOCH

Contributor

commented Apr 4, 2015

It depends on which configuration this works with or not. On Android 4.3+ DNS is generally disabled, but if we disable netd and enable tethering it should work (no need to add custom rules, and btw the only difference is the owner ID you gave us compared to the existing source).

Try this with the latest alpha and report back if that worked for you. Sure, you are on 4.2.2, but it's not mentioned if it's stock/nightly/aokp or which base this rom uses, so it could be working or not. Opening it automatically in general could be a security risk.

A little story about that to better understand:
DNS is known as insecure (on Windows and Linux I entirely disabled this and all still works). There is also an option under Windows to enable the caching for only a specific time via the registry (which in fact would be more secure). Disabling such a service doesn't have any negative effects, since it won't break any web page from loading, because your provider will manage this; on the client side it only acts like a cache. But remember that turning such stuff off does not empty the cache (under Windows ipconfig /flushdns, and under Linux/Android it's a bit more 'complicated' (more stuff to type)).

ndc resolver flushif <iface>  (e.g. wifi, rmnet01)
ndc resolver flushdefaultif
ndc resolver setifdns <iface> <dns1> <dns2>
ndc resolver setdefaultif <iface>

The important line:
But AFWall+ does not control such stuff since this will interfere with your system settings (and also needs a restart after each apply).

Imho the best thing is to leave it just how it comes (enabled/manual), because disabling it will stop your computer/device from registering its domain name with your local DNS server if you're on an Active Directory domain; reducing the cache duration in the registry as mentioned is the best thing (4 hours should be okay). I haven't found any similar solution in Android yet (or only at huge expense). And also remember that we have different systems (Android 4/5) and such, which may (depending on the rom/implementation) handle stuff differently.

@Mannshoch


commented Jul 14, 2015

It's strange. On my Samsung Galaxy S2 (CM11, Android 4.4.4), AFWall+ Alpha2 from F-Droid:
3G -> Wifi works with activated AFWall+
Wifi -> USB only if I deactivate AFWall+

@Mannshoch


commented Jul 15, 2015

I detected that Wifi -> USB also works if I tick "-10:(Jede App)" to be allowed for Wifi.

@CHEF-KOCH

Contributor

commented Jul 25, 2015

As I said it's no bug at all.

@Mannshoch


commented Jul 25, 2015

I know but there is a silent hope for an enhancement :-)

@CHEF-KOCH

Contributor

commented Jul 25, 2015

For what? Nothing to improve here, it's the nature of Linux.

@ukanth added the DNS and Low labels and removed the Review label on Aug 4, 2016

@varhub


commented Aug 24, 2018

@ukanth I re-flag this issue due to similar problems in Android 6.
If 1014 is a reserved uid, why not just add these and others to the list and let the user enable it?
Just like 1013 (media), -12 (tethering), -11 (kernel), 1011 (gps) and so on.

@codyit


commented Nov 12, 2018

So in my case the blocked UID is -1,
both for the hotspot and for another application in the work profile calling microG GSM.
What does -1 mean?
