Firewallrules will be changed when I use tethering #134
Comments
…rfaces Use the ConnectivityChangeReceiver for more than just roaming: any time the system notifies us that the network configuration has changed, see if any of the parameters relevant to AFWall+ have changed. If so, recalculate and reapply the firewall rules. This should also address ukanth#134 (OUTPUT rules left wide open after tethering is disabled).
…rfaces Use the ConnectivityChangeReceiver for more than just roaming: any time the system notifies us that the network configuration has changed, see if any of the parameters relevant to AFWall+ have changed. If so, recalculate and reapply the firewall rules. This should also address ukanth#134 (OUTPUT rules left wide open after tethering is disabled).
…rfaces Use the ConnectivityChangeReceiver for more than just roaming: any time the system notifies us that the network configuration has changed, see if any of the parameters relevant to AFWall+ have changed. If so, recalculate and reapply the firewall rules. This should also address ukanth#134 (OUTPUT rules left wide open after tethering is disabled).
|
Merged 👍 This patches should resolve the issue. |
|
Hello Umakanthan and cernekee, thank you for your fast and good response. I donwloaded the beta-Version today from xda-developers (thank you for posting the apk there!). But unfortunately the problem is not solved. If I switch the Wireless Tethering, the iptable-Rules will be changed or flushed. A reboot didn't change anything. I don't know enough Java, that I could really help you. Is there a possibility to apply the rules always, if there is a ConnectivityChange detected? Because not all users need it, it should be selecteable in the settings? I would be very greatful, if you could solve the problem. |
|
I'll look into this issue. Thanks for the detailed log. |
|
"Is there a possibility to apply the rules always, if there is a ConnectivityChange detected?" When I enable tethering on JB 4.1 or 4.2, I typically get a couple of ConnectivityChange intents, including one when the wifi LAN connection is lost and another one when the interface comes back up as an AP. The rules do get flushed along the way but AFWall notices the interface/IP changes and re-applies them each time. It would be helpful to post your output from: adb logcat -s "AFWall:*" to see what messages pop up during the untethered->tethered transition. The AFWall beta should be used. |
|
Wow, that was fast! Again the logs with the AFWall 1.2.5. Beta.
I don't know how to execute this command. So I used the app alogcat and hope, that the result will be the same. If I filter for "AFWall" the result is empty. Only iptables will be found. But no changes to the logs with version 1.2.4.1. Switch tethering on:via aLogcat: Switch tethering off:via aLogcat: |
|
Strange, I don't see any connectivity change broadcasts at all. AFWall should log a debug message for each one. Do you see any "connectivity_changed" log messages when you enable/disable airplane mode? Maybe we will need to also listen for ACTION_TETHER_STATE_CHANGED. BTW the log contains your WPA PSK password in hex, so you'll probably want to change it. |
Thank you for that hint! OK, here the logs for switching airplane-mode on and off. Here looks everthing ok and the rules have been applied correctly. First all entries for AFWall: And here the full log, slightly shortened: (at pastebin for a better overview) |
|
I made furthermore three tests now, but with litte additional information:
|
|
As cernekee mentioned, we might need to add ACTION_TETHER_STATE_CHANGE to apply the rule on tether state change. |
|
This issue is resolved. |
I have some problems with afwall and WLAN-tethering. If I activate tethering and also if I deactivate it, the iptable-rules will be changed. Especially the outputchain will be buypassed. Then my phone has full access to internet. And I want also to filter tethering, but in this case I have no chance to do that.
Both times, at activating and deactivation the ruleset of iptables will be changed. Is there any possibility to avoid that? For me this bug seems critical, because it bypasses the complete firewall.
I found for droidwall some issue, which look very similar.
https://github.com/peterhoeg/droidwall/issues/18
http://code.google.com/p/droidwall/issues/detail?id=123
Sorry, that I post so much information, but I hope, this will help you to find a solution.
The beginning
My iptable-ruleset:
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Now I activate tethering.
The iptable-list looks like this:
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Logcate gives me something like this:
--------- beginning of /dev/log/system
W/InputManagerService( 2060): Window already focused, ignoring focus gain of: com.android.internal.view.IInputMethodClient$Stub$Proxy@406fc630
I/ActivityManager( 2060): Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10100000 cmp=com.android.settings/.Settings bnds=[655,403][753,476] } from pid 2060
I/ActivityManager( 2060): Starting: Intent { act=android.intent.action.MAIN cmp=com.android.settings/.TetherSettings } from pid 11355
--------- beginning of /dev/log/main
D/ViewConsistency(11355): AbsListView android.widget.ListView@4055d4c0 enabled= false
D/ViewConsistency(11355): AbsListView android.widget.ListView@4055d4c0 enabled= false
I/ActivityManager( 2060): Displayed com.android.settings/.TetherSettings: +238ms
D/BluetoothNetworkService( 2060): updating tether state
D/BluetoothNetworkService( 2060): interface tiap0
D/Tethering( 2060): sendTetherStateChangedBroadcast 1, 0, 0
D/Tethering( 2060): interfaceAdded :tiap0
D/CommandListener( 1476): Setting iface cfg
D/Tethering( 2060): Tethering tiap0
D/Tethering( 2060): InitialState.processMessage what=2
D/NetworkManagmentService( 2060): rsp <213 00:00:00:00:00:00 0.0.0.0 0.0.0.0 [down broadcast multicast]>
D/NetworkManagmentService( 2060): flags <[down broadcast multicast]>
D/Tethering( 2060): sendTetherStateChangedBroadcast 0, 0, 0
D/BluetoothNetworkService( 2060): updating tether state
D/Tethering( 2060): Tethered tiap0
D/BluetoothNetworkService( 2060): updating tether state
D/Tethering( 2060): sendTetherStateChangedBroadcast 0, 1, 0
I/ActivityManager( 2060): Start proc com.cyanogenmod.cmparts for broadcast com.cyanogenmod.cmparts/.intents.LEDNotificationReceiver: pid=15574 uid=1000 gids={1015, 3002, 3001, 3003}
D/Tethering( 2060): MasterInitialState.processMessage what=1
E/dalvikvm(15574): could not disable core file generation for pid 15574: Operation not permitted
D/Tethering( 2060): Tether Mode requested by tiap0 - TetheredState - Tethered - lastError =0
D/Tethering( 2060): chooseUpstreamType(false), dunRequired =false, iface=rmnet0
D/Tethering( 2060): checking if hipri brought us this connection
D/Tethering( 2060): notifying tethered with iface =rmnet0
D/TetherController( 1476): Setting IP forward enable = 1
D/NetworkManagmentService( 2060): rsp <213 00:00:00:00:00:00 10.240.55.234 255.0.0.0 [up running]>
D/NetworkManagmentService( 2060): flags <[up running]>
D/TetherController( 1476): Starting tethering services
D/TetherController( 1476): Tethering services running
D/TetherController( 1476): setDnsForwarders(0 = '8.8.8.8')
D/TetherController( 1476): setDnsForwarders(1 = '4.2.2.2')
D/TetherController( 1476): Sending update msg to dnsmasq [update_dns:8.8.8.8:4.2.2.2]
D/Tethering( 2060): TetheredState.processMessage what=12
I/dnsmasq (15576): started, version 2.51 cachesize 150
I/dnsmasq (15576): compile time options: no-IPv6 GNU-getopt no-DBus no-I18N DHCP no-scripts no-TFTP
W/dnsmasq (15576): warning: no upstream servers configured
I/dnsmasq (15576): DHCP, IP range 192.168.43.2 -- 192.168.43.254, lease time 1h
I/dnsmasq (15576): DHCP, IP range 192.168.42.2 -- 192.168.42.254, lease time 1h
D/szipinf (15574): Initializing inflate state
I/tiap_loader(15572): Set property wlan.ap.driver.status = ok - Ok
I/ActivityThread(15574): Pub com.cyanogenmod.cmparts.provider.Settings: com.cyanogenmod.cmparts.provider.SettingsProvider
I//system/bin/iptables( 1476): ACCEPT all opt -- in rmnet0 out tiap0 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
I//system/bin/iptables( 1476): ACCEPT all opt -- in tiap0 out rmnet0 0.0.0.0/0 -> 0.0.0.0/0
I//system/bin/iptables( 1476): MASQUERADE all opt -- in * out rmnet0 0.0.0.0/0 -> 0.0.0.0/0
I/ActivityManager( 2060): Process android.process.media (pid 11750) has died.
I/dnsmasq (15576): read /etc/hosts - 22032 addresses
I/dnsmasq (15576): using nameserver 4.2.2.2#53
I/dnsmasq (15576): using nameserver 8.8.8.8#53
D/SoftapController( 1476): Softap driver start: 0
I/hostap (15712): Configuration file: /data/misc/wifi/hostapd.conf
I/hostap (15712): _hostapd_init_iface_
I/hostap (15712): ctrl_interface_group=0
I/hostap (15712): HAPDTI wilink_init: enter
I/hostap (15712): BSS count 1, BSSID mask ff:ff:ff:ff:ff:ff (0 bits)
I/hostap (15712): HAPDTI wilink_wireless_event_init: enter
I/hostap (15712): HAPDTI wilink_get_we_version: enter
I/hostap (15712): SIOCGIWRANGE: WE(compiled)=22 WE(source)=19 enc_capa=0xf
I/hostap (15712): regulatory_build_hw_capability: Country=TI indx=4
I/hostap (15712): RATE[0] rate=10 flags=0x152
I/hostap (15712): RATE[1] rate=20 flags=0x152
I/hostap (15712): RATE[2] rate=55 flags=0x152
I/hostap (15712): RATE[3] rate=110 flags=0x152
I/hostap (15712): RATE[4] rate=60 flags=0x150
I/hostap (15712): RATE[5] rate=90 flags=0x150
I/hostap (15712): RATE[6] rate=120 flags=0x150
I/hostap (15712): RATE[7] rate=180 flags=0x150
I/hostap (15712): RATE[8] rate=240 flags=0x150
I/hostap (15712): RATE[9] rate=360 flags=0x150
I/hostap (15712): RATE[10] rate=480 flags=0x150
I/hostap (15712): RATE[11] rate=540 flags=0x150
I/hostap (15712): Passive scanning not supported
I/hostap (15712): Flushing old station entries
I/hostap (15712): Deauthenticate all stations
I/hostap (15712): HAPDTI wilink_sta_deauth: enter
I/hostap (15712): HAPDTI wilink_send_mgmt_frame: sending 26 byte MGMT frame to ff:ff:ff:ff:ff:ff
I/hostap (15712): MGMT - hexdump(len=26): c0 00 00 00 ff ff ff ff ff ff a4 ed 4e fd 5d b0 a4 ed 4e fd 5d b0 00 00 02 00
I/hostap (15712): l2_packet_send - sendto: Network is down
I/hostap (15712): Mode: IEEE 802.11g Channel: 11 Frequency: 2462 MHz
I/hostap (15712): Using interface tiap0 with hwaddr a4:ed:4e:fd:5d:b0 and ssid 'AndroidAP'
I/hostap (15712): SSID - hexdump_ascii(len=9):
I/hostap (15712): PSK (ASCII passphrase) - hexdump_ascii(len=12):
I/hostap (15712): WPA: group state machine entering state GTK_INIT (VLAN-ID 0)
I/hostap (15712): GMK - hexdump(len=32): [REMOVED]
I/hostap (15712): GTK - hexdump(len=16): [REMOVED]
I/hostap (15712): WPA: group state machine entering state SETKEYSDONE (VLAN-ID 0)
I/hostap (15712): Using existing control interface directory.
I/hostap (15712): HAPDTI wilink_commit: COMMIT
I/hostap (15712): tiap0: Setup of interface done.
I/hostap (15712): l2_packet_receive - recvfrom: Network is down
I/hostap (15712): l2_packet_receive - recvfrom: Network is down
D/SoftapController( 1476): Softap startap - Ok
I/hostap (15712): RX ctrl_iface - hexdump_ascii(len=4):
I/hostap (15712): 50 49 4e 47 PING
D/SoftapController( 1476): tiwlan0 - tiap0 - AndroidAP - wpa2-psk - (null)
I/hostap (15712): HAPDTI wilink_wireless_event_receive: enter
I/hostap (15712): HAPDTI wilink_wireless_event_rtm_newlink: enter
I/hostap (15712): HAPDTI wilink_wireless_event_receive: enter
I/hostap (15712): HAPDTI wilink_wireless_event_rtm_newlink: enter
I/hostap (15712): RX ctrl_iface - hexdump_ascii(len=8):
I/hostap (15712): 52 45 43 4f 4e 46 49 47 RECONFIG
I/hostap (15712): ***_hostapd_reconfig_iface_
I/hostap (15712): Flushing old station entries
I/hostap (15712): Deauthenticate all stations
I/hostap (15712): HAPDTI wilink_sta_deauth: enter
I/hostap (15712): HAPDTI wilink_send_mgmt_frame: sending 26 byte MGMT frame to ff:ff:ff:ff:ff:ff
I/hostap (15712): MGMT - hexdump(len=26): c0 00 00 00 ff ff ff ff ff ff a4 ed 4e fd 5d b0 a4 ed 4e fd 5d b0 00 00 02 00
I/ActivityManager( 2060): Process dev.ukanth.ufirewall (pid 7465) has died.
I/WindowManager( 2060): WIN DEATH: Window{40806ec8 dev.ukanth.ufirewall/dev.ukanth.ufirewall.MainActivity paused=false}
I/hostap (15712): _hostapd_deinit_iface_
I/hostap (15712): Control interface directory not empty - leaving it behind
I/hostap (15712): HAPDTI wilink_wireless_event_deinit: enter
I/hostap (15712): HAPDTI wilink_deinit: enter
I/hostap (15712): _hostapd_init_iface_
I/hostap (15712): ctrl_interface_group=0
I/hostap (15712): HAPDTI wilink_init: enter
I/hostap (15712): BSS count 1, BSSID mask ff:ff:ff:ff:ff:ff (0 bits)
I/hostap (15712): HAPDTI wilink_wireless_event_init: enter
I/hostap (15712): HAPDTI wilink_get_we_version: enter
I/hostap (15712): SIOCGIWRANGE: WE(compiled)=22 WE(source)=19 enc_capa=0xf
I/hostap (15712): regulatory_build_hw_capability: Country=TI indx=4
I/hostap (15712): RATE[0] rate=10 flags=0x152
I/hostap (15712): RATE[1] rate=20 flags=0x152
I/hostap (15712): RATE[2] rate=55 flags=0x152
I/hostap (15712): RATE[3] rate=110 flags=0x152
I/hostap (15712): RATE[4] rate=60 flags=0x150
I/hostap (15712): RATE[5] rate=90 flags=0x150
I/hostap (15712): RATE[6] rate=120 flags=0x150
I/hostap (15712): RATE[7] rate=180 flags=0x150
I/hostap (15712): RATE[8] rate=240 flags=0x150
I/hostap (15712): RATE[9] rate=360 flags=0x150
I/hostap (15712): RATE[10] rate=480 flags=0x150
I/hostap (15712): RATE[11] rate=540 flags=0x150
I/hostap (15712): Passive scanning not supported
I/hostap (15712): Flushing old station entries
I/hostap (15712): Deauthenticate all stations
I/hostap (15712): HAPDTI wilink_sta_deauth: enter
I/hostap (15712): HAPDTI wilink_send_mgmt_frame: sending 26 byte MGMT frame to ff:ff:ff:ff:ff:ff
I/hostap (15712): MGMT - hexdump(len=26): c0 00 00 00 ff ff ff ff ff ff a4 ed 4e fd 5d b0 a4 ed 4e fd 5d b0 00 00 02 00
I/hostap (15712): Mode: IEEE 802.11g Channel: 11 Frequency: 2462 MHz
I/hostap (15712): Using interface tiap0 with hwaddr a4:ed:4e:fd:5d:b0 and ssid 'AndroidAP'
I/hostap (15712): SSID - hexdump_ascii(len=9):
I/hostap (15712): PSK (ASCII passphrase) - hexdump_ascii(len=12):
I/hostap (15712): WPA: group state machine entering state GTK_INIT (VLAN-ID 0)
I/hostap (15712): GMK - hexdump(len=32): [REMOVED]
I/hostap (15712): GTK - hexdump(len=16): [REMOVED]
I/hostap (15712): WPA: group state machine entering state SETKEYSDONE (VLAN-ID 0)
I/hostap (15712): Using existing control interface directory.
I/hostap (15712): HAPDTI wilink_commit: COMMIT
I/hostap (15712): tiap0: Setup of interface done.
I/hostap (15712): HAPDTI wilink_wireless_event_receive: enter
I/hostap (15712): HAPDTI wilink_wireless_event_rtm_newlink: enter
D/SoftapController( 1476): Softap set - Ok
D/dalvikvm( 6715): GC_EXPLICIT freed 492K, 53% free 2884K/6087K, external 0K/0K, paused 42ms
D/dalvikvm( 2060): GC_EXTERNAL_ALLOC freed 1307K, 43% free 5788K/10055K, external 3780K/3809K, paused 163ms
I/ActivityManager( 2060): Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10100000 cmp=org.jtb.alogcat/.LogActivity } from pid 2060
D/dalvikvm(11355): GC_EXPLICIT freed 79K, 46% free 3089K/5703K, external 0K/0K, paused 902ms
I/hostap (15712): wilink_rx_mgmt: received MGMT with len 281 from c0:25:06:7c:c4:ce
I/hostap (15712): MGMT - hexdump(len=283): 00 00 80 00 00 00 ff ff ff ff ff ff c0 25 06 7c c4 ce c0 25 06 7c c4 ce 20 39 a0 09 d5 b0 22 02 00 00 64 00 31 04 00 11 46 52 49 54 5a 21 42 6f 78 20 37 33 33 30 20 53 4c 01 08 82 84 8b 96 0c 12 18 24 03 01 0b 05 04 00 01 00 00 07 06 44 45 20 01 0d 14 2a 01 00 30 14 01 00 00 0f ac 02 01 00 00 0f ac 04 01 00 00 0f ac 02 00 00 32 04 30 48 60 6c 2d 1a ee 11 1b ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3d 16 0b 07 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dd 16 00 50 f2 01 01 00 00 50 f2 02 01 00 00 50 f2 02 01 00 00 50 f2 02 dd 18 00 50 f2 02 01 01 01 00 03 a4 00 00 27 a4 00 00 42 43 5e 00 62 32 2f 00 dd 09 00 03 7f 01 01 00 00 ff 7f dd 0c 00 04 0e 01 01 02 01 00 00 00 00 00 dd 27 00 50 f2 04 10 4a 00 01 10 10 44 00 01 02 10 47 00 10 77 a0 81 04 7f e0 4a 63 81 b1 c0 25 06 7c c4 10 10 3c 00 01 03
I/hostap (15712): HAPDTI wilink_rx_mgmt: processing management frame
I/hostap (15712): station is not foundc0:25:06:7c:c4:ce
.
.
.
Especially the following entries look bad to me:
I//system/bin/iptables( 1476): ACCEPT all opt -- in rmnet0 out tiap0 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
I//system/bin/iptables( 1476): ACCEPT all opt -- in tiap0 out rmnet0 0.0.0.0/0 -> 0.0.0.0/0
I//system/bin/iptables( 1476): MASQUERADE all opt -- in * out rmnet0 0.0.0.0/0 -> 0.0.0.0/0
Now I will deactivate the WLAN Tethering:
The iptable-list looks like this:
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Logcate gives me something like this:
I/hostap (15712): wilink_rx_mgmt: received MGMT with len 281 from c0:25:06:7c:c4:ce
I/hostap (15712): MGMT - hexdump(len=283): 00 00 80 00 00 00 ff ff ff ff ff ff c0 25 06 7c c4 ce c0 25 06 7c c4 ce 00 42 4b c2 af b1 22 02 00 00 64 00 31 04 00 11 46 52 49 54 5a 21 42 6f 78 20 37 33 33 30 20 53 4c 01 08 82 84 8b 96 0c 12 18 24 03 01 0b 05 04 00 01 00 00 07 06 44 45 20 01 0d 14 2a 01 00 30 14 01 00 00 0f ac 02 01 00 00 0f ac 04 01 00 00 0f ac 02 00 00 32 04 30 48 60 6c 2d 1a ee 11 1b ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3d 16 0b 07 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dd 16 00 50 f2 01 01 00 00 50 f2 02 01 00 00 50 f2 02 01 00 00 50 f2 02 dd 18 00 50 f2 02 01 01 01 00 03 a4 00 00 27 a4 00 00 42 43 5e 00 62 32 2f 00 dd 09 00 03 7f 01 01 00 00 ff 7f dd 0c 00 04 0e 01 01 02 01 00 00 00 00 00 dd 27 00 50 f2 04 10 4a 00 01 10 10 44 00 01 02 10 47 00 10 77 a0 81 04 7f e0 4a 63 81 b1 c0 25 06 7c c4 10 10 3c 00 01 03
I/hostap (15712): HAPDTI wilink_rx_mgmt: processing management frame
I/hostap (15712): station is not foundc0:25:06:7c:c4:ce
I/ActivityManager( 2060): Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10100000 cmp=com.android.settings/.Settings bnds=[655,403][753,476] } from pid 2060
W/InputManagerService( 2060): Window already focused, ignoring focus gain of: com.android.internal.view.IInputMethodClient$Stub$Proxy@406d5eb0
D/dalvikvm( 6715): GC_CONCURRENT freed 245K, 51% free 3024K/6087K, external 0K/0K, paused 39ms+7ms
D/Tethering( 2060): TetheredState.processMessage what=4
I//system/bin/iptables( 1476): Flushing chain
INPUT' I//system/bin/iptables( 1476): Flushing chainOUTPUT'I//system/bin/iptables( 1476): Flushing chain
FORWARD' I//system/bin/iptables( 1476): Flushing chainPREROUTING'I//system/bin/iptables( 1476): Flushing chain
POSTROUTING' I//system/bin/iptables( 1476): Flushing chainOUTPUT'D/Tethering( 2060): Untethered tiap0
D/BluetoothNetworkService( 2060): updating tether state
D/Tethering( 2060): sendTetherStateChangedBroadcast 0, 0, 0
D/Tethering( 2060): TetherModeAliveState.processMessage what=2
D/TetherController( 1476): Stopping tethering services
I/dnsmasq (15576): exiting on receipt of SIGTERM
D/TetherController( 1476): Tethering services stopped
D/TetherController( 1476): Setting IP forward enable = 0
D/Tethering( 2060): notifying tethered with iface =null
D/dalvikvm( 2060): GC_EXTERNAL_ALLOC freed 1360K, 43% free 5771K/10055K, external 4223K/4252K, paused 124ms
I/ActivityManager( 2060): Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10100000 cmp=org.jtb.alogcat/.LogActivity } from pid 2060
D/dalvikvm( 6715): GC_CONCURRENT freed 371K, 50% free 3051K/6087K, external 0K/0K, paused 18ms+4ms
And here bother me especially the following lines:
I//system/bin/iptables( 1476): Flushing chain
INPUT' I//system/bin/iptables( 1476): Flushing chainOUTPUT'I//system/bin/iptables( 1476): Flushing chain
FORWARD' I//system/bin/iptables( 1476): Flushing chainPREROUTING'I//system/bin/iptables( 1476): Flushing chain
POSTROUTING' I//system/bin/iptables( 1476): Flushing chainOUTPUT'My System:
Network-interfaces:
The text was updated successfully, but these errors were encountered: