
Firewall: Root mode

Open ignoramous opened this issue 3 years ago • 5 comments

When the device has root access, it is probably more efficient on the battery to switch to iptables than to rely on the VPN APIs, which among other things prevent other VPN apps from running on the device.

Ref: github/ukanth/dev/ukanth/ufirewall/Api.java

ignoramous avatar Aug 30 '20 17:08 ignoramous

I think the battery consumption won't deviate too much (after all, the VPN is also implemented with iptables, ip route and such). But for sure it's going to be a bit less with bare iptables. Another minor advantage would be that some devices incorrectly assign other apps battery usage to BraveDNS with a VPN active, which wouldn't happen with iptables.

Ch4t4r avatar Sep 01 '20 14:09 Ch4t4r

Will the iptables usage enable device-wide "vpn" back again? Since Android VPN is a per-user-profile thing. Since one can keep a work profile where VPNXYZ runs and run Rethink on the main profile side by side. Or if the work profile does not have VPN enabled, it leaks all work profile apps... :( Without root, one needs to run 1x Rethink for each profile.

Yes, with root, RethinkDNS would likely hook netlink commands and wouldn't be beholden to trapping packets from the VPN tunnel.

Also, we do plan to integrate WireGuard with the app itself, so even in non-root mode, users would optionally be able to forward connections from the firewall out to a WireGuard endpoint of their choice. #52

ignoramous avatar Jun 17 '21 07:06 ignoramous

@ignoramous any progress on the root mode firewall? AFWall+ is kind of dead.

Raif1 avatar Apr 04 '22 04:04 Raif1

I wouldn't say AfWall+ is dead, but rather there's nothing more to add nor remove (:

Re: RethinkDNS and root mode: We haven't started on it yet. It isn't hard to do what AfWall+ does, but it is fundamentally at odds with the kind of (app-oriented) firewall we have built. An interface exposing AfWall+-like rules (iptables) and RethinkDNS-like rules (app-specific) is likely to confuse not just the users, but us as well.

We keep looking for that finer balance (there are ideas for it in the OpenSnitch code-base), but it isn't trivial to do so, unfortunately. I am open to someone else coding down this path and willing to spend time with them on this on impl/design, as right now, and for some more months to come, our team is stretched super thin amidst rolling out a newer network-engine for the firewall, redesigning the UI of the app, and creating a paid version (similar to NextDNS or ControlD). Note though, the app will remain free and open source.

ignoramous avatar Apr 06 '22 10:04 ignoramous