
Firewall for Apps

Open SSoft7 opened this issue 7 years ago • 11 comments

Hi,

It would be nice if you could add features like NoRoot Firewall to it. Actually, I wanted to block apps from connecting to the network.

SSoft7 avatar Oct 27 '16 12:10 SSoft7

Then we end up with a more privacy focused (ad-free) version of NetGuard. It's a nice idea, but it eats a lot more battery: The entire network traffic needs to be routed via the VPN.

Unless you are OK with just blocking DNS access to the app - if it hardcodes IP addresses, it would still be able to connect to them, but every attempt to access the internet by names would fail.

Otherwise, see #27 for more reasons on stuff involving whole-network redirects.

julian-klode avatar Oct 27 '16 14:10 julian-klode

Moving to a new non-rooted device, I figured that I need a simple yet efficient ad blocker like this, but could also use a firewall for a couple of apps, so I support this idea.

> Unless you are OK with just blocking DNS access to the app - if it hardcodes IP addresses, it would still be able to connect to them, but every attempt to access the internet by names would fail.

Realistically, what are the odds? I can see big players like Facebook, Twitter, Google doing this, but hey - there are tons of alternative apps for those. I haven't made any apps so this is just an assumption, but I don't really see a reason for a majority of apps to use IP addresses instead of convenient domains.

Madis0 avatar Nov 08 '16 06:11 Madis0

OK, so let's talk implementation details:

Assuming we have a list of apps to block, we map the apps to their UIDs.

For each packet that comes in:

  1. Resolve the packet's local port to a UID by reading /proc/net/udp
  2. If the UID is currently blocked, answer with NXDOMAIN; otherwise forward the query

That assumes that DNS queries are issued using the app's UID. I have not checked if that's the case, but I'll probably find out soon.

julian-klode avatar Feb 26 '17 11:02 julian-klode
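The two steps sketched above, worked through as an added example (this is not code from DNS66 or from anyone in this thread): a parser for the `/proc/net/udp` table that maps a local UDP port to the owning UID, and a minimal DNS handler that answers a query from a blocked UID with NXDOMAIN and otherwise hands it back for forwarding. The `/proc/net/udp` contents, the UIDs, the blocked-UID set and the query are all constructed for the example. The sample deliberately includes a socket owned by UID 1001, the system DNS resolver, to show the attribution problem ps100000 raises later in the thread: if every query leaves from that UID, the port-to-UID lookup can never name the app, and on Android 10 and later unprivileged apps cannot read `/proc/net/udp` at all.

```python
import struct

# Constructed sample of /proc/net/udp (not captured from a real device).
# Columns: sl local_address rem_address st tx_queue rx_queue tr tm->when
#          retrnsmt uid timeout inode ref pointer drops
# local_address is hex IPv4 (little-endian on most ABIs) ":" hex port.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 120: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
 240: 00000000:C4A2 00000000:0000 07 00000000:00000000 00:00000000 00000000 10123        0 23456 2 0000000000000000 0
 241: 0100007F:D3F1 00000000:0000 07 00000000:00000000 00:00000000 00000000  1001        0 34567 2 0000000000000000 0
"""

# Assumed app UID for the example; Android app UIDs normally start at 10000.
BLOCKED_UIDS = {10123}
# Android's DNS resolver daemon runs as this UID (system "net.bt_stack" / netd).
RESOLVER_UID = 1001


def parse_proc_net_udp(text):
    """Return {local_port: uid} from text in /proc/net/udp format."""
    ports = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        _ip_hex, port_hex = fields[1].split(":")
        ports[int(port_hex, 16)] = int(fields[7])
    return ports


def build_query(qname, txid=0x1234):
    """Build a minimal A query (RD set) for qname; used as sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def nxdomain_response(query):
    """Answer a query with RCODE 3 (NXDOMAIN), echoing ID and question."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    # QR=1, keep the client's RD bit, RA=1, RCODE=3; no answer/authority records.
    rflags = 0x8000 | (flags & 0x0100) | 0x0080 | 0x0003
    return struct.pack("!HHHHHH", txid, rflags, qdcount, 0, 0, 0) + query[12:]


def rcode(msg):
    """RCODE field of a DNS message header."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def is_response(msg):
    """True if the QR bit is set."""
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x8000)


def handle_query(src_port, query, port_to_uid, blocked_uids):
    """Step 1 + step 2: map the source port to a UID, then block or forward.

    Returns the NXDOMAIN reply to send back, or None meaning "forward upstream".
    """
    uid = port_to_uid.get(src_port)
    if uid in blocked_uids:
        return nxdomain_response(query)
    return None


if __name__ == "__main__":
    ports = parse_proc_net_udp(SAMPLE_PROC_NET_UDP)
    q = build_query("example.com")
    for port in (0xC4A2, 0xD3F1):
        reply = handle_query(port, q, ports, BLOCKED_UIDS)
        owner = ports.get(port)
        verdict = "NXDOMAIN" if reply else "forward"
        note = " (resolver UID, app not attributable)" if owner == RESOLVER_UID else ""
        print(f"port {port} uid {owner}: {verdict}{note}")
```

Run as a script it prints one verdict per sample socket: the app-owned socket is answered with NXDOMAIN, the resolver-owned socket is forwarded. The second case is the point to take from the thread's later comments: when the OS resolver issues every query from its own UID, this lookup only ever sees UID 1001 and a per-app policy cannot be enforced at the DNS layer this way.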

If you implement something like the UI that I suggested in #75, you can easily modify it to support this by

  • Changing the default preference to a ListPreference where you choose what to block: All, Ads, or Nothing.
  • Doing the same thing for each preference, so you can [White/black/block]list it.

I suggested using booleans in that, which would require you to add some upgrade code, but if you used a string or int there instead, it would also be fairly painless to add an additional option.

smichel17 avatar Mar 07 '17 20:03 smichel17

Thank you very much for considering this feature! Having the battery-related downsides of VPN-based firewalls in mind, this would definitely be a highly appreciated alternative! I used to root all my previous devices, but with frequent firmware updates and irreversible root flags I'd like to keep my new device unrooted. I believe more and more people are starting to think that way. So they all would appreciate a firewall/adblock solution like dns66 that can do that without compromises on battery life.

IgitBuh avatar Mar 13 '17 12:03 IgitBuh

The Triangle app is a good example. For the APK, search apkmirror.com.

jerryn70 avatar Jul 04 '17 15:07 jerryn70

> Unless you are OK with just blocking DNS access to the app - if it hardcodes IP addresses, it would still be able to connect to them, but every attempt to access the internet by names would fail.

For me that would be sufficient.

My idea for the GUI: instead of a checkbox per app in the Apps tab, you get red (no DNS request gets resolved at all), yellow (standard, filtered) and green (pass-through). There could be a fourth state, grey, meaning "default", and you may change the default to any of the three values.

Alternatively, you could use black (for blacklisted) with a white border for dark skins, grey for standard, and white (with a border for light skins) or green for pass-through. Brown or purple could be default. But this does not sound very good to me, except for the black of course.

I'd also be completely satisfied if there is a blacklist, just a list of Apps that are not allowed to use DNS, independent from any other management. Maybe on a new tab.

Does this fit the problem and is feasible?

tag6 avatar Oct 29 '18 14:10 tag6

Someone wrote in a corresponding Blokada issue that, beginning with Android 10, it's no longer possible to see which application made a request.

edit: ~~The user did not mention a source for it yet so I don't know how valid this is.~~

:arrow_down: See comment below :arrow_down:

PS: thank you for responding @ps100000

alexanderadam avatar Feb 25 '20 10:02 alexanderadam

Source: https://developer.android.com/about/versions/10/privacy/changes#proc-net-filesystem

ps100000 avatar Feb 25 '20 14:02 ps100000

@julian-klode

> 2. If the UID is currently blocked, answer with NXDOMAIN, otherwise forward query

This wouldn't work anyway, as on Android all DNS queries are done by a system process (UID 1001). I did spend quite some time investigating this for Blokada. Too bad it won't work on Android 10 anymore. On the other hand, it's good that apps can't just read connection info like that.

ps100000 avatar Feb 25 '20 14:02 ps100000

Hello :)

We published an IPv4-only (at this point) TCP/UDP user-space firewall library for Android a few days back [0], written in Go (obviously, this comes with runtime overhead and bloats up the app's size). It is lacking documentation, but you can learn from how RethinkDNS uses the APIs [1]. If anyone's up for it, you can attempt to integrate it with DNS66, if only to experiment. It also supports DoH and DNSCrypt, but you'd likely lose a lot of functionality that DNS66 supports, so you're better off skipping that part.

Note though, the APIs (exposed to the Java/Kotlin layer) are not stable and will likely continue to be in flux as RethinkDNS approaches v1.

[0] https://github.com/celzero/firestack

[1] https://github.com/celzero/rethink-app/blob/6e7618eb2ed7e/app/build.gradle#L146-L147

ignoramous avatar Mar 02 '21 18:03 ignoramous