[ISSUE] AFWall (sometimes) fails to cleanly reapply the rules on connectivity change

[lemmy04]

Sometimes AFWall+ fails to cleanly reapply the rules, possibly on connectivity change. The only indication that it has happened is that new connections to the outside or from the outside to the device (for example ssh into my tablet) don't work.

If that happens, it also happens that disabling the firewall doesn't remove the rules altogether.

Workaround: disable firewall THEN manually remove all rules THEN enable the firewall again.

This seems to have started around February 2021.

Smartphones

1. Samsung S8+ running Android 9, rooted with Magisk 22.0
2. Samsung Tab S5e running Android 9, rooted with Magisk 22.0
3. Samsung Tab S2 running Android 7, rooted with Magisk 22.0

All devices are running the regular Samsung images, except for being rooted.

Additional context This happens on all three devices. and as far as I can tell connectivity changes are what triggers it.

[ukanth]

When it happens please export the rules (menu-> show rules) and then after you apply take rules again and attach both here. I will check it.

[lemmy04]

should there be any rules at all, when the firewall has been disabled?

[ukanth]

yes. rules will be there.

[lemmy04]

of course something like this takes weeks to show up again, once you file a ticket about it o.0 Anyway, here's the two rules exports.

"before" is the export of rules when the network didn't work, the other one is after disabling afwall, wiping the rules, and turning it on again.

IPv4rules_before.log IPv4rules.log

[ukanth]

Have you removed AFwall+ from optimize battery usage , so that it can run without being killed ?

[lemmy04]

i have now - on a samsung-contaminated android it's hard to find where to do that. lets see if that changes anything.

[ngrigoriev]

I second that, this is a bug that I started to see right after upgrading to 3.5.0.

Scenario: an app having 4 types of connections enabled in AFwall+ (local, wifi, cellular, VPN)

1. Be on Wifi, make sure everything works (or reapply the IPv4 rules if it does not)
2. Turn off WiFi (or leave the coverage area)
3. Re-enable Wifi (or come back home)
4. The device successfully reconnect to the network but no application will be able to access the network (specifically your test app)
5. This situation will not resolve itself until you either disable the firewall OR re-apply the rules. Once the rules are re-applied, the app will start working

I did a few tests and concluded that it seems to happen only when coming back to WiFi network, does not seem to happen when switching to cellular. I have noticed this bug because after coming back home my phone would never receive anything.

This certainly did not happen with 3.4.0 which I used for about two months.

According to what I see in the logs, it seems AFWall receives the interface change notification but for some reason decides to ignore it.

P.S. Nokia 8.3 5G, Android 11, AFWall 3.5.0 from F-Droid, no other firewall apps. Wireguard VPN client installed but no VPN tunnel is used during testing.

[ngrigoriev]

I have just installed 3.5.2.1 and it seems the issue is gone. But I will keep testing it to confirm.

With 3.5.0 it was perfectly reproducible even when moving from one API to another on the same WiFi net. I could be on Teams call in the backyard, walk to another side of the house, get kicked to another API in a minute and loose the call until manually reapplying the rules.

[lemmy04]

Where/How can I get 3.5.2.1? I have 3.5.2 (donation version) from the play store right now.

[ukanth]

it's a point release just for f-droid. it's almost same as 3.5.2