Firewall: Root mode #66

Open
ignoramous opened this issue Aug 30, 2020 · 5 comments

@ignoramous
Collaborator

When the device has root access, it is probably more efficient on the battery to switch to IP Tables than to rely on the VPN APIs, which among other things prevent other VPN apps from running on the device.

Ref: github/ukanth/dev/ukanth/ufirewall/Api.java

@Ch4t4r
Contributor

Ch4t4r commented Sep 1, 2020

I think the battery consumption won't deviate too much (after all, the VPN is also implemented with iptables, ip route and such). But for sure it's going to be a bit less with bare iptables.
Another minor advantage would be that some devices incorrectly assign other apps' battery usage to BraveDNS with a VPN active, which wouldn't happen with iptables.

@4-FLOSS-Free-Libre-Open-Source-Software

Will the iptables usage enable device-wide "vpn" back again? Since Android VPN is a per-user profile thing.
Since you can keep a work profile where you run VPNXYZ and run Rethink on the main profile side by side. Or if the work profile does not have a VPN enabled, it leaks all work profile apps... :( Without root, you need to run 1x Rethink for each profile.

@ignoramous
Collaborator Author

ignoramous commented Jun 17, 2021

Yes, with root, RethinkDNS would likely hook netlink commands and wouldn't be beholden to trapping packets from the VPN tunnel.

Also, we do plan to integrate WireGuard with the app itself, so even in non-root mode, users would be optionally able to forward connections from the firewall out to a WireGuard endpoint of their choice. #52

@Raif1

Raif1 commented Apr 4, 2022

@ignoramous any progress on the root mode firewall? Afwall+ is kind of dead.

@ignoramous
Collaborator Author

ignoramous commented Apr 6, 2022

I wouldn't say AfWall+ is dead, but rather there's nothing more to add nor remove (:

Re: RethinkDNS and root mode: We haven't started on it yet. It isn't hard to do what AfWall+ does, but it is fundamentally at odds with the kind of (app-oriented) firewall we have built. An interface exposing AfWall+ like rules (IPTables) and RethinkDNS like rules (app-specific) is likely to confuse not just the users, but us as well.

We keep looking for that finer balance (there are ideas for it in the OpenSnitch code-base), but it isn't trivial to do so, unfortunately. I am open to someone else coding down this path and willing to spend time with them on this on impl/design, as right now, and for some more months to come, our team is stretched super thin amidst rolling out a newer network-engine for the firewall, redesigning the UI of the app, and creating a paid version (similar to NextDNS or ControlD). Note though, the app will remain free and open source.
