
There are a couple of Android firewall apps in the wild, for instance AFWall. It manages iptables rules. Usually, for client devices, admins set the default policy for the INPUT chain to block, but when I set that policy for the chain, the network connection breaks. What's the cause of such behavior? Shouldn't it just block incoming connections from the network to the phone? Is it secure to leave the accept policy for the INPUT chain, and hence to allow any device in the network to connect to the device unconditionally?

Mikhail Morfikov
  • Blocking everything in INPUT chain? It doesn't make sense. At least allow connections with --state ESTABLISHED,RELATED to get reply back for outgoing connections. – Irfan Latif Sep 25 '21 at 09:21
  • Even if you only transmit data in the outgoing direction using TCP, the TCP protocol requires sending status messages in both directions, e.g. to acknowledge received packets or request packets that have been lost in transmission. Therefore, if you block all incoming traffic, you also destroy the functionality of TCP. You could then only use the unreliable UDP protocol for sending data. – Robert Sep 25 '21 at 10:23
  • @IrfanLatif I didn't say to block everything, I said to set the default policy of the INPUT chain to block. You have rules, at least they should be added via AFWall, to allow apps to receive connections, including the ESTABLISHED ones. So only the phone was able to initiate connections. But try to set the INPUT policy to block, and you won't be able to even send a ping to a remote server from your phone, which is really weird. – Mikhail Morfikov Sep 25 '21 at 18:39
  • And are you sure that the default rules created by Android framework are not blocking your connections: https://android.googlesource.com/platform/system/netd/+/refs/tags/android-11.0.0_r1/server/Controllers.cpp – Irfan Latif Sep 25 '21 at 20:01
  • @IrfanLatif, I don't know, that's why I'm asking. In AFWall, I allowed some example app to be able to connect to the WiFi -- this works well. In the AFWall settings, there's an option to set the default chain policy. When I set the default policy of INPUT to DROP, the example app is unable to connect to the internet. When I checked the rules in iptables, I could clearly see some packets hitting the default INPUT chain policy (ACCEPT), and I wanted to prevent that. Every Linux client I use has this policy set to DROP in INPUT (for security) and they work well. – Mikhail Morfikov Sep 25 '21 at 21:52
  • I think I found it. Basically there are no filtering rules set in INPUT. There are only the bw_INPUT and fw_INPUT custom chains. The first one is for bandwidth control (limit LTE), and fw_INPUT is empty. No other rules in INPUT. So when I set the default INPUT policy to DROP, it blocks every connection. So it looks like the ESTABLISHED rule should be added. It's weird it's not there by default. What worries me even more, Android devices have no FW at all... – Mikhail Morfikov Sep 25 '21 at 22:23
  • Being behind a NAT or CGNAT gateway is in itself a protection, though not of a firewall grade. Mobile phones aren't very likely to be accessible from internet: https://android.stackexchange.com/a/205807/218526, but on a local WiFi network they are exposed to local hosts. – Irfan Latif Sep 26 '21 at 01:25
  • I know, but it should not allow any incoming connection to the device. – Mikhail Morfikov Sep 26 '21 at 17:18
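The comments above converge on the actual cause: a DROP policy on INPUT is fine for a client device only if a rule accepting ESTABLISHED,RELATED traffic (and loopback) sits in front of it; without that rule, replies to the phone's own outgoing connections are dropped and everything appears "broken". The script below is an added example written for this page, not code from the question, from AFWall or from Android's netd. It builds a minimal iptables-restore ruleset of that shape, builds a second ruleset that mirrors what the asker found (only jumps to bw_INPUT and fw_INPUT, no state rule; a constructed approximation, not a dump from a real device), and runs a small text-only audit that flags both failure modes discussed in the thread: DROP with no state rule (outgoing connections hang) and ACCEPT (any host on the same WiFi can reach listening services). It assumes a Linux iptables with the conntrack match (`-m state --state` is the older spelling of the same check); applying it requires root and is left to an explicit `apply` argument, and how AFWall loads custom rules is outside what this page covers.

```shell
#!/bin/sh
# Added example (not from the original post): INPUT policy DROP done right
# for a client device, plus an audit for the misconfiguration discussed above.

# Ruleset that keeps a DROP policy on INPUT but still lets the device's own
# connections work. Written in iptables-restore format.
build_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: many local components talk to 127.0.0.1 and would otherwise break.
-A INPUT -i lo -j ACCEPT
# Replies to connections the phone initiated: TCP ACKs/data from the server,
# DNS answers, ICMP echo replies for the ping mentioned in the thread.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot associate with any flow (out-of-window, stray RSTs).
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Anything else is unsolicited inbound from the network: falls to the DROP policy.
COMMIT
EOF
}

# Constructed approximation of the state the asker described: INPUT holds only
# jumps to bw_INPUT (bandwidth accounting) and an empty fw_INPUT, and the
# policy has been flipped to DROP. No rule accepts return traffic.
build_broken_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:bw_INPUT - [0:0]
:fw_INPUT - [0:0]
-A INPUT -j bw_INPUT
-A INPUT -j fw_INPUT
COMMIT
EOF
}

# Text-only audit of a ruleset read from stdin. Exit codes:
#   0  INPUT policy DROP and an ESTABLISHED,RELATED accept rule is present
#   1  INPUT policy DROP but no state rule: outgoing connections will hang
#   2  INPUT policy ACCEPT: unsolicited inbound reaches any listening service
audit_ruleset() {
  rules=$(cat)
  if printf '%s\n' "$rules" | grep -q '^:INPUT ACCEPT'; then
    echo "INPUT policy ACCEPT: any host on the network can reach listening ports" >&2
    return 2
  fi
  if printf '%s\n' "$rules" | grep -q '^-A INPUT .*ESTABLISHED,RELATED.*-j ACCEPT'; then
    return 0
  fi
  echo "INPUT policy DROP without an ESTABLISHED,RELATED accept: replies to the device's own connections are dropped" >&2
  return 1
}

# Usage: ./input-drop.sh            prints the safe ruleset
#        ./input-drop.sh audit      audits both rulesets and reports
#        ./input-drop.sh apply      loads the safe ruleset (needs root and iptables-restore)
case "${1:-show}" in
  show)  build_ruleset ;;
  audit)
    build_ruleset | audit_ruleset && echo "safe ruleset: ok"
    build_broken_ruleset | audit_ruleset || echo "broken ruleset: exit $?"
    ;;
  apply) build_ruleset | iptables-restore ;;
esac
```

Loading the good ruleset and then running `iptables -L INPUT -v -n` on the device should show the ESTABLISHED,RELATED counter climbing while an app talks to the internet, and the policy counter catching only unsolicited inbound packets, which is the split the question was after.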

0 Answers