Rule activation in earlier boot stage

[kendon]

The firewall rules are applied only a certain amount of time after the device has booted up. Due to this, some apps, which are started before the activation of the firewall, can transfer data even though they are blocked in the firewall. This poses two problems:

Security: I use the firewall mainly for security reasons. I do not want apps to phone home if I do not allow it.

Data usage: when roaming or on limited budget this can eat through your budget pretty fast. During my recent holiday I bought a local PAYG/prepaid SIM, which was preloaded with 20 bucks of the local currency. Without a data plan (which I was about to buy) the rate is 1 buck per MB. When I finally got to buying the data plan my account balance was down to 8 bucks. Yeah, 4G was surprisingly fast, and in that short time frame between boot and rule activation the Amazon Appshop downloaded 12MB of some game. No drama, but unnecessary.

My idea was, since the phone needs to be rooted anyway, to provide some init.d script, which completely blocks communication until the firewall rules are implemented. This shouldn't be too hard, as it only needs a generic "deny all" statement which is activated during the boot process, and is later overwritten by the firewall rules.

[skullone]

I have looked into this in the past but decided against it due to the amount of devices where init.d wasn't functional. I will see what I can do though about adding it in a future update.

[Miwer]

Yeah not every phone supports init.d scripts. CM based roms should support it however. I'm using a CM10.1 based rom and I have a script called 00iptables in /data/local/userinit.d/

/data/local/userinit.d/00iptables

#!/system/bin/sh

iptables -N droidwall
iptables -I OUTPUT 1 -j droidwall -p all -s 0.0.0.0/0 -d 0.0.0.0/0
iptables -I droidwall 1 -j DROP -p all -s 0.0.0.0/0 -d 0.0.0.0/0

Init will launch it as one of the first things (due to the '00' prefix in the file name), before Android apps are started, and effectively block all outgoing traffic. When the device has completed booting, Android Firewall will flush the droidwall chain and insert the proper rules you've set.

[rmack]

A potential idea...

If the firewall could turn on Airplane mode when a reboot is initialized, and then turn it off after a device reboots; then this could potentially enable a work around for other apps gaining network access after a reboot.

Please note I haven't investigated if Airplane mode actually prevents any network traffic upon reboot at this time, so this is just a hypothesis of mine.

Currently I do this manually.

1. Select Airplane mode
2. Reboot device
3. Wait for the firewall to start up
4. Turn off Airplane mode

[kendon]

@skullone: you could make the app check whether some sort of init.d folder exists or not. I guess, I am no programmer :)

@Miwer: thanks for the script, I will use that for now. I actually was hoping someone would paste something so I wouldn't have to use my own brain to come up with a script ;)