On 07/24/2014 02:38 PM, Mike Cardwell wrote:
> * on the Thu, Jul 24, 2014 at 08:01:53AM +0200, CJ wrote:
>
>> Just a small announcement (not sure if this is the right ML, sorry).
>> I'm developing an Android app that allows blocking all IP traffic and
>> forcing only selected apps through Orbot.
>> This is done because neither Orbot nor AFWall (or any other free, open-source
>> Android iptables management interface) seems to be able to do that???
>
> One suggestion: test this on a network which dishes out IPv6 addresses.
> None of these firewall apps seem to take IPv6 into consideration. So if
> you wander onto a WiFi network which dishes out v6 addresses and then
> one of your apps tries to connect to a host which supports v6, like for
> example Google or Facebook, then it will bypass your iptables rules.
> You need to set up rules using ip6tables for IPv6 too.
>
> Also, make sure that the rules are applied prior to any network
> connectivity coming up.
>
Hello Mike,

Good point for IPv6 — it won't block it for now (no call to ip6tables so far, though it's already defined in the init-script).

Regarding the early rule application: the app currently installs an init-script with:
- INPUT/OUTPUT default policy set to DROP
- first rule in INPUT/OUTPUT set to REJECT

I had to ensure there is no network at all — it seems some rules are pushed really early in the chains, especially for the quota-managing thing. With this init-script, I ensure there is nothing IN nor OUT of the device until torrific is launched. Even Orbot can't connect, which may create some problems (and has created some, I think, though it's pretty unclear for now and not really reproducible :( ).

Unfortunately, some Android versions, such as 4.1.1, don't seem to support user init-scripts — meaning those may (and do!) send stuff on the network before torrific is up :(. After many tests on my Nexus 4, running 4.4.4, it appears the system tries to send at least 100 packets on the network before we can even use the device :). There's a warning regarding init-script support on the site; I really tried hard to make it work, but no luck so far :(.

Also, most probably a ROM update will remove the init-script, and torrific won't see that for now; I have to add some other checks. But the idea is here, at least :).

…

Knowing that all of this is pretty useless on phone devices, due to the closed baseband and GSM protocol, is pretty annoying, but at least we can do something in order to get safer (if not "the safest") devices.

Cheers,
C.
-- 
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
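The boot-time lockdown described in this reply, together with Mike's point that the same rules must exist for ip6tables, written out as an added example (this is not torrific's own init-script). It assumes iptables and ip6tables live under /system/bin on the ROM and uses ORBOT_UID as a placeholder for Orbot's real UID; the rule sets are only printed unless the script is run with the lockdown or orbot-only argument.

```sh
#!/system/bin/sh
# Added example, not torrific's own init-script. Assumptions: iptables and
# ip6tables live under /system/bin on this ROM, and ORBOT_UID is a placeholder
# for Orbot's installed UID (read the real one from the package manager).
IPTABLES=${IPTABLES:-/system/bin/iptables}
IP6TABLES=${IP6TABLES:-/system/bin/ip6tables}
ORBOT_UID=${ORBOT_UID:-10101}

# Boot-time lockdown for one family ($1 = binary): policies DROP plus a REJECT
# as rule 1, so anything pushed later (quota handling etc.) sits behind it.
# Rules are printed, not run, so the set can be reviewed before applying.
lockdown_rules() {
    bin=$1
    cat <<EOF
$bin -P INPUT DROP
$bin -P OUTPUT DROP
$bin -P FORWARD DROP
$bin -F INPUT
$bin -F OUTPUT
$bin -I INPUT 1 -j REJECT
$bin -I OUTPUT 1 -j REJECT
EOF
}

# Once the controlling app is up: drop the blanket REJECT, allow loopback,
# replies to established flows and outbound traffic from one UID only;
# everything else still ends at a REJECT and the DROP policy stays.
orbot_only_rules() {
    bin=$1 uid=$2
    cat <<EOF
$bin -D INPUT -j REJECT
$bin -D OUTPUT -j REJECT
$bin -A INPUT -i lo -j ACCEPT
$bin -A OUTPUT -o lo -j ACCEPT
$bin -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$bin -A OUTPUT -m owner --uid-owner $uid -j ACCEPT
$bin -A INPUT -j REJECT
$bin -A OUTPUT -j REJECT
EOF
}
# Emit the set for BOTH families; skipping the ip6tables line is the v6 bypass.
all_rules() {
    "$1" "$IPTABLES" "$ORBOT_UID"
    "$1" "$IP6TABLES" "$ORBOT_UID"
}
apply_rules() { all_rules "$1" | sh -e; }   # needs root; run on the device
case "${1:-}" in
    lockdown)   apply_rules lockdown_rules ;;
    orbot-only) apply_rules orbot_only_rules ;;
esac
```

Running it without an argument only defines the functions, so the emitted rule sets can be inspected with all_rules lockdown_rules before anything is applied.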
