are there any hints that messengers can bypass AFWall+?
What happens to me:
Messengers like Whatsapp and Signal very often try to connect even if not started. So far perhaps not new.
But though I block them from time to time in AFWall+ if not in use I can see connect requests like „e1.whatsapp.net, e6.whatsapp.net etc., sometimes g.whatsapp.net or v.whatsapp.net“ or for Signal
„text secure-service.whispersystems.org“ in Adaway and even in Phiole.
Sometimes AFWall+ logs reports these apps have been blocked, but obviously they have passed and are displayed in Pihole anyway.
Similar issues happen when the messengers have been started but still are unchecked in AFWall (for testing purposes) so should be blocked further.
Both are in installed in personal and work profile (by Shelter) but are used out of the work profile only.
AFWall last version, OS Lineage 16.0.
a) check IPv6 support (under AFWall+ Preferences → Rules/Connectivity)
b) check if AFWall+ has Wi-Fi, LAN, Roaming, VPN, Tor control enabled (depends on your use case)
c) check if “Active rules” (apply firewall on every connectivity change) enabled
d) the experimental “Fix startup data leak” may also be of interest, if you reboot often
e) just Shelter’s fault / limitation
f) …
EDIT:
I assume that you have “Experimental → Dual Apps Support” enabled
Except IPv6 support everthing has been checked already.
Checking IPv6 in addition didn’t change anything.
I don’t think it’s a fault of shelter. Testing Whatsapp, Signal and Threema in the personal profile yields the same.
So until disproof it seems that these messengers at least do bypass AFWall+ - Signal and Threema by background activity already, Whatsapp mostly after user access - though being unchecked in AFWall+. AFWall logs are confusing about these issues, sometimes reporting Whatsapp and Signal in particular beeing blocked a lot of times, sometimes displaying no reports while the app requests again are slipping by.
So what’s really going on there?
It looks like you’ve only set the firewall rules for the messenger in your unsheltered “Main” profile.
To support the “Work” profile in AFWall, you need to enable the support in Settings->Experimental->“Dual Apps Support”.
Sheltered apps will appear on a separate line in AFWall with a followed “(M)” in its name.
Depending on the version you use an app may use gcm/c2dm (google cloud messaging) , usually visible on port #5228 tcp to wake up/Receive data ocassionally. This shouldn’t be the case if you use an app version without play services ,e.g. Telegram foss “can” be blocked by afwall+.
Thanks a lot for all replies.
@ unique:
As I mentioned already in reply to fd-fan above all options have been checked except IPv6 support which I have checked meanwhile too.
So "Settings->Experimental->“Dual Apps Support” has been activated of course.
Oh yes, fd-fan you have been quite clear!
New idea for me! But what does it mean? Isn’t Signal FOSS too? But it’s the one of the 3 messengers passing by AFWall at most while unchecked in AFWall.
Or does it depend on where to get the apk-file - Google Playstore or Signal website?
Threema and Whatsapp would be out of topic then if being FOSS is the sticking point of course.
But frankly speaking it looks surprising for me AFWall being unable to contol the net access of these apps.
