Uid 1001 phone blocked the connection. about pcapdroid HOT 14 CLOSED

DNS traffic from Phone/Unknown is now automatically allowed, whereas other connections from such apps are still blocked. The fix will be available in the next PCAPdroid release. You can test it with the beta APK https://pcapdroid.org/fdroid/repo/PCAPdroid_1.6.5-958fc6a.apk (to use the firewall, install it along with the official PCAPdroid app).
Please confirm that the fix works correctly for you.

from pcapdroid.

Hi, if you manually add this Phone app and the Unknown app to the whitelist, does it solve the issue?

from pcapdroid.

Hi, if you manually add this Phone app and the Unknown app to the whitelist, does it solve the issue?

Yes, it will solve the issue, but I want to block them.

from pcapdroid.

DNS traffic from Phone/Unknown is now automatically allowed, whereas other connections from such apps are still blocked. The fix will be available in the next PCAPdroid release. You can test it with the beta APK https://pcapdroid.org/fdroid/repo/PCAPdroid_1.6.5-958fc6a.apk (to use the firewall, install it along with the official PCAPdroid app). Please confirm that the fix works correctly for you.

It fixed, thank you.

from pcapdroid.

Thanks for reporting

from pcapdroid.

DNS traffic from Phone/Unknown is now automatically allowed

Is this just about the apps in Whitelist by default? Such as #376
Or have you changed some global rules?

from pcapdroid.

It's a global rule, see 958fc6a#diff-8f7802a1b248c0ddceaa307427717ccd8a74ba8d0bd1062b2faad276eea76a66R334

from pcapdroid.

It's a global rule

In Whitelist mode?

from pcapdroid.

see 958fc6a#diff-8f7802a1b248c0ddceaa307427717ccd8a74ba8d0bd1062b2faad276eea76a66R334

Do I understand correctly that DNS traffic from NETD, PHONE and UNKNOWN is always allowed?
Then this is a very bad idea and this means that uncontrolled traffic in whitelist mode is possible.
Okay, if there is some kind of default app whitelist that can be cleared. But if there are global rules that cannot be influenced in whitelist mode. This is clearly wrong.
Which I really haven't noticed yet :)
It's better to at least add these uids to the default whitelist. So that they can be excluded.
Receiving DNS addresses can be configured via your own local server in order to exclude external DNS connections. And here you are with your global rules ;)
The enabling of a whitelist mode initially implies that a person first wants to get a complete absence of any traffic. And only then add exemptions.
In general, any global firewall rules that cannot be reconfigured are very bad.
Don't act like Google: give users the opportunity to choose and reconfigure ;)

from pcapdroid.

This is the best we can do with the current Android implementation, because there is no way to know which app performed the DNS request, so blocking netd will disrupt all the apps who rely on it. In any case, let's say you want to block a specific app, only the DNS request will succed (which alone is useless), any subsequent TCP/UDP/ICMP traffic from the app will be blocked, so this function in essence works as you would expect (no big surprises).

from pcapdroid.

which alone is useless

In what sense?
If there is a need to block all DNS connections with a guarantee then will your global rules definitely not prevent this?
So far, I haven't seen DNS leaks (as opposed to Rethink leaks) but these global rules raise very big doubts about their impossibility.
That's why I suggest moving all global rules to a custom user settings.
Let them be the default but so that can turn on the whitelist mode to the maximum.
The whitelist mode should have a guaranteed option of not having any connections.

from pcapdroid.

And I was also interested in the line
data->to_block = !blacklist_match_uid(pd->firewall.wl, data->uid);
Maybe it's better to rename blacklist_match_uid to list_match_uid ;)

from pcapdroid.

This does not makes to me, so I will not implement it

from pcapdroid.

so I will not implement it

Perhaps you don't need to implement anything.
But to understand this, you need to at least have time to discuss rather than quickly adding global rules to save your time ;)
Merry Christmas :)

from pcapdroid.