Grey Shirts NoRoot Firewall for ANDROID

Discussion in 'other firewalls' started by FOXP2, Oct 25, 2013.

  1. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    True, security and privacy is a battle that can't be won. It's going to be a ongoing battle, but I think every step we take goes a long way in making it a bit harder for some groups like companies. For example, I don't store my contacts on my phone in simple plain-text. Instead, I use kee-pass to store sensitive information. Ideally, it would be better to have a removable SD card, so you can keep this stuff off the device until needed. Then connect your card on a case-by-case basis. Regardless of how one feels about privacy, there are valid reasons to make every effort to secure your data and device as much as possible. You should be working to mitigate your attack surface area by removing apps you don't need on your device, blocking potentially malicious ads, etc. You can never eliminate risk complete. At best you can mitigate it. I don't disagree with you though, we already know from prism, wikileaks, etc. that persistent threats will find a way to track you and/or access your device (Carrier IQ, DROPJEEP, motion sensors (used for key logging), etc.). It just continues to escalate. Either abandon modern society and technology or manage what you have as best you can. Some are better suited than others in this regard. The average user just isn't going to fair well if things escalate. I'm under no illusion that I wouldn't fair much better either. Even on my desktop, there are limits to what I can do.
     
  2. FOXP2

    FOXP2 Guest

    GSNRFW's functionality is that of an old-school packet firewall with no comparison to what is now, in the desktop universe, the IP or domain blacklist/HIPS/IDS/BB "firewall" with Allow-or-Block-only popups for applications not in a local and/or cloud database of trusts.

    So, in terms of enhancing privacy in a device as manifold as a smart phone or tablet, it has very limited value. What you're seeking needs to be done by several other available Apps - most universally sans firewall.

    As I related in #18, I've built for various Apps anywhere from two to six rules blocking other ports in high well-known and registered and one way up there in private. And I'm not talking about the likes of ports 82, 8080, 1935 or 843. The Apps themselves run just fine on ports 80 and 443, so whatever's going on downstream through those oddball ports, it's not going on with my account or device. Privacy? Could be.

    Similarly, I've effectively blocked unnecessary connections to IP ranges in google's 1e100 network. Whatever auditing is done on those servers, my account and device have no influence. Privacy? Somewhat.

    To really dig into this we'd need a Sysinternals Process Monitor for Android. The (not quite) closest I've found is eolwral's OS Monitor.

    My experience with Android to date is with WiFi on a stock KitKat Nexus 7 2013 and a rooted, generic and so sloooooooow 4.0.4 Allwinner A13. I'm still waiting on a Smart Phone that animates the geek in me.

    But IMHO anyone with a Smart Phone, from the perspective of privacy, should consider themselves as equivalent to standing naked on a busy city street corner surrounded by CCTVs and snoops from all commercial and government sectors breathing down your neck. And paying good money for the privilege. Heck, there's even some of that with my trusty flip-phone; no nakedness, thank the gods.

    But getting back to this firewall... at the very least, it's just way too much fun. :D
     
  3. TasticToo

    TasticToo Registered Member

    Joined:
    Feb 12, 2014
    Posts:
    3
    Location:
    Australia
    I'm new here, so my apologies if there is some sort of strict protocol about staying exactly within the scope of the thread title.

    But I am interested in using this 'Grey Shirts NoRoot Firewall' app on my Note 3 (N3) when it is both 'unrooted' and 'rooted', i.e., if possible I want to find a single Firewall app that works in both states.

    I'm still finding my way with my new N3, but after flashing a stock ROM I believe my previously 'rooted' N3 becomes 'unrooted' again and I have been using it that way, i.e., some of the time I will be using my N3 'unrooted'.

    But I will also rooting it again so I can use custom ROMs, apps that only work when 'rooted', and to be able to backup using ClockworkMod/Nandroid.

    So, I am interested in how 'Grey Shirts NoRoot Firewall' works on 'rooted' as well as 'unrooted' phones.

    Is that topic OK here, and if so can anyone advise please?
     
  4. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,570
    It works fine on a rooted nexus 7 and 10.
     
  5. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    I can't speak for compatibility, thanks ellison64, but wouldn't it make more sense to go with something that has a bit more functionality since you'll be rooting your device? Anyways, to answer your question it should offer the same level of protection rooted or otherwise. The only inherent risks that comes to mind would be:

    - inherent vulnerabilities in the custom ROM, kernel, etc. which goes beyond the scope of this application.

    - flaws in the VPN functionality for could undermine the effectiveness of this application to perform as expected.

    - any risks inherent to leaving your device rooted. Beyond my current knowledge, so best consult someone more knowledgeable.

    - preexisting infection, back-doors, etc. fall somewhat outside the scope of this application. You can't block what you are unaware of and this isn't going to block a non-application from wrecking havoc.

    But these would persist regardless of whether you used this application or not. The only negative to this application is it ties up the VPN and doesn't take advantage of root.
     
  6. TasticToo

    TasticToo Registered Member

    Joined:
    Feb 12, 2014
    Posts:
    3
    Location:
    Australia
    Thanks Techwiz. What Rooted-Firewall do you have in mind that has more functionality?

    What additional functionality?
     
  7. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    I've found that vpn services automatically shut down NoRoot FW. VPN services in question are : HideNinja VPN and Hotspot Shields.

    Edit : Just read in this thread that NorootFW is based on establishing a "fake" VPN connection, hence an additional VPN service (real one!) won't work.
     
  8. TasticToo

    TasticToo Registered Member

    Joined:
    Feb 12, 2014
    Posts:
    3
    Location:
    Australia
    Yes I'm finding that Grey Shirts NoRoot Firewall is being shut down (I guess by VPN conflict) too frequently to be a reliable FW.

    So, I'm now looking for the best ROOTED-Android Firewall.

    Is there a thread here anyone can recommend that discusses ROOTED-Android Firewalls?

    A good contender seems to be AFWall+
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,726
    I'm trying to import this urlfilter.ini into global filters, but gets "invalid format" all the time... WTF is its proper format?

    *Can someone give me a recent list of the most popular as domains, or share their filter rules? Thanks.
     
    Last edited: Oct 23, 2014
  10. FOXP2

    FOXP2 Guest

    I rooted my Nexus 7 2013 upon its 1-year warranty expiration and, as others have noted, GSNRFW continues to operate without issue. I don't use anything else needing VPN so my experience with this firewall has been positive and absolute.

    To the best of my research all the firewalls for a rooted Android device are strictly allow all or block all outbounds for apps. Simply an on/off switch for networking.

    GSNRFW is the only one that offers a decent, or any, rules architecture.

    I really like this Wikipedia Browser but I really hate the connectivity it evokes. All of those high ports connected to China at the time I initially blocked them. Every now and then I have to add another. Further, the only port 80 connection needed is to the Wikimedia domain itself. Links within the Wikipedia to external data require the 443 connection to Google's 1e100 network, so I allow it. It's Google, it's 443, what can go wrong? :isay: But for Wikipedia-only content, it's not necessary.

    That app is just my favorite example. In fact, most of my apps are set to allow only ports 80 & 443 and more than a handful are set to allow somedomain.com:80 with *:80 and *:443 blocked. Things like Android System, Google Play, etc. get full access, of course, while Roulette, Mahjong, etc. are blocked as there is no reason whatsoever for those to connect out (I don't game online). Even many utilities, i.e. History Eraser, that want to connect don't need to - so, blocked.

    If there's anything else for teh droid that can offer that, I'd like to hear about it.

    Cheers.

    FW.jpg
     
    Last edited by a moderator: Oct 23, 2014
  11. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,726
    Interesting whitelisting, but it wouldn't fit my browsing pattern. I would love to have an up-to-date blacklist of the top 50 or so ad networks. Can someone please provide that? Thanks.

    *Found this, but it's not working at all: http://appflood.com/blog/list-of-mobile-ad-networks-february-2013

    *I tried pre-filter, post-filter, WiFi, 3G, rebooting device, etc. Still does not work.
     
    Last edited: Oct 23, 2014
  12. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,685
    @J_L
    Maybe LostNet NRFW will suit your needs.
    But note this FW tracks you via google-analytics & google tagmanager, at least in free version.

    I'm using Gray Shirt's one, but it has some limitations.
    -Doesn't monitor UDP
    -Doesn't support reverse DNS
    -Doesn't have import/export option

    Dr.Web(paid) has NRFW and can monitor UDP, also has import/export, but it's porblem is it's not interactive.
    You have to look into logs to make correct rules.

    Once Gray Shirt participated in a Japanese security forum and he was quite nice guy, quick to respond for our request.
    But sadly enough he disappeared, probably because some trolls started to attack him.
    Since then I haven't seen him anywhere, and there's no update for almost a year.
     
  13. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,685
    BTW for those who use NRFW mainly for ad (or any ohter unwanted connection) blocking, FilterProxy is also good choice.
    It's more like Proxomitron, works as local proxy and you can block any http/https connection.
    Furthermore, you can make whiltelist with referer specification, make redirect rules, and modify http headers.
    It also has import/export and is maintained continuously.
    Note if your home network doesn't support IPv6, you may have problems when you try to connect to certain site, such as Google.
    Some apps don't use system proxy setting, so if you want to control all apps you can combine FP with NRFW.

    [EDIT] Kaspersky mobile security use local proxy for web protection in wifi, so those who use Kaspersky have to disable web protection if you want to use FP.
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,726
    For WiFi, I already have FoolDNS. I need a non-root solution for data. I will try LostNet later.

    *What do you know, it seems to work! Although I lose some granularity, thanks for the suggestion.

    *Oh and I manually disabled notifications cause it was annoying. Will that affect it's background usage?
     
    Last edited: Oct 24, 2014
  15. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,685
    Good to hear it works for you!;)

    I haven't used pro version (disable notification is only for pro, but possibly you mean you went to Android's settings>application>LostNet and unchecked notification?), but I think as long as there's big sun icon in notification bar which says it's using VPN, you're okay.
    Just remember in case of false blocking, you can't know it from notification.
     
  16. FOXP2

    FOXP2 Guest

    I had corresponded with Grey in July inquiring if GSNRFW will be OK with ART once Dalvik gets scrapped in L. He replied he hadn't tested it yet and that he was working on performance tuning and rewriting the core. (Off thread: I'm kind of not concerned with ART anymore as the main reason I rooted my Nexus 7 2013 was to shut down the system update which seems to be more involved than I had realized in KK 4.4.4; I've only been at it a few days, tho. I've read the reviews and seen the screenshots: I do not want L.)

    I've often wondered by someone hasn't yet come up with a nice GUI for iptables which would work on rooted devices only.

    I don't know too much about the nuts and bolts of VPNs, but it seems that it allows a bunch of control which can be accessed under the hood regardless of rootedness.

    Primarily, the strategy I've repeatedly and amply expressed and illustrated here is I want to block connections to ports other than 80 & 443 and thereafter to domains and IP addresses/ranges I deem unnecessary or suspect as malicious or annoying (ads) to the apps' functionality should the very simple total allow or block be undesirable. So far, nothing meets that requirement or presents the user experience and interface of GSNRFW.

    (Off thread again, sorry: All of this why I still revere my best-ever flip phone LG VX8300 (on pageplus Mobile) going on seven years tho I'm thinking of a Samsung Convoy 3 purchase next year. That's not to say WiFi slabs don't rock.)

    @J_L
    "I would love to have an up-to-date blacklist of the top 50 or so ad networks."
    Get in line. It forms to the right and ends back there just beyond the horizon. ;)
    1e100 (Google) ads are farmed out from port 80 74.125.224.* that will kills LOTS of ads. But the just the fact there's a year and a half old list of merely the "top 50" ad platforms should tell you it's approaching a Lost Cause in a battle akin to the one ongoing waged by the Adblock Plus community. Having a filter for, say, admob.com won't be 100% effective. The majority of ads I've blocked in apps are IP rules as the addresses didn't resolve to any host and it was via whois that I determined they were ad farms. I've speculated that whether or not admob (and others) farms out from one of their domain subnets or a specific IP address/range probably depends on the level of service one buys.

    @Yuki2718
    LostNet looks very interesting and just might free me from the drudgery of un-exportable rule sets. I'm going to poke at that, for sure. Thanks!
    I had looked at the proxy solution, but it requires a pre-knowledge of what one would want to block. Unlike GSNRFW, there wouldn't be notification for fooNewSubnet/foo2/foo.com for foo2pattern/foo.com where one would not want to filter fooPattern/foo.com or all of foo.com. For that rule set I posted above in #35 I would get an alert for a connection to port 10085. FilterProxy is impressive, high administration and, by virtue of proxy, overwhelming; where in GSNRFW I have 100's of rules, filter proxy could range into the thousands. But one could import into FilterProxy an up-to-date blacklist of the top 50 or so ad networks once J_L gets it for us. :D

    Hmmmmmmmmm... On my desktop lostnetsoft.com is wanting to connect to my LAN:
    log cut&paste: firefox.exe, 192.168.0.104, 80, 192.168.0.8, 49738, TCP, Sent,
    (That's denied in my NIC settings and outside of my static IP range in the router config, fer sure.)

    Cheers.
     
    Last edited by a moderator: Oct 24, 2014
  17. FOXP2

    FOXP2 Guest

    As a point of interest, here's the rule set I've had to create for Chrome. Chrome likes to run for itself in the background even if you're not using it. Force stop it in Apps settings, (clear the system apps cache,too), and it'll just up and and start running again at some random point in operation and make a bunch of connections to 1e100 (443 and 80) and barefruit.co.uk. And that happens every time, all the time that the Chrome process starts up. Now I block it and remember to use Custom for the occasional instances I use a browser.

    Persistent barefruit.co.uk on 80?? I think NOT. :cautious:

    BTW, blocking those high ports zapped lots of ads. 9000 and 9090 are very popular.

    Mirth.

    Khrome.jpg
     
    Last edited by a moderator: Oct 24, 2014
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,726
    @Yuki2718 Thanks, and yes I disabled it via android settings. Seems to work fine as long as the VPN key icon is there indeed.

    @FOXP2 Not sure if blocking IP addresses work, but since domains don't, I doubt it. Hey the year and a half list was more dfficult to find than you think. I won't be able to list the top as networks without turning on statistics in unlock and visiting the most popular websites. Too lazy for that lol.
     
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,726
    I noticed disconnection from the internet after ~5 hours of usage. Opening the programming would freeze and I have to force close. Re-enabling notifications to see if that was the cause. Too bad I have a game I like phoning home every hour.
     
  20. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,685
    @J_L
    Sorry that you had serious issue.
    FWIW, these are known issue reported in that Japanese forum though they're about Grey Shirts one,
    -There're some devices which can't go along with NRFW.
    -There're some apps which can't go along with NRFW including Skype, basically they're VoIP/SIP apps.
    -In some devices, NRFW conflicts with tethering.
    And of course you can't use 2 apps that use VPN dialog at once.
    Sorry I can't help you more than this.
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,726
    Still happens, and I'm not alone according to play store reviews. Guess I'll try NoRoot Firewall again...

    *Still the same. And Mobiwol is lacking such features. What's left?
     
    Last edited: Oct 26, 2014
  22. FOXP2

    FOXP2 Guest

  23. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,685
    If you don't want to root your phone, not many options laft unfortunately.
    One idea is using FilterProxy only for 3G/LTE, since you have FoolDNS on wifi.
    Yeah, you have to add filters manually but as it accepts import/export with XML format, it's relatively easier.
    But I don't recommend to add hundreds of domain as it will cause much slowdown. Keep filters from about 50 to 100, though it depends.

    If your concern is only when you browse, you can use firefox with ABP/ABE and/or Noscript, and there're some other browser which have ad-blocking.

    Another way is not recommended but SRT Appgurad can block each connection by each apps.
    It embeds monitoring module to guarded apps so you can strip each permission and even restrict connection and/or access to media storage without root.
    However this app is out of Playstore so you have to check/uncheck "Unknown sources" every time when monitored app or Appguard itself need update.
     
  24. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,726
    Never knew FilterProxy works for 3G/LTE, thanks. I'll definitely consider that if LostNet really becomes a problem.

    I'd like to keep using Chrome and have browsing data synced.

    Sounds really complex, maybe as a last resort.

    *Yes it became a problem. Try NoRoot one last time, IP address and custom filters on Chrome, still failure. Going to use Mobiwol and FilterProxy with my first link. Then add filters as I go.
     
    Last edited: Oct 27, 2014
  25. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    I'm giving FilterProxy a test run to see how I like it. So far, liking it since it runs a lot lighter than GreyShirt's. Still reading through the tutorial, but will have to wait and see whether this is a keeper. As for GreyShirt's, I've been adding domains for the more popular ad services and any I don't recognized, I reverse lookup and decide whether to block or allow. I've done for each of the applications that I'm monitoring. I've also disabled access to memory storage, camera, etc. But I like to see that we have more activity on the mobile end. I'll look at LostNet. The use of goggle-analytics is a deal breaker for me.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.