Firewall may be shouldn't block all TCP and UDP conns

[ignoramous]

The firewall mode shouldn't block localhost TCP and UDP.

May be it also shouldn't block connections on the private IPv4 (v6 isn't supported) space? May be it should.

Interestingly, some folks want to block all LAN traffic. So, that should be an option too?

Discuss.

[ignoramous]

Case in point?

08-16 08:10:03.576 23934 23934 E chromium: [0816/081003.575374:ERROR:elf_dynamic_array_reader.h(61)] tag not found
08-16 08:10:03.584 15668 16890 E GoLog   : [0816/081003.575374:ERROR:elf_dynamic_array_reader.h(61)] tag not found
08-16 08:10:03.594 15668 16867 F libc    : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x31f000001b9 in tid 16867 (Thread-24), pid 15668 (elzero.bravedns)
08-16 08:10:03.736  2152  2152 E ndroid.systemu: Invalid ID 0x00000000.
08-16 08:10:03.797 23937 23937 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstone
08-16 08:10:03.800  1259  1259 I /system/bin/tombstoned: received crash request for pid 16867
08-16 08:10:03.802 23937 23937 I crash_dump64: performing dump of process 15668 (target tid = 16867)
08-16 08:10:03.809 23937 23937 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
08-16 08:10:03.809 23937 23937 F DEBUG   : Build fingerprint: 'OnePlus/OnePlus6/OnePlus6:10/QKQ1.190716.003/2005052051:user/release-keys'
08-16 08:10:03.809 23937 23937 F DEBUG   : Revision: '0'
08-16 08:10:03.809 23937 23937 F DEBUG   : ABI: 'arm64'
08-16 08:10:03.809 23937 23937 F DEBUG   : Timestamp: 2020-08-16 08:10:03+0530
08-16 08:10:03.809 23937 23937 F DEBUG   : pid: 15668, tid: 16867, name: Thread-24  >>> com.celzero.bravedns <<<
08-16 08:10:03.809 23937 23937 F DEBUG   : uid: 10421
08-16 08:10:03.809 23937 23937 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x31f000001b9
08-16 08:10:03.809 23937 23937 F DEBUG   :     x0  0000006f1a6ea600  x1  0000000000000000  x2  00000040004bfea0  x3  0000000000000003
08-16 08:10:03.809 23937 23937 F DEBUG   :     x4  0000000000000160  x5  0000004000297e90  x6  000000700c853000  x7  0000000000f421c2
08-16 08:10:03.809 23937 23937 F DEBUG   :     x8  0000006f1a7aac14  x9  000000000000000c  x10 0000000000000002  x11 0000000000000030
08-16 08:10:03.809 23937 23937 F DEBUG   :     x12 0000000000a56b80  x13 00000003e8000000  x14 00044460ac096168  x15 0000a507849446f3
08-16 08:10:03.809 23937 23937 F DEBUG   :     x16 000000700870f8f0  x17 0000007008701070  x18 0000006ec0bea000  x19 0000006f1a6ea600
08-16 08:10:03.809 23937 23937 F DEBUG   :     x20 0000031f000001a4  x21 0000006f27239aa0  x22 0000006f27239ab0  x23 0000006f1a7aaa00
08-16 08:10:03.809 23937 23937 F DEBUG   :     x24 0000006f27239aa0  x25 0000006f26d1d394  x26 0000000000000000  x27 0000000000000010
08-16 08:10:03.809 23937 23937 F DEBUG   :     x28 0000004000182900  x29 0000006ec2837b90
08-16 08:10:03.809 23937 23937 F DEBUG   :     sp  0000006ec2837b70  lr  0000006f26d16418  pc  0000006f26d197b4
08-16 08:10:03.809 23937 23937 F DEBUG   :
08-16 08:10:03.809 23937 23937 F DEBUG   : backtrace:
08-16 08:10:03.809 23937 23937 F DEBUG   :       #00 pc 00000000005d47b4  /data/app/com.celzero.bravedns-S0OlU-rPT9myMvnoLKv6fQ==/base.apk (offset 0xb000) (tcp_process_refused_data+32)
08-16 08:10:03.837   728 23940 E ResolverController: No valid NAT64 prefix (377, <unspecified>/0)
08-16 08:10:03.837   728 23941 E ResolverController: No valid NAT64 prefix (377, <unspecified>/0)

[ignoramous]

#65 does something as crude.

[4-FLOSS-Free-Libre-Open-Source-Software]

The firewall mode shouldn't block localhost TCP and UDP.

by default safely exclude
[::1]/128
127.0.0.0/8

May be it also shouldn't block connections on the private IPv4 (v6 isn't supported) space? May be it should.

Discuss.

To not break things by default broadcast and multicast & mdns?
224.0.0.0/4
for DLNA/wifidisplay/airplay/chromecast/spotify/IoT devices/ wifi vacum robot/ own router webinterface / etc. and only exclude subnet of active wifi and private 169.254.0.0/16 yes, but not all /intranet ranges.

[ignoramous]

See: https://github.com/tailscale/tailscale/blob/c6d3f622e9b52d226232a1dbc5b56f61b2ba5bf9/ipn/ipnlocal/local.go#L998-L1015

And: https://github.com/M66B/NetGuard/blob/master/app/src/main/java/eu/faircode/netguard/ServiceSinkhole.java#L1276-L1353

Also: ViRb3/wgcf#42 (comment)

[ItsIgnacioPortal]

It would be good if apps could be individually granted LAN access, instead of it just being a global switch like NetGuard does.

[ignoramous]

That's an interesting suggestion.

So, a global / universal rule like Block all LAN IPs

And then, per individual app, you'd trust / allow LAN IP subnets?

[ItsIgnacioPortal]

And then, per individual app, you'd trust / allow LAN IP subnets?

I don't see much of a point in allowing only specific subnets. I think it should be an ON/OFF switch, per app