
Does something like this exist for my phone, android specifically? Any good recommendations?


There's netguard[1], although most of the convenience features are behind a small payment.

[1] https://netguard.me


I have heard good things about this one. But I think this is one of those no-root firewalls that uses the VPN, so I figure this means I can't use a VPN at the same time.

An alternative Android root-only option is AFWall+, which allows blocking on LTE, WiFi, LAN, and VPN separately, and script access to iptables. Not sure how actively developed it is, but it seems to work ok.

*edit: Seems to still be active, open source, and available on F-Droid too.

https://github.com/ukanth/afwall


Another issue I have with using the VPN in general is that it breaks Android Auto for me.


Netguard is fantastic, although it takes a while to get a safe setup working. I'm blocking traffic by default and get to see all the blocked connection attempts - the extent to which apps transmit data to various parties is depressing. Netguard should be a standard OS feature.


I didn't want to pay without testing the features first, so I have rebuilt the app (it is open source) with Pro enabled, so I guess that's an option if you want to avoid payment. Updates are a problem then though. Once I tested it I gladly paid (more than requested) to support the development. I never got around to reinstalling it though, so I'm still on an older version.

NetGuard is simply awesome. The peace of mind when I know which servers the apps are contacting, and being able to block their access to the net by default, is just great. The rules could be made a bit more easily adjustable (it would be nice if I could block `*.firebaseinstallations.googleapis.com` everywhere, even if other traffic is allowed for the app), but I'm just nitpicking now. Highly recommend it.


"Small payment" is an understatement :)

"You can get all current and future NetGuard pro features (including updates) without Google Play services for the GitHub or F-Droid version by a one time donation of € 0.10 or more. If you donate 7 euros or more, you can activate the pro features on all Android devices you personally own, else you can activate the pro features one time only."


Can confirm that after donating > 7€ I am still able to unlock pro features on new devices 8 years later.


And it is also open source, so you can install it by yourself. But it is worth it (for me) to pay something to support the developer.


GrapheneOS can at least block internet traffic for specific apps. But can't do it for port ranges or specific domains.


Sadly all real firewalls need root. I was using AFWall+ for a long time; it has neat controls for every app to allow or deny WiFi, Cell or LAN (if you have one). It is an iptables/nftables frontend, so you can customize the rules to your heart's content: https://github.com/ukanth/afwall Works from Android 2+.

Without root only VPN solutions like Adguard are available.

EDIT: if you want neat stats: Glasswire has an Android version. I have only used the beta so I have no idea about its current state. Might be worth checking out though.
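The per-app, per-interface rules the AFWall+ post above describes map onto iptables' owner match, since Android runs each app under its own Linux UID (10000 and up). The script below is an added example, not AFWall+'s own code: the chain name, the UIDs and the policy are constructed, and `IPT=echo` prints the rules instead of installing them.

```shell
#!/bin/sh
# Per-app egress rules by interface, AFWall+ style (added example, hypothetical chain/UIDs).
# Set IPT=echo to dry-run; real installation needs root.
IPT="${IPT:-iptables}"

# Interface patterns: Wi-Fi, cellular and VPN tunnel (wildcards cover wlan0, rmnet_data0, tun0 ...)
WIFI="wlan+"; CELL="rmnet+"; VPN="tun+"

# Create (or flush) the "appfw" chain and hook it into OUTPUT.
# The terminal REJECT is added first, so nothing leaks while the per-app
# allows are still being inserted (the boot-time window discussed later in the thread).
fw_init() {
    $IPT -N appfw 2>/dev/null || $IPT -F appfw
    $IPT -A appfw -j REJECT
    $IPT -C OUTPUT -j appfw 2>/dev/null || $IPT -I OUTPUT 1 -j appfw
}

# fw_allow UID IFACE...: let one app UID out on the listed interfaces only.
# Rules are inserted at position 1, i.e. ahead of the REJECT.
fw_allow() {
    uid="$1"; shift
    for ifc in "$@"; do
        $IPT -I appfw 1 -o "$ifc" -m owner --uid-owner "$uid" -j ACCEPT
    done
}

# Constructed policy: app 10123 may use Wi-Fi only, app 10150 only the VPN tunnel,
# everything else is rejected. Loopback and system UIDs (< 10000) are left alone here.
fw_apply() {
    fw_init
    $IPT -I appfw 1 -o lo -j ACCEPT
    $IPT -I appfw 1 -m owner --uid-owner 0-9999 -j ACCEPT
    fw_allow 10123 "$WIFI"
    fw_allow 10150 "$VPN"
}

# "sh fw.sh dry" prints the rules; "sh fw.sh apply" (as root) installs them.
case "${1:-}" in dry) IPT=echo fw_apply ;; apply) fw_apply ;; esac
```

Any app whose UID has no allow rule for the interface in use is rejected, which is the "deny by default, allow per app" behaviour the post is after.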


ex-AOSP and rethink dns+firewall dev here

> Sadly all real firewalls need root

What do you mean by a "real" firewall? It is very much possible to build a userspace firewall in Android using the VPN APIs.

On Android, ROMs like GrapheneOS, Lineage, and CalyxOS have firewalls built-in.

> Glasswire has an Android version

Note though, Glasswire was recently acquired by another company: https://archive.is/KW2R3


I thought parts of the Android OS can by-pass the VPN so the firewall becomes ineffective against blocking Google, OEMs, and others that have root. Wouldn't the VPN API being used as a firewall also prevent one to use a VPN client at the same time?


For the latter, Rethink can be configured to work with e.g. a WireGuard VPN because it has a built-in WireGuard client.


> Note though, Glasswire was recently acquired by another company

Ah that's why the premium stuff is now free. I was wondering. Let's hope it's not the first sign of enshittification.

> What do you mean by a "real" firewall?

In my experience the "block all non VPN traffic" options in Android don't work reliably. iptables does however.

It's a sad state that you cannot even set a static IPv6 on Android without root.


> In my experience the "block all non VPN traffic" options in Android don't work reliably. iptables does however.

Both (iptables/nftables and VPN APIs) have to be enforced by the Linux Kernel, which is subject to the same "Androidisms", if that makes sense.

Root, in fact, opens up a gaping hole in that; it totally compromises Android's security model. IMO, it isn't worth rooting Android just to run iptables (just because it seems like iptables is what makes a firewall).


IMHO Android's security model is incredibly flawed anyways. I don't even need root to access stuff I shouldn't have access to on my Mediatek based phone because the firmware has tons of gaping security holes anyways.

I think a device you don't have root on isn't really yours and should be treated as a lease.

But you are right, when Wifi/Data is on at boot even the -tables might not get updated fast enough so stuff might get through.


The app "Rethink: DNS + Firewall + VPN" has similar features.


I really like Rethink DNS. I have learned many things from watching it (such as I think Signal is compromised by some five-eyes "crossing the border" fuckery.)


I agree with the first sentence. I cannot even begin to comprehend what semantics you were trying to convey with the second sentence however. I am also lacking all context to be able to understand (compromised in what sense, by whom and to what degree? which border? what is "fuckery" defined as?).

I appreciate you trying to add to the discussion but in this case you leave me with way more questions than I started out with which I personally perceive as an unwanted mental overhead.


Sorry I don't check HN very often these days.

What I mean is by watching the IPs, I see a lot of cross-border ingress/egress when it shouldn't be necessary. It's not proof, but an indicator of probability to me, that echelon style mechanisms are being used.

If you are unaware of Echelon and related programs, essentially, since it's illegal for the US (officially at least) to spy on its own citizens without a warrant, instead they let an "ally" country like the UK spy on Americans and then "share the data", essentially another abuse of third-party doctrine.

I hope that helps clarify.


> such as I think Signal is compromised by some five-eyes "crossing the border" fuckery

Would you mind elaborating?


TrackerControl is great too. Both are FOSS and can be used in the background for using a custom DNS server and blocking certain categories of domains.


AFWall+

Switched to it from NetGuard mentioned above.


My non-root solution is to use NextDNS or ControlD with "private DNS" (DNS over TLS).

Doesn't stop direct IP connections, but it's good enough.

I also have the CLI installed on OpnSense so DoH is enforced for all devices on my LAN as well.
