{"id":240,"date":"2025-06-21T10:55:52","date_gmt":"2025-06-21T10:55:52","guid":{"rendered":"https:\/\/www.fmidnight.com\/cyberdisk\/?p=240"},"modified":"2025-07-01T19:19:40","modified_gmt":"2025-07-01T19:19:40","slug":"datura-firewall","status":"publish","type":"post","link":"https:\/\/www.fmidnight.com\/cyberdisk\/datura-firewall\/","title":{"rendered":"Datura Firewall"},"content":{"rendered":"\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Software<\/td><td>Datura Firewall<\/td><\/tr><tr><td>Type<\/td><td>Application Firewall<\/td><\/tr><tr><td>Tag<\/td><td><a href=\"https:\/\/www.fmidnight.com\/cyberdisk\/tag\/security\/\" data-type=\"post_tag\" data-id=\"14\">Security<\/a>. <a href=\"https:\/\/www.fmidnight.com\/cyberdisk\/tag\/privacy\/\" data-type=\"post_tag\" data-id=\"16\">Privacy<\/a><\/td><\/tr><tr><td>Platform<\/td><td><a href=\"https:\/\/www.fmidnight.com\/cyberdisk\/category\/android\/\" data-type=\"category\" data-id=\"6\">Android<\/a><\/td><\/tr><tr><td>Privacy Rating<\/td><td>\u2b50\u2b50\u2b50\u2b50\u2b50<\/td><\/tr><tr><td>License Model<\/td><td>Free &#8211; Open Source<\/td><\/tr><tr><td>Links<\/td><td><a href=\"https:\/\/calyxos.org\/docs\/tech\/datura-details\/\">calyxos.org<\/a><\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"192\" height=\"192\" src=\"https:\/\/www.fmidnight.com\/cyberdisk\/wp-content\/uploads\/2025\/06\/datura.png\" alt=\"\" class=\"wp-image-64\" style=\"width:274px;height:auto\" srcset=\"https:\/\/www.fmidnight.com\/cyberdisk\/wp-content\/uploads\/2025\/06\/datura.png 192w, 
https:\/\/www.fmidnight.com\/cyberdisk\/wp-content\/uploads\/2025\/06\/datura-150x150.png 150w\" sizes=\"auto, (max-width: 192px) 100vw, 192px\" \/><\/figure>\n<\/div>\n<\/div>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Privacy Pros: Perfect app for blocking internet access of apps that try to phone home every 5 seconds.<\/p>\n\n\n\n<p>Privacy Cons: None<\/p>\n\n\n\n<p>Privacy Tips: If using a VPN, turn off all access to apps except through the VPN. This acts as a second failsafe on top of Always On and Global VPN. Also set app defaults to deny, so that new apps have to request access.<\/p>\n<\/blockquote>\n\n\n\n<p>The firewall could generally be considered to be composed of 3 layers for each of its features. A UI layer, the frameworks layer (see <a href=\"https:\/\/developer.android.com\/guide\/platform#api-framework\">https:\/\/developer.android.com\/guide\/platform#api-framework<\/a>), and the netd layer (see <a href=\"https:\/\/developer.android.com\/guide\/platform#native-libs\">https:\/\/developer.android.com\/guide\/platform#native-libs<\/a>).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ui\">UI<\/h3>\n\n\n\n<p>This is the layer visibly exposed to users (toggles, text, \u2026). It is responsible for passing down information (global toggle switched or app restriction applied, in which case it sends the UID of the app and the policy or rule related to the feature) about a user\u2019s selection to the frameworks for processing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"frameworks\">Frameworks<\/h3>\n\n\n\n<p>Responsible for the first level of processing (e.g. sanity checks, state machine, \u2026), managing the dynamics of a feature (e.g. 
app in background) and passing down the inputs to netd to apply policies and rules.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"netd\">Netd<\/h3>\n\n\n\n<p>At its core, the firewall makes use of standard Linux networking utilities to process traffic (see <a href=\"https:\/\/source.android.com\/devices\/architecture\/hidl\/network-stack\">https:\/\/source.android.com\/devices\/architecture\/hidl\/network-stack<\/a>). Netd is responsible for the last level of processing and calls the networking utilities, passing in the input for any operation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"features\">Features<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"per-interface-network-usage-restrictions\">Per-interface network usage restrictions<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Code: <a href=\"https:\/\/review.calyxos.org\/q\/topic:data-restriction\">https:\/\/review.calyxos.org\/q\/topic:data-restriction<\/a><\/li>\n<\/ul>\n\n\n\n<p>On devices with Linux kernel versions 4.9 and below, this setting uses iptables to add an app to the INPUT and OUTPUT chains and limits its traffic based on the specified incoming and outgoing networking interface. On devices with Linux kernel versions higher than 4.9, the bandwidth restrictions make use of eBPF instead of iptables (see https:\/\/source.android.com\/devices\/tech\/datausage\/ebpf-traffic-monitor).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"per-app-network-isolation\">Per-app network isolation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Code: <a href=\"https:\/\/review.calyxos.org\/q\/topic:network-isolation\">https:\/\/review.calyxos.org\/q\/topic:network-isolation<\/a><\/li>\n<\/ul>\n\n\n\n<p>On devices with Linux kernel versions 4.9 and below, this setting uses iptables to add an app to the firewall isolated chain (which is referenced in the firewall INPUT and OUTPUT chains). 
On devices with Linux kernel versions higher than 4.9, the bandwidth restrictions make use of eBPF instead of iptables (see https:\/\/source.android.com\/devices\/tech\/datausage\/ebpf-traffic-monitor).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"background-network-access-restrictions\">Background network access restrictions<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Code: <a href=\"https:\/\/review.calyxos.org\/q\/topic:background-data\">https:\/\/review.calyxos.org\/q\/topic:background-data<\/a><\/li>\n<\/ul>\n\n\n\n<p>This setting adds an app to the penalty box iptables chain. On AOSP, this chain can be reached via costly interface chains (metered networks, which mobile data and VPN networks default to, are considered costly). In CalyxOS, the penalty box is instead added at the bandwidth INPUT, OUTPUT and FORWARD chains so that all interfaces block background bandwidth.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"cleartext-traffic-restrictions\">Cleartext traffic restrictions<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Code: <a href=\"https:\/\/review.calyxos.org\/q\/topic:global-no-cleartext\">https:\/\/review.calyxos.org\/q\/topic:global-no-cleartext<\/a><\/li>\n\n\n\n<li>Code: <a href=\"https:\/\/review.calyxos.org\/q\/topic:global-no-cleartext-allowlist\">https:\/\/review.calyxos.org\/q\/topic:global-no-cleartext-allowlist<\/a><\/li>\n<\/ul>\n\n\n\n<p>Normally, each app can make and remove its own strict mode cleartext restriction chain. The global cleartext restriction setting disallows this and appends a cleartext restriction chain that applies to all UIDs. Since it is appended (lower priority), apps can be allowed cleartext traffic in a manual override. Cleartext DNS traffic is briefly allowed for the root user in order to establish a private DNS connection.<\/p>\n\n\n\n<p>&#8211; CalyxOS Datura Firewall Page<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Software Datura Firewall Type Application Firewall Tag Security. 
Privacy Platform Android Privacy Rating \u2b50\u2b50\u2b50\u2b50\u2b50 License Model Free &#8211; Open Source Links calyxos.org Privacy Pros: Perfect app for blocking internet access of apps that try to phone home every 5 seconds. Privacy Cons: None Privacy Tips: If using a VPN, turn off all access to apps [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":64,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[16,14],"class_list":["post-240","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android","tag-privacy","tag-security"],"blocksy_meta":[],"_links":{"self":[{"href":"https:\/\/www.fmidnight.com\/cyberdisk\/wp-json\/wp\/v2\/posts\/240","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.fmidnight.com\/cyberdisk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fmidnight.com\/cyberdisk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fmidnight.com\/cyberdisk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fmidnight.com\/cyberdisk\/wp-json\/wp\/v2\/comments?post=240"}],"version-history":[{"count":3,"href":"https:\/\/www.fmidnight.com\/cyberdisk\/wp-json\/wp\/v2\/posts\/240\/revisions"}],"predecessor-version":[{"id":584,"href":"https:\/\/www.fmidnight.com\/cyberdisk\/wp-json\/wp\/v2\/posts\/240\/revisions\/584"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.fmidnight.com\/cyberdisk\/wp-json\/wp\/v2\/media\/64"}],"wp:attachment":[{"href":"https:\/\/www.fmidnight.com\/cyberdisk\/wp-json\/wp\/v2\/media?parent=240"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fmidnight.com\/cyberdisk\/wp-json\/wp\/v2\/categories?post=240"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fmidnight.com\/cyberdisk\/wp-json\/wp\/v2\/tags?post=240"}],"curies":[{"name":"wp","href":"h
ttps:\/\/api.w.org\/{rel}","templated":true}]}}