An update has been submitted which fixes two bugs. The first (minor) one makes the import and export buttons actually work when selected from the apps tab menu. The second was a bit more important and was reported by a user. The intended behavior when the “block all” scheme was selected was for the applications to continue working in exactly the same manner (if they were checked they would still be blocked; if not checked, they would be allowed). However this was not happening; they were all blocked and the only way to change this was to go back to the apps tab and press “Apply.” Fixing this was fairly simple; I had just forgotten to call the service that updated the rules when the settings were changed. However, after I implemented the fix, I found a new bug.
Upon testing the new fix I discovered that the apps still seemed unable to send or receive traffic. I checked the log and found that outgoing traffic was being allowed, but not incoming. This of course makes perfect sense, since “-m owner --uid-owner” (what I use to specify which app I want to block/allow) only matches locally generated, i.e. outgoing, traffic. Fortunately I remembered that I could use “-m state --state RELATED,ESTABLISHED” to match packets belonging to a connection that is already established, or that has at least completed one end of the handshake. It works in this case because the outgoing SYN from the app has already been allowed.
Technically, this new change does mean that a connection already carrying malicious traffic will be allowed to continue, but once that specific connection terminates any attempt at a new connection should fail. Since any new connections should fail, this change should not present any real security threat, and certainly not one that outweighs the advantage of the block-all scheme being functional. Besides, the odds of catching malicious traffic mid-connection are not high. If you are worried about this, disabling all network traffic (airplane mode) for a bit should cause any current connections to time out, and anything not allowed under the rules will be blocked once you turn your network connections back on.
*Note on use: App rules have precedence over the default behavior, and IP/URL rules have precedence over app rules. If you select the block-all scheme as the default but allow a browser app, you will be able to access any website from the browser. However, if you block the browser, you will still be able to access any specifically allowed website. Thus if you have block-all as the default and block the browser app, but you have specific rules to allow access to certain IPs/URLs, you will be able to access them in the blocked browser. Conversely, with an allow-all default and an unblocked browser app, any IPs/URLs with specific rules blocking them will be inaccessible.
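As an added illustration (not the firewall app's own code), the script below prints the iptables commands that realise the rule ordering from the note above (IP rules first, then per-app UID rules, then the default scheme) together with the RELATED,ESTABLISHED rule on INPUT that the bug fix required; the chain name, function names and the sample UIDs and addresses are assumptions.

```shell
#!/bin/sh
# Added example: generate (not execute) the iptables rules for the firewall
# scheme described on this page. Review the output, then pipe it to sh on a
# rooted device where an iptables binary is available (assumption).

CHAIN="fwapp_out"   # assumed chain name, not the app's

# Map an "allow"/"block" verdict to an iptables target.
target() { [ "$1" = "allow" ] && echo ACCEPT || echo REJECT; }

# Usage: emit_rules DEFAULT "uid:allow uid:block ..." "ip:allow ip:block ..."
# DEFAULT is "allow" (allow-all scheme) or "block" (block-all scheme).
emit_rules() {
    default="$1"; app_rules="$2"; host_rules="$3"
    echo "iptables -N $CHAIN"
    echo "iptables -F $CHAIN"
    # Host rules come first in the chain, so they win over app rules.
    for entry in $host_rules; do
        ip="${entry%%:*}"; verdict="$(target "${entry#*:}")"
        echo "iptables -A $CHAIN -d $ip -j $verdict"
    done
    # App rules: -m owner only sees locally generated packets, which is why
    # this chain is hooked into OUTPUT and cannot classify incoming traffic.
    for entry in $app_rules; do
        uid="${entry%%:*}"; verdict="$(target "${entry#*:}")"
        echo "iptables -A $CHAIN -m owner --uid-owner $uid -j $verdict"
    done
    # Default scheme applies to anything no host or app rule matched.
    echo "iptables -A $CHAIN -j $(target "$default")"
    echo "iptables -A OUTPUT -j $CHAIN"
    # The fix from the post: replies to connections that were allowed out
    # must be let back in, since owner matching cannot identify them.
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Demo with constructed values: block-all default, a blocked "browser" UID
# 10052, and one allowed address that stays reachable from that browser.
emit_rules block "10052:block" "203.0.113.5:allow"
```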