Fine-grained Firewall Control?

I have traditionally used AFWall+, which requires root, on my phones for a firewall. I've used it in conjunction with a VPN, set to automatically block apps after they are installed, and set apps to either only run over the VPN, only connect to LAN addresses, or both. I require this functionality for a couple of apps (Kore being #1, as it's the remote for my TV).
Now I have a new phone and am new to GrapheneOS.
Since GrapheneOS doesn't have root (and can't get root unless I recompile it myself, if my understanding is correct), I can't use AFWall+. Enabling the killswitch for my VPN blocks apps from accessing the LAN, and not enabling the killswitch allows apps to connect to the internet directly, which I want to avoid.
What are my possible solutions for this?

    • [deleted]

    You're supposed to be using the network permission. Denylist/blocking firewalls do not work and don't protect you from anything. If an app can make arbitrary DNS requests, it can connect to anything and bypass your denylist firewall. An app either has internet access or it doesn't.

    See https://grapheneos.org/faq#firewall

    mactroneng The functionality you're requesting has to be implemented by the VPN. Use a VPN service with support for it.