
Lockdown: Open-source firewall that blocks app tracking, ads, snooping - tilt
https://lockdownhq.com
======
ropiwqefjnpoa
It functions similarly to other mobile ad-blockers in that it can route all
your phone's traffic over a VPN tunnel it establishes.

But the ad-blocking VPN server is 127.0.0.1, so perhaps, like it says, all the
blocking happens right on your phone.

This is what I've been waiting for if this works.

Still getting ads on instagram though.

~~~
vageli
On Android, DNS66 does exactly this, available on F-Droid.
[https://f-droid.org/en/packages/org.jak_linux.dns66/](https://f-droid.org/en/packages/org.jak_linux.dns66/)

~~~
flavor8
Blokada seems to be very similar to DNS66, and is more actively maintained.
Any reason to prefer DNS66?

~~~
ignoramous
Blokada doesn't DoH or DoT the last time I checked, but they have added a
wireguard-based paid VPN service, which is nice.

Intra [0] can DoH (but no on-device custom blocklists) and Nebulo [1] can DoH
and DoT (with on-device blocklists). Personally, I see better latencies with
DoH.

Ref:
[https://news.ycombinator.com/item?id=21598413](https://news.ycombinator.com/item?id=21598413)

--

[0] [https://getintra.org](https://getintra.org) + adguard-dns or nextdns

[1]
[https://play.google.com/store/apps/details?id=com.frostnerd....](https://play.google.com/store/apps/details?id=com.frostnerd.smokescreen)
+ adguard-dns or nextdns or hostfiles

~~~
dmix
For those unfamiliar with the acronyms.

DoH = DNS over HTTPS

DoT = DNS over TLS

Very useful apps!

------
whalesalad
Looks like the core of this is done via
[https://developer.apple.com/documentation/networkextension](https://developer.apple.com/documentation/networkextension)

some cool stuff here:

- Content Filter Providers:
[https://developer.apple.com/documentation/networkextension/c...](https://developer.apple.com/documentation/networkextension/content_filter_providers)

- DNS Proxy Provider:
[https://developer.apple.com/documentation/networkextension/d...](https://developer.apple.com/documentation/networkextension/dns_proxy_provider)

~~~
twodayslate
This application is not using either of those APIs (Content Filter or DNS
Proxy).

> Content filter providers are only supported on supervised iOS devices.

> DNS proxy providers are only supported on supervised iOS devices.

------
kodablah
Is there anywhere with an in-depth overview of what this does? Does it just
fail DNS requests and block known IPs? How are the lists maintained and
updated? With TLS and it surely not mitm-ing connections, that's all it can do
correct?

~~~
josteink
> With TLS and it surely not mitm-ing connections, that's all it can do
> correct?

Unless it also acts as a web-proxy, yes.

~~~
winternett
It can possibly access all your activity, contacts, microphone, and camera...
Hard pass from me at the moment. :/

~~~
hosteur
> It can possibly access all your activity, contacts, microphone, and
> camera... Hard pass from me at the moment. :/

Camera and mic? How does it do this as a vpn? I see no requests for such
things in iOS settings for the app.

~~~
winternett
It's an app you install on your phone. That app can use any service on the
device if system permissions allow it. Also, tracking and libraries or spyware
can be embedded in the app itself which could potentially circumvent device
security.

------
pgl
It's "open source", but there's only been 5 commits since August last year?
Where do the updates to blocking rules etc come from?

Also, the homepage states "Over 1 Billion Trackers Blocked", but that really
feels misleading.

I'd say Guardian Firewall is a much better choice:
[https://twitter.com/guardianiosapp](https://twitter.com/guardianiosapp)

~~~
eugeniub
$10/month is a lot for a firewall.

~~~
willstrafach
Important to note, our app is a VPN as well. This way, with the bulk of our
business logic on the server-side, device battery is saved and we can do
real-time block list updates rather than the app needing to pull down a new
rule set.

The $1/day / $10/month / $100/year has been fairly well received, but may not
be for everyone, especially those who enjoy running their own VPN server
and/or curating their own block lists.

~~~
wtmt
> The $1/day / $10/month / $100/year has been fairly well received,

...in countries where $100 a year isn’t a lot for one subscription.

> but may not be for everyone, especially those who enjoy running their own
> VPN server and/or curating their own block lists.

...and also not for those in countries where $100 a year is a whole lot of
money for one subscription.

------
Fnoord
On macOS, we got a port of OpenBSD pf (probably not up to date though). I've
been able to convert hosts files to OpenBSD pf format in, when was it, 2002?
What you'd need to do is create an anchor. Perhaps there's a GUI for it as
well for those who prefer. There's at least pfBlockerNG which basically does
that for pfSense. [1] FWIW, all of this existed before Pi-Hole (or Raspberry
Pi for that matter). IIRC there was also a converter script for hosts files to
iptables rules.

Is it possible to import such rules to Little Snitch? That's the go to
firewall on macOS, though it is proprietary. There's also LuLu, a FOSS
firewall for macOS. [2]

Now, from my memory, these block lists did cost quite some memory on a machine
with 512 MB RAM. Even though it'd do dedup. What one could also do is build up
a VPN with a remote server (in the cloud, or at home) and, say, use
WireGuard to have a secure connection while using a remote DNS on the VPN to
get ads blocked.

[1]
[https://www.linuxincluded.com/block-ads-malvertising-on-pfse...](https://www.linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl/)

[2]
[https://github.com/objective-see/LuLu](https://github.com/objective-see/LuLu)

~~~
salzig
On the product page[1] of Little Snitch you'll find a mention of a "blocklist"
feature.

[1]
[https://www.obdev.at/en/products/littlesnitch/index.html](https://www.obdev.at/en/products/littlesnitch/index.html)

~~~
Fnoord
Sweet, it was added in 4.1. Thanks for the heads up!

I found this list (by Peter Lowe) for Little Snitch [1]. There's also a shell
script to convert to Little Snitch rules [2]

[1]
[https://pgl.yoyo.org/adservers/serverlist.php?hostformat=lit...](https://pgl.yoyo.org/adservers/serverlist.php?hostformat=littlesnitch-rule-group-subscriptions&mimetype=plaintext)

[2]
[https://gist.github.com/SethCalkins/1ac3bee593b37067b489cd6e...](https://gist.github.com/SethCalkins/1ac3bee593b37067b489cd6e275b60ff)

------
GeoffIsTheBest
As a pihole user for years I recently bought a firewalla blue. Installed
pihole on the firewalla, turned off firewalla ad blocking, and done.

I can VPN to my home ad blocking network from anywhere, have more insights
into my home network shenanigans, and still use my personal block list built
over years. Super easy and most importantly, done.

~~~
pbhjpbhj
I'm not sure I get it? Why not run OpenVPN on your pihole's RPi, forward the
port on your router, bingo-bango-bongo?? What extra are you getting with the
firewalla? Is it 'just' ease of administration (which is probably worth the
price!)?

------
Perizors
Seems to operate the same way adguard from mac/android does?

------
rudedogg
I gave this a try on macOS, but I still see all the ads I'm used to.

It looks like the block lists are really short
([https://github.com/confirmedcode/Lockdown-Mac/tree/master/Bl...](https://github.com/confirmedcode/Lockdown-Mac/tree/master/Block%20Lists)).

------
throwaway3157
I use Firefox Focus and this looks similar for mobile (though they add MacOS
too). Has anyone evaluated the difference?

~~~
twodayslate
Firefox Focus does not block ads the same way as Lockdown does. Lockdown uses
the [Packet Tunnel Provider](https://developer.apple.com/documentation/networkextension/packet_tunnel_provider)
API which has the added benefit of "protecting" the entire device (not just
your browser).

------
mongro1
So pihole then.

~~~
procinct
This is at the device level as opposed to network level of pihole.

------
DavideNL
The unfortunate truth is, Apple does not allow us to use a firewall on iOS.

This is a DNS-sinkhole, which can be easily circumvented by apps (for example
by using hard coded IPs.)

I would say it's rather dishonest to state your app is a Firewall on the front
page, when in fact it is not.
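
The DNS-sinkhole limitation raised in this comment, as an added example that is not part of the thread or of Lockdown's code: a hosts-format blocklist is applied to DNS queries, then tunnel connections are checked for destinations that no DNS answer ever returned. All function names, domains and addresses are constructed, and matching subdomains of a listed name is an assumption about how the sinkhole matches.

```python
# Added example: constructed data, hypothetical names throughout.
import ipaddress

BLOCKLIST_HOSTS = """\
# constructed hosts-format blocklist
0.0.0.0 tracker.example
0.0.0.0 ads.example.net
"""

def load_blocklist(text):
    """Return the set of blocked domains from hosts-format text."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) >= 2:                      # first column is the sink address
            blocked.update(name.lower().rstrip(".") for name in fields[1:])
    return blocked

def is_sinkholed(qname, blocked):
    """True if qname or any parent domain is on the blocklist (assumed policy)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def unresolved_connections(dns_answers, connections):
    """Flag outbound connections to IPs that no DNS answer ever returned.

    dns_answers: iterable of (qname, ip) pairs the resolver handed out.
    connections: iterable of (app, dst_ip) pairs seen on the tunnel.
    """
    resolved = {ipaddress.ip_address(ip) for _, ip in dns_answers}
    return [(app, dst) for app, dst in connections
            if ipaddress.ip_address(dst) not in resolved]

# Constructed sample traffic (documentation address ranges).
QUERIES = ["cdn.tracker.example", "news.example.org", "ads.example.net"]
DNS_ANSWERS = [("news.example.org", "192.0.2.10")]
CONNECTIONS = [("browser", "192.0.2.10"), ("game", "203.0.113.7")]

if __name__ == "__main__":
    blocked = load_blocklist(BLOCKLIST_HOSTS)
    for q in QUERIES:
        print(q, "-> sinkholed" if is_sinkholed(q, blocked) else "-> resolved")
    for app, dst in unresolved_connections(DNS_ANSWERS, CONNECTIONS):
        print("no DNS lookup preceded connection:", app, dst)
```

The second check is the one a DNS-only filter cannot enforce: the connection to 203.0.113.7 never touched the resolver, so only a log of tunnel destinations reveals it.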

------
rubyfan
Wish I could use this AND 1.1.1.1 Warp. iPhone doesn’t seem to be able to do
both.

~~~
newscracker
That was my observation too. They’re both classified as the same class of
“VPN” services. So you’d have to choose one or the other. Other VPN apps and
services, such as ProtonVPN and Guardian Firewall, can be enabled while using
1.1.1.1 or DNSCloak.

------
Bellamy
Block this! For Android. [https://block-this.com/](https://block-this.com/)

------
StopHammoTime
I did a test of this. uBlock Origin blocked all the calls before it made it to
the firewall. IMO why would you use anything else.

~~~
newscracker
There is no uBlock Origin for iOS, and never will be because of Apple’s list
based content blocking mechanism where the blocker doesn’t intercept and
process requests. It just provides the block list to Safari, which is also the
only rendering engine (that can be) used by every browser on iOS.

------
newscracker
Unfortunately, the Mac version requires 10.15 (Catalina) or later. I won't be
touching that for quite some time to come.

------
mirimir
Does Apple ban apps that interfere with other apps?

Or is it Google that does that?

------
egdod
For an open source app distributed on the App Store, is there actually any way
of verifying that what you get on your phone is the same as the source code
you can read?

~~~
rectang
Checksum of a binary package against checksum of a reproducible build?

~~~
egdod
How do you run a checksum of a binary you download to your phone?

------
WarOnPrivacy
Headline might want to note IT'S MAC ONLY

