I am running a rooted LGA V400 tablet with Android 4.4.2 Kernel version 3.4.0+, software version v40010e and build number KOT49l.A1403851534. The tablet does not have provisions for a data connection via a SIM card- wifi only.
I am using the connections tab in eolwral OS monitor to keep track of what connections the various applications and the OS are making with the outside i.e.. via wi-fi. I also am running AFWall + to shut down phone home garbage. I had Droidwall installed before this. Neither Droidwall nor AFWall + shut down non whitelisted connections......
As normal course of operation the ONLY applications I whitelist are
Internet (the built in browser)
Kaspersky Internet Security
Sun, Moon & Planets
As I am writing this the tablet has an uptime of 1 hr 42 minutes. The only existing connection to the internet according to OSMonitor is Youtube through 127.0.0.1:42818. Youtube is NOT whitelisted. Also please note that I am composing this post on my laptop.
If I restart the tablet things change radically. I have 19 connections either syn_sent, time_wait,Listening or Established. Most are from System although there are things like Google Account Manager (not whitelisted) Qualcom, Youtube (again) and things like Google Input Services. On the first boot of the day its is worse with more of the system connections to various IP's in various states, Kernel connections (not whitelisted) App updates(not whitelisted), Google backup Transport and its group (not whitelisted), Google Partner Setup ( not whitelisted), Hidden Person Menu (not whitelisted), Software Update (not whitelisted), and a group of others appear which are not whitelisted.
My questions are-
. If either Droidwall or AFWall+ are true IPTables firewalls how and why is all of this crap able to get on wifi?
When transport for a certain service is not available i.e. blocked by a firewall does Android do something different with the connection request to enable it i.e. the plethora of system connections? It appears to me that AFWall+ isn't working as advertised because of f these leakers-
Most of the connections appear at boot up- is what is happening that these connections are established before AFWall+ gets up and running and it does not have the ability to close them? Note that on boot up after the GUI is running I get a SuperSU notification that AFWall + has been granted root permission so I am curious about the order of things starting i.e. a lot of the connection sockets being established before the firewall is running.
Finally- the V400 is somewhat of a stepchild. Is there another version of Android I can load on this platform that will work?
Thanks to all for the expertise here. I searched the forum before posting this as well as the internet, I am experienced with Unix and Linux and have done IPTables in non Android OS'es. I find what I am seeing here disturbing. Any help or suggestions would be deeply appreciated.