Hi Michael,

On Sun, Apr 11, 2021, 1:25 PM Michael Sierchio <ku...@tenebras.com> wrote:

> Hi, all. I noticed my firewall was dropping what seemed to be unsolicited
> UDP connections from Google and Facebook, but this turned out to be QUIC
> traffic. The traffic can be initiated by the browser (or other supporting
> software) or the server. The problem is that dynamic rules generally don't
> cut it – UDP traffic here is predominantly NTP and DNS, and the dynamic
> rule lifetime for UDP is very short (3-6 s). And of course they don't work
> at all for traffic initiated by the server side.

QUIC connections aren't initiated by the server. The browser is initiating
these connections. I'm not an ipfw user; the best generic firewall strategy
would be to have some sort of flow tracking for ~30s for UDP flows associated
with tuples originating on the client for remote port 443. 443 will cover the
vast majority of Internet cases, as QUIC is only being used at scale for HTTP/3.

> My kludgy solution at present is to troll the dynamic rules, locate the TCP
> connections in them with 443 and 5228 as the target port, and add those
> addresses to a table that permits UDP traffic from those ports. I only see
> QUIC on IPv6, by the way. The cron job runs once per minute, adds the
> addresses seen, and deletes those older than N seconds. I use time_t
> seconds since epoch as the table arg, so I know when it was added or
> refreshed.
>
> Any suggestions on a better solution?
>
> Thanks.
>
> – M
>
> --
>
> "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent person requires only two thousand five hundred."
>
> - The Mahābhārata
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Matt Joras
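The cron-job approach Michael describes (harvest TCP 443/5228 peers from the dynamic rules, stamp them into a table with the epoch time, expire entries older than N seconds), written out as an added POSIX sh example that is not code from either poster. The table name, the column layout of `ipfw -d list` and `ipfw table NAME list`, the permit rule in the comments and the sample listings in the test are assumptions or constructed; check them against your FreeBSD version.

```shell
#!/bin/sh
# Added example, not code from the thread: the once-a-minute cron job
# Michael describes, with the parsing split out so it can be tested on
# text without a live ipfw.
# Assumptions: the table name below; the column layout of `ipfw -d list`
# ("... STATE tcp SRC SPORT <-> DST DPORT ...") and of `ipfw table NAME
# list` ("ADDR/PREFIX VALUE"); and that the table was created once with
#   ipfw table quicpeers create type addr
# and is consumed by a rule along the lines of (adapt to your ruleset)
#   ipfw add allow udp from 'table(quicpeers)' 443 to me
# Matt's alternative (keep-state on outbound UDP/443 with the
# net.inet.ip.fw.dyn_udp_lifetime sysctl raised to ~30, see ipfw(8))
# needs no script at all.

TABLE=${TABLE:-quicpeers}   # assumed table name
MAXAGE=${MAXAGE:-300}       # Michael's "N": seconds of silence before a peer is dropped

# stdin: `ipfw -d list` output. Print the remote address of every TCP state
# whose remote port is 443 or 5228 (the two ports from the original mail).
extract_peers() {
    awk '/STATE tcp/ {
        addr = ""; port = ""
        for (i = 1; i <= NF; i++)
            if ($i == "<->") { addr = $(i + 1); port = $(i + 2) }
        if (port == 443 || port == 5228) print addr
    }' | sort -u
}

# stdin: `ipfw table NAME list` output, where the value column is the epoch
# time stored on insert. $1 is the current epoch time. Print the entries
# whose timestamp is older than MAXAGE seconds.
expired_peers() {
    awk -v now="$1" -v max="$MAXAGE" 'NF >= 2 && now - $2 > max { print $1 }'
}

# Only this function touches the live firewall.
refresh_table() {
    now=$(date +%s)
    ipfw -d list | extract_peers | while read -r addr; do
        # delete-then-add refreshes the timestamp of a peer already present
        ipfw -q table "$TABLE" delete "$addr" 2>/dev/null
        ipfw -q table "$TABLE" add "$addr" "$now"
    done
    ipfw table "$TABLE" list | expired_peers "$now" | while read -r entry; do
        ipfw -q table "$TABLE" delete "$entry"
    done
}

case "${1:-}" in
    run) refresh_table ;;   # e.g. from crontab: * * * * * /path/to/script run
esac
```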