Sadly, no. That would be a great feature. The sysctl setting for dynamic rule lifetime is for all UDP.
But since the firewall itself is responsible for most of the DNS and NTP traffic, I can write non-stateful rules for that. The recursive resolver on that port won't respond to outside queries for DNS, and NTP ignores commands from strangers.

On Sun, Apr 11, 2021 at 2:32 PM Matt Joras <matt.jo...@gmail.com> wrote:
> Hi Michael,
>
> On Sun, Apr 11, 2021 at 2:27 PM Michael Sierchio <ku...@tenebras.com> wrote:
> >
> > On Sun, Apr 11, 2021 at 2:20 PM Matt Joras <mjo...@freebsd.org> wrote:
> >
> > > Hi Michael,
> > >
> > > On Sun, Apr 11, 2021, 1:25 PM Michael Sierchio <ku...@tenebras.com> wrote:
> > >
> > >> Hi, all. I noticed my firewall was dropping what seemed to be unsolicited
> > >> UDP connections from Google and Facebook, but this turned out to be QUIC
> > >> traffic. The traffic can be initiated by the browser (or other supporting
> > >> software) or the server. The problem is that dynamic rules generally don't
> > >> cut it – UDP traffic here is predominantly NTP and DNS, and the dynamic
> > >> rule lifetime for UDP is very short (3-6 s). And of course they don't work
> > >> at all for traffic initiated by the server side.
> > >>
> > >
> > > QUIC connections aren't initiated by the server. The browser is initiating
> > > these connections. I'm not an ipfw user, the best generic firewall strategy
> > > would be to have some sort of flow tracking for ~30s for UDP flows
> > > associated with tuples originating on the client for remote port 443. 443
> > > will cover the vast majority of Internet cases, as QUIC is only being used
> > > at scale for HTTP/3.
> > >
> >
> > Hej, Matt. Thanks. That's a solution that occurred to me, but it means a
> > ton of dynamic rules will get instantiated for ephemeral DNS lookups – 3
> > seconds is a very long time for a conversation with a DNS server, because
> > it has probably recursed from the root zone all the way to the A record in
> > a fraction of that time. 30 seconds is forever – well, since UDP doesn't
> > have an analogue to a FIN or RST, the rule doesn't go away when the
> > conversation does.
>
> Is it not possible to do the dynamic rule instantiation for select UDP
> ports, i.e. 443? That may cause issues if DNS-over-HTTP/3 becomes a
> thing, but at least for now it would exclude DNS.
>
> > I'll get some metrics on it. Thanks again.
> >
> > --
> >
> > "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> > wiser, but an intelligent person requires only two thousand five hundred."
> >
> > - The Mahābhārata
>
> Matt Joras

--
"Well," Brahmā said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
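The split described in the thread (stateless rules for the firewall's own DNS and NTP, dynamic state only for client-originated UDP/443) as an added ipfw ruleset; this is example code written for this page, not anything posted in the thread. It assumes the outside interface is `em0`, that the resolver and ntpd run on the firewall host itself (`me`), and that rule numbers 1000-2020 are free.

```shell
#!/bin/sh
# Added example: ipfw rules that keep DNS/NTP out of the dynamic-rule table
# while still tracking outbound QUIC (UDP/443) flows.
# Assumptions: outside interface em0, resolver and ntpd run on this host.
IPFW="${IPFW:-ipfw}"   # set IPFW=echo for a dry run that only prints rules

quic_udp_rules() {
    # Stateless rules for the host's own DNS and NTP traffic: no keep-state,
    # so an ephemeral lookup never occupies a dynamic-rule slot for 3-30 s.
    $IPFW add 1000 allow udp from me to any 53,123 out via em0
    # The matching inbound rule admits any datagram sourced from port 53/123;
    # as the thread notes, it relies on the resolver and ntpd ignoring
    # unsolicited outside queries rather than on firewall state.
    $IPFW add 1010 allow udp from any 53,123 to me in via em0

    # Match existing dynamic state (return QUIC traffic) before stateful rules.
    $IPFW add 2000 check-state
    # Only client-originated UDP/443 (QUIC / HTTP/3) creates dynamic state,
    # which is what the thread suggests instead of keep-state on all UDP.
    $IPFW add 2010 allow udp from any to any 443 out via em0 keep-state
    # Remaining unsolicited inbound UDP is dropped.
    $IPFW add 2020 deny udp from any to any in via em0
    # net.inet.ip.fw.dyn_udp_lifetime still applies to all UDP state, but with
    # DNS/NTP stateless, raising it (e.g. to ~30 s) now only affects UDP/443.
}

case "${1:-}" in
    apply) quic_udp_rules ;;            # sh this_script.sh apply
    dry)   (IPFW=echo; quic_udp_rules) ;;   # sh this_script.sh dry
esac
```

Run with `dry` first to review the generated rules; the order matters, since `check-state` must precede the `keep-state` rule and the final deny.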