From: Matt Joras
Date: Sun, 11 Apr 2021 14:32:05 -0700
Subject: Re: How to support QUIC with ipfw
To: Michael Sierchio
Cc: freebsd-ipfw@freebsd.org, FreeBSD Net
List-Id: Networking and TCP/IP with FreeBSD

Hi Michael,

On Sun, Apr 11, 2021 at 2:27 PM Michael Sierchio wrote:
>
> On Sun, Apr 11, 2021 at 2:20 PM Matt Joras wrote:
>
> > Hi Michael,
> >
> > On Sun, Apr 11, 2021, 1:25 PM Michael Sierchio wrote:
> >
> >> Hi, all. I noticed my firewall was dropping what seemed to be unsolicited
> >> UDP connections from Google and Facebook, but this turned out to be QUIC
> >> traffic. The traffic can be initiated by the browser (or other supporting
> >> software) or the server. The problem is that dynamic rules generally don't
> >> cut it – UDP traffic here is predominantly NTP and DNS, and the dynamic
> >> rule lifetime for UDP is very short (3-6 s). And of course they don't work
> >> at all for traffic initiated by the server side.
> >>
> >
> > QUIC connections aren't initiated by the server. The browser is initiating
> > these connections. I'm not an ipfw user; the best generic firewall strategy
> > would be to have some sort of flow tracking for ~30s for UDP flows
> > associated with tuples originating on the client for remote port 443. 443
> > will cover the vast majority of Internet cases, as QUIC is only being used
> > at scale for HTTP/3.
> >
>
> Hej, Matt. Thanks. That's a solution that occurred to me, but it means a
> ton of dynamic rules will get instantiated for ephemeral DNS lookups – 3
> seconds is a very long time for a conversation with a DNS server, because
> it has probably recursed from the root zone all the way to the A record in
> a fraction of that time.
> 30 seconds is forever – well, since UDP doesn't
> have an analogue to a FIN or RST, the rule doesn't go away when the
> conversation does.

Is it not possible to do the dynamic rule instantiation for select UDP
ports, i.e. 443? That may cause issues if DNS-over-HTTP/3 becomes a thing,
but at least for now it would exclude DNS.

> I'll get some metrics on it. Thanks again.
>
>
> --
>
> "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent person requires only two thousand five hundred."
>
> - The Mahābhārata

Matt Joras
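One way to do what Matt's reply proposes, as an added example that is not from this thread or the ipfw project: only outbound UDP to remote port 443 creates ipfw dynamic state, DNS and NTP are matched statelessly against tables of the servers this host actually uses, and the UDP idle lifetime is raised to the ~30 s QUIC needs. It assumes an end host (rules use `me`); the resolver and NTP addresses are constructed placeholders from the documentation range.

```shell
#!/bin/sh
# Added example, not from the thread or the ipfw project. Dynamic state is
# created only for client-originated UDP/443 (QUIC); DNS and NTP are matched
# statelessly, so lookups no longer instantiate dynamic rules. Assumes an
# end host ("me"); 192.0.2.53 and 192.0.2.123 are constructed placeholders.

# Echo the commands by default; run them only when DRY_RUN=0 (as root).
fw() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'ipfw %s\n' "$*"
    else
        ipfw -q "$@"
    fi
}

quic_rules() {
    # Tables of the resolvers and NTP servers this host is allowed to use.
    fw table resolvers create type addr
    fw table resolvers add 192.0.2.53
    fw table ntpservers create type addr
    fw table ntpservers add 192.0.2.123
    # Dynamic state: only outbound UDP to remote port 443 creates it; the
    # resulting rule admits the server's replies for dyn_udp_lifetime seconds.
    fw add 1000 check-state
    fw add 1010 allow udp from me to any 443 out keep-state
    # Stateless DNS and NTP: no dynamic rule per query. The return rules accept
    # any UDP from source port 53/123 at the listed servers, so keep the
    # tables tight rather than widening them to "any".
    fw add 1020 allow udp from me to 'table(resolvers)' 53 out
    fw add 1021 allow udp from 'table(resolvers)' 53 to me in
    fw add 1030 allow udp from me to 'table(ntpservers)' 123 out
    fw add 1031 allow udp from 'table(ntpservers)' 123 to me in
    # Everything else inbound over UDP, including QUIC flows nobody opened.
    fw add 1090 deny udp from any to me in
}

# With DNS/NTP out of the dynamic table, the UDP idle timeout can be raised
# to the ~30 s a QUIC connection needs; it now applies to QUIC flows only.
quic_lifetime() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo 'sysctl net.inet.ip.fw.dyn_udp_lifetime=30'
    else
        sysctl net.inet.ip.fw.dyn_udp_lifetime=30
    fi
}

quic_rules
quic_lifetime
```

In the echoed form the `table(...)` arguments appear without quotes; quote them if you type the lines into a shell by hand.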