Date:      Sun, 11 Apr 2021 14:43:32 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        Matt Joras <matt.joras@gmail.com>
Cc:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>, FreeBSD Net <freebsd-net@freebsd.org>
Subject:   Re: How to support QUIC with ipfw
Message-ID:  <CAHu1Y71TC2wpzcC2rMZG_qZcO7o=QSjwkRVjhzNq_gje0E7Fjw@mail.gmail.com>
In-Reply-To: <CADdTf+hJz-ZWMMTvKBW+9xOWKRpE7h_k1sga5JVvTY6C_aSkGQ@mail.gmail.com>
References:  <CAHu1Y73zGYPmsDu6YhzES0FHkZPpVdxL==h_zoRrjdDr9UTQVQ@mail.gmail.com> <CADdTf+gpB6D2pZKOtbs1Kqc0rSOztUR3rnjZCunYxzX-uocFYw@mail.gmail.com> <CAHu1Y72E9xH7Z0ZUK5dh44FekFeRyQbWDmUKG8PaVwRB4J=gWA@mail.gmail.com> <CADdTf+hJz-ZWMMTvKBW+9xOWKRpE7h_k1sga5JVvTY6C_aSkGQ@mail.gmail.com>

Sadly, no.  That would be a great feature.  The sysctl setting for
dynamic rule lifetime is for all UDP.

But since the firewall itself is responsible for most of the
DNS and NTP traffic, I can write non-stateful rules for that.  The
recursive resolver on that port won't respond to outside queries for
DNS, and NTP ignores commands from strangers.



On Sun, Apr 11, 2021 at 2:32 PM Matt Joras <matt.joras@gmail.com> wrote:

> Hi Michael,
>
> On Sun, Apr 11, 2021 at 2:27 PM Michael Sierchio <kudzu@tenebras.com>
> wrote:
> >
> > On Sun, Apr 11, 2021 at 2:20 PM Matt Joras <mjoras@freebsd.org> wrote:
> >
> > > Hi Michael,
> > >
> > > On Sun, Apr 11, 2021, 1:25 PM Michael Sierchio <kudzu@tenebras.com>
> wrote:
> > >
> > >> Hi, all.  I noticed my firewall was dropping what seemed to be
> > >> unsolicited UDP connections from Google and Facebook, but this turned
> > >> out to be QUIC traffic. The traffic can be initiated by the browser (or
> > >> other supporting software) or the server.  The problem is that dynamic
> > >> rules generally don't cut it – UDP traffic here is predominantly NTP
> > >> and DNS, and the dynamic rule lifetime for UDP is very short (3-6 s).
> > >> And of course they don't work at all for traffic initiated by the
> > >> server side.
> > >>
> > >
> > > QUIC connections aren't initiated by the server. The browser is
> > > initiating these connections. I'm not an ipfw user; the best generic
> > > firewall strategy would be to have some sort of flow tracking for ~30s
> > > for UDP flows associated with tuples originating on the client for
> > > remote port 443. 443 will cover the vast majority of Internet cases, as
> > > QUIC is only being used at scale for HTTP/3.
> > >
> > >
> > Hej, Matt. Thanks. That's a solution that occurred to me, but it means a
> > ton of dynamic rules will get instantiated for ephemeral DNS lookups – 3
> > seconds is a very long time for a conversation with a DNS server, because
> > it has probably recursed from the root zone all the way to the A record in
> > a fraction of that time.  30 seconds is forever – well, since UDP doesn't
> > have an analogue to a FIN or RST, the rule doesn't go away when the
> > conversation does.
>
> Is it not possible to do the dynamic rule instantiation for select UDP
> ports, i.e. 443? That may cause issues if DNS-over-HTTP/3 becomes a
> thing, but at least for now it would exclude DNS.
>
> >
> > I'll get some metrics on it. Thanks again.
> >
> >
> > --
> >
> > "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> > wiser, but an intelligent person requires only two thousand five hundred."
> >
> > - The Mahābhārata
>
> Matt Joras
>


-- 

"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata


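The arrangement the thread converges on, written out as an added example (it is not code from either poster): dynamic rules only for client-initiated UDP to remote port 443, and stateless rules for the DNS and NTP traffic the firewall host itself generates, so the global UDP dynamic-rule lifetime sysctl (net.inet.ip.fw.dyn_udp_lifetime in ipfw(8)) never has to be stretched for resolver chatter. The inside network, rule numbers and temporary file path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an ipfw(8) rule file in the
# "add ..." form that `ipfw <file>` reads, so it can be reviewed before it is
# applied. INSIDE_NET, rule numbers and the temp path are constructed values.

# Print the ruleset for the given inside network (default is a constructed
# documentation prefix).
gen_ipfw_rules() {
    inside_net="${1:-192.0.2.0/24}"
    cat <<EOF
# Packets belonging to an existing dynamic rule are matched here first,
# which is how the UDP/443 replies get back in.
add 00100 check-state
# The firewall's own recursive resolver and NTP client are handled
# statelessly: no dynamic rule is created, so the short UDP lifetime does
# not matter for them. The reply rules accept any UDP from source port
# 53/123 to this host; they rely on the resolver not answering outside
# queries and on NTP ignoring commands from strangers, as the thread says.
add 00200 allow udp from me to any 53 out
add 00210 allow udp from any 53 to me in
add 00220 allow udp from me to any 123 out
add 00230 allow udp from any 123 to me in
# QUIC: only flows the inside network opens to remote port 443 get a
# dynamic rule. A stateful rule for all UDP from ${inside_net} would also
# create one per DNS lookup, which is the problem raised in the thread.
add 00300 allow udp from ${inside_net} to any 443 out keep-state
# Everything else over UDP is dropped, including unsolicited inbound QUIC.
add 00400 deny log udp from any to any
EOF
}

# Sanity check for a generated rule file on stdin: print the destination
# port of every UDP rule that creates dynamic state. Following the thread's
# advice, the only port printed should be 443.
udp_keep_state_ports() {
    grep -E '^add .*udp .*keep-state' | sed -E 's/.* to [^ ]+ ([0-9]+) .*/\1/'
}

case "${1:-print}" in
    print)
        gen_ipfw_rules "$2"
        ;;
    apply)
        # Needs root on a FreeBSD host with ipfw loaded; flushes and reloads.
        gen_ipfw_rules "$2" > /tmp/quic-ipfw.rules
        ipfw -q -f flush
        ipfw -q /tmp/quic-ipfw.rules
        ;;
esac
```

Run without arguments to print the ruleset, or with `apply 10.0.0.0/8` to load it. Matt's caveat still applies: if DNS over HTTP/3 comes into use, those lookups will match the UDP/443 rule and create dynamic state like any other QUIC flow.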
