From: Matt Joras
Date: Sun, 11 Apr 2021 14:20:28 -0700
Subject: Re: How to support QUIC with ipfw
To: Michael Sierchio
Cc: freebsd-ipfw@freebsd.org, FreeBSD Net
List-Id: Networking and TCP/IP with FreeBSD

Hi Michael,

On Sun, Apr 11, 2021, 1:25 PM Michael Sierchio wrote:
> Hi, all. I noticed my firewall was dropping what seemed to be unsolicited
> UDP connections from Google and Facebook, but this turned out to be QUIC
> traffic. The traffic can be initiated by the browser (or other supporting
> software) or the server. The problem is that dynamic rules generally don't
> cut it – udp traffic here is predominantly NTP and DNS, and the dynamic
> rule lifetime for UDP is very short (3-6 s). And of course they don't work
> at all for traffic initiated by the server side.
>

QUIC connections aren't initiated by the server. The browser is initiating
these connections. I'm not an ipfw user. The best generic firewall strategy
would be to have some sort of flow tracking for ~30s for UDP flows associated
with tuples originating on the client for remote port 443. 443 will cover the
vast majority of Internet cases, as QUIC is only being used at scale for HTTP/3.

> My kludgy solution at present is to troll the dynamic rules, locate the TCP
> connections in them with 443 and 5228 as the target port, and add those
> addresses to a table that permits UDP traffic from those ports. I only see
> QUIC on IPv6, by the way. The cron job runs once per minute, adds the
> addresses seen, and deletes those older than N seconds. I use time_t
> seconds since epoch as the table arg, so I know when it was added or
> refreshed.
>
> Any suggestions on a better solution?
>
> Thanks.
>
> – M
>
> --
>
> "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent person requires only two thousand five hundred."
>
> - The Mahābhārata

Matt Joras
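As an added example (not code from either poster or from the FreeBSD project), here is a shell sketch of the cron-job approach Michael describes: pull the remote peers of established TCP states to ports 443/5228 out of the ipfw dynamic rules, store them in an ipfw table with the current epoch time as the value, and delete entries older than N seconds. It assumes the dynamic-rule and `ipfw table ... list` line formats shown in the constructed sample and that `ipfw -q table ... add` refreshes an existing key's value; the table name `quic_peers` and the `MAX_AGE` knob are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a sketch of the cron-job approach the
# post describes, as shell functions that turn ipfw dynamic-rule lines into
# "ipfw table" commands. The quic_peers table stores the epoch time of the
# last refresh as each entry's value, so stale peers can be deleted later.
# The dynamic-rule and "table list" line formats are assumptions, and the
# sample input at the bottom is constructed.

TABLE=quic_peers
MAX_AGE=${MAX_AGE:-120}   # N seconds a peer stays allowed after its last refresh

# Print the remote address of every established TCP state whose remote port is
# 443 or 5228, reading "ipfw -d list" style lines on stdin. IPv4 and IPv6
# addresses are single tokens, so both are handled.
quic_peers_from_dyn() {
    awk '$5 == "STATE" && $6 == "tcp" && $9 == "<->" &&
         ($11 == 443 || $11 == 5228) { print $10 }' | sort -u
}

# Print table keys whose stored epoch value is older than MAX_AGE seconds,
# reading "addr/prefix value" lines (as from "ipfw table NAME list") on stdin.
stale_peers() {   # $1 = current epoch time
    awk -v now="$1" -v max="$MAX_AGE" \
        'NF >= 2 && now - $2 > max { sub("/[0-9]+$", "", $1); print $1 }'
}

# Emit the ipfw commands for one cron run: $1 = now, $2 = file with the dynamic
# rules, $3 = file with the current table listing. "-q" on add is assumed to
# refresh an existing key's value instead of failing.
refresh_commands() {
    quic_peers_from_dyn < "$2" | while read -r peer; do
        printf 'ipfw -q table %s add %s %s\n' "$TABLE" "$peer" "$1"
    done
    stale_peers "$1" < "$3" | while read -r peer; do
        printf 'ipfw table %s delete %s\n' "$TABLE" "$peer"
    done
}

# Constructed sample input standing in for "ipfw -d list" and "ipfw table list".
DYN=$(mktemp); TBL=$(mktemp)
cat > "$DYN" <<'EOF'
00100 12 3456 (299s) STATE tcp 192.0.2.10 51234 <-> 198.51.100.7 443 :default
00100 3 200 (5s) STATE udp 192.0.2.10 40000 <-> 192.0.2.1 53 :default
00100 8 900 (280s) STATE tcp 2001:db8::10 51235 <-> 2001:db8:1::7 443 :default
00100 2 100 (100s) STATE tcp 192.0.2.10 51237 <-> 203.0.113.9 22 :default
EOF
printf '198.51.100.7/32 1618176000\n203.0.113.55/32 1618175000\n' > "$TBL"
refresh_commands 1618176038 "$DYN" "$TBL"   # prints the add/delete commands
rm -f "$DYN" "$TBL"
```

In a real cron job the two files would be replaced by the live output of `ipfw -d list` and `ipfw table quic_peers list`, and the emitted commands piped to `sh`; a rule such as `ipfw add allow udp from 'table(quic_peers)' 443 to me in` then consumes the table.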