Date: Sun, 11 Apr 2021 14:26:57 -0700 From: Michael Sierchio <kudzu@tenebras.com> To: "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>, FreeBSD Net <freebsd-net@freebsd.org> Subject: Re: How to support QUIC with ipfw Message-ID: <CAHu1Y72E9xH7Z0ZUK5dh44FekFeRyQbWDmUKG8PaVwRB4J=gWA@mail.gmail.com> In-Reply-To: <CADdTf%2BgpB6D2pZKOtbs1Kqc0rSOztUR3rnjZCunYxzX-uocFYw@mail.gmail.com> References: <CAHu1Y73zGYPmsDu6YhzES0FHkZPpVdxL==h_zoRrjdDr9UTQVQ@mail.gmail.com> <CADdTf%2BgpB6D2pZKOtbs1Kqc0rSOztUR3rnjZCunYxzX-uocFYw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Apr 11, 2021 at 2:20 PM Matt Joras <mjoras@freebsd.org> wrote: > Hi Michael, > > On Sun, Apr 11, 2021, 1:25 PM Michael Sierchio <kudzu@tenebras.com> wrote: > >> Hi, all. I noticed my firewall was dropping what seemed to be unsolicited >> UDP connections from Google and Facebook, but this turned out to be QUIC >> traffic. The traffic can be initiated by the browser (or other supporting >> software) or the server. The problem is that dynamic rules generally >> don't >> cut it – udp traffic here is predominantly NTP and DNS, and the dynamic >> rule lifetime for UDP is very short (3-6 s). And of course they don't >> work >> at all for traffic initiated by the server side. >> > > QUIC connections aren't initiated by the server. The browser is initiating > these connections. I'm not an ipfw user, the best generic firewall strategy > would be to have some sort of flow tracking for ~30s for UDP flows > associated with tuples originating on the client for remote port 443. 443 > will cover the vast majority of Internet cases, as QUIC is only being used > at scale for HTTP/3. > > Hej, Matt. Thanks. That's a solution that occurred to me, but it means a ton of dynamic rules will get instantiated for ephemeral DNS lookups – 3 seconds is a very long time for a conversation with a DNS server, because it has probably recursed from the root zone all the way to the A record in a fraction of that time. 30 seconds is forever – well, since UDP doesn't have an analogue to a FIN or RST, the rule doesn't go away when the conversation does. I'll get some metrics on it. Thanks again. -- "Well," Brahmā said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred." - The Mahābhārata
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAHu1Y72E9xH7Z0ZUK5dh44FekFeRyQbWDmUKG8PaVwRB4J=gWA>