Date: Sun, 11 Apr 2021 14:26:57 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>, FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: How to support QUIC with ipfw
Message-ID: <CAHu1Y72E9xH7Z0ZUK5dh44FekFeRyQbWDmUKG8PaVwRB4J=gWA@mail.gmail.com>
In-Reply-To: <CADdTf+gpB6D2pZKOtbs1Kqc0rSOztUR3rnjZCunYxzX-uocFYw@mail.gmail.com>
References: <CAHu1Y73zGYPmsDu6YhzES0FHkZPpVdxL==h_zoRrjdDr9UTQVQ@mail.gmail.com> <CADdTf+gpB6D2pZKOtbs1Kqc0rSOztUR3rnjZCunYxzX-uocFYw@mail.gmail.com>
On Sun, Apr 11, 2021 at 2:20 PM Matt Joras <mjoras@freebsd.org> wrote:

> Hi Michael,
>
> On Sun, Apr 11, 2021, 1:25 PM Michael Sierchio <kudzu@tenebras.com> wrote:
>
>> Hi, all. I noticed my firewall was dropping what seemed to be unsolicited
>> UDP connections from Google and Facebook, but this turned out to be QUIC
>> traffic. The traffic can be initiated by the browser (or other supporting
>> software) or the server. The problem is that dynamic rules generally don't
>> cut it – udp traffic here is predominantly NTP and DNS, and the dynamic
>> rule lifetime for UDP is very short (3-6 s). And of course they don't work
>> at all for traffic initiated by the server side.
>
> QUIC connections aren't initiated by the server. The browser is initiating
> these connections. I'm not an ipfw user, the best generic firewall strategy
> would be to have some sort of flow tracking for ~30s for UDP flows
> associated with tuples originating on the client for remote port 443. 443
> will cover the vast majority of Internet cases, as QUIC is only being used
> at scale for HTTP/3.

Hej, Matt. Thanks. That's a solution that occurred to me, but it means a ton
of dynamic rules will get instantiated for ephemeral DNS lookups – 3 seconds
is a very long time for a conversation with a DNS server, because it has
probably recursed from the root zone all the way to the A record in a
fraction of that time. 30 seconds is forever – well, since UDP doesn't have
an analogue to a FIN or RST, the rule doesn't go away when the conversation
does. I'll get some metrics on it. Thanks again.

-- 
"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."
- The Mahābhārata
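The following ruleset is an added example (neither poster's configuration, nor FreeBSD project code) of one way to get Matt's ~30 s flow tracking for client-initiated UDP/443 without instantiating a dynamic rule per DNS or NTP exchange: DNS and NTP are allowed statelessly to explicitly listed servers, so only the QUIC rule ever creates state, and the global UDP state lifetime can then be raised without affecting them. The interface name (em0), the resolver and NTP addresses (RFC 5737 documentation range) and the rule numbers are assumptions; the `net.inet.ip.fw.dyn_udp_lifetime` sysctl and `keep-state`/`check-state` keywords are ipfw's own.

```shell
#!/bin/sh
# Added example: stateless DNS/NTP plus stateful client-initiated QUIC.
set -eu

fwcmd=${FWCMD:-/sbin/ipfw}
ext=${EXT_IF:-em0}                                  # assumed external interface
resolvers=${RESOLVERS:-"192.0.2.53,192.0.2.54"}     # assumed upstream resolvers
ntp=${NTP_SERVERS:-"192.0.2.123"}                   # assumed NTP server

# emit_rules prints one ipfw command per line (without the "ipfw" prefix).
emit_rules() {
    # Dynamic state is consulted first; only rule 400 ever creates any.
    echo "add 100 check-state"
    # DNS to known resolvers: stateless in both directions, so no dynamic
    # rule is created and the UDP state lifetime never matters for it.
    echo "add 200 allow udp from me to $resolvers 53 out via $ext"
    echo "add 210 allow udp from $resolvers 53 to me in via $ext"
    # NTP: same treatment.
    echo "add 300 allow udp from me to $ntp 123 out via $ext"
    echo "add 310 allow udp from $ntp 123 to me in via $ext"
    # QUIC (HTTP/3): outbound UDP to remote port 443 creates a dynamic rule;
    # the server's replies then match it at the check-state in rule 100.
    echo "add 400 allow udp from me to any 443 out via $ext keep-state"
    # Remaining inbound UDP is dropped and logged; packets seen here include
    # late server replies arriving after their state entry expired.
    echo "add 500 deny log udp from any to any in via $ext"
}

# apply_rules installs the ruleset on a FreeBSD host (requires root).
apply_rules() {
    # ~30 s of UDP flow tracking, as suggested in the thread. This sysctl is
    # global, but only rule 400 creates UDP state, so DNS/NTP are unaffected.
    sysctl net.inet.ip.fw.dyn_udp_lifetime=30
    # Replace only the rule numbers managed here; do not flush everything.
    "$fwcmd" -q delete 100 200 210 300 310 400 500 2>/dev/null || true
    emit_rules | while IFS= read -r rule; do
        # word splitting of $rule into ipfw arguments is intended
        "$fwcmd" -q $rule
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *) emit_rules ;;        # default: print the ruleset for review
esac
```

Running the script without arguments prints the rules for review; `apply` installs them. Watch `ipfw -d list` after a QUIC session to confirm only UDP/443 entries appear in the dynamic table.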