Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 11 Apr 2021 13:24:49 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>,  "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   How to support QUIC with ipfw
Message-ID:  <CAHu1Y73zGYPmsDu6YhzES0FHkZPpVdxL==h_zoRrjdDr9UTQVQ@mail.gmail.com>

Next in thread | Raw E-Mail | Index | Archive | Help
Hi, all.  I noticed my firewall was dropping what seemed to be unsolicited
UDP connections from Google and Facebook, but this turned out to be QUIC
traffic. The traffic can be initiated by the browser (or other supporting
software) or the server.  The problem is that dynamic rules generally don't
cut it =E2=80=93 udp traffic here is predominantly NTP and DNS, and the dyn=
amic
rule lifetime for UDP is very short (3-6 s).  And of course they don't work
at all for traffic initiated by the server side.

My kludgy solution at present is to troll the dynamic rules, locate the TCP
connections in them with 443 and 5228 as the target port, and add those
addresses to a table that permits UDP traffic from those ports.  I only see
QUIC on IPv6, by the way.  The cron job runs once per minute, adds the
addresses seen, and deletes those older than N seconds.  I use time_t
seconds since epoch as the table arg, so I know when it was added or
refreshed.

Any suggestions on a better solution?

Thanks.

=E2=80=93 M

--=20

"Well," Brahm=C4=81 said, "even after ten thousand explanations, a fool is =
no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mah=C4=81bh=C4=81rata



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?CAHu1Y73zGYPmsDu6YhzES0FHkZPpVdxL==h_zoRrjdDr9UTQVQ>