From owner-freebsd-ipfw@freebsd.org Sun Apr 11 20:25:29 2021
From: Michael Sierchio
Date: Sun, 11 Apr 2021 13:24:49 -0700
Subject: How to support QUIC with ipfw
To: "freebsd-ipfw@freebsd.org", "freebsd-net@freebsd.org"
List-Id: IPFW Technical Discussions

Hi, all.

I noticed my firewall was dropping what seemed to be unsolicited UDP connections from Google and Facebook, but this turned out to be QUIC traffic. The traffic can be initiated by the browser (or other supporting software) or the server.

The problem is that dynamic rules generally don't cut it – UDP traffic here is predominantly NTP and DNS, and the dynamic rule lifetime for UDP is very short (3-6 s). And of course they don't work at all for traffic initiated by the server side.

My kludgy solution at present is to troll the dynamic rules, locate the TCP connections in them with 443 and 5228 as the target port, and add those addresses to a table that permits UDP traffic from those ports. I only see QUIC on IPv6, by the way.

The cron job runs once per minute, adds the addresses seen, and deletes those older than N seconds. I use time_t seconds since epoch as the table arg, so I know when it was added or refreshed.

Any suggestions on a better solution?

Thanks.

– M

-- 
"Well," Brahmā said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred." - The Mahābhārata
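The cron-job approach described in the post, written out as an added example (not the poster's own script): one function turns `ipfw -d list` output into `ipfw table add` commands for the far end of every TCP state to 443 or 5228, storing the current time_t as the table value; a second turns `ipfw table quic list` output into `delete` commands for entries older than N seconds. The table name `quic`, the sample addresses (2001:db8::/32 documentation prefix) and the sample command output are constructed for this example; it assumes an `addr`-type table and that `ipfw -q table ... add` updates the value of a key that already exists.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a table created once with:
#   ipfw table quic create type addr
# and an allow rule such as:
#   ipfw add allow udp from 'table(quic)' 443,5228 to me6 in
TABLE="quic"
PORTS="443 5228"

# stdin: `ipfw -d list` output; $1: current time_t.
# Dynamic-rule lines look like (constructed, format of ipfw -d list):
#   00200 12 4096 (296s) STATE tcp <src> <sport> <-> <dst> <dport> :default
# Emits one "table add" per distinct far-end address of a TCP state whose
# far-end port is in PORTS. -q is assumed to update an existing key's value.
quic_add_cmds() {
    awk -v now="$1" -v table="$TABLE" -v ports="$PORTS" '
        BEGIN { split(ports, p, " "); for (i in p) want[p[i]] = 1 }
        {
            for (i = 1; i <= NF; i++) if ($i == "<->") break
            if (i > NF || i <= 3) next          # not a dynamic-rule line
            proto = $(i-3); dst = $(i+1); dport = $(i+2)
            if (proto == "tcp" && (dport in want) && !(seen[dst]++))
                printf "ipfw -q table %s add %s %s\n", table, dst, now
        }'
}

# stdin: `ipfw table quic list` output ("<addr>/<len> <time_t>" per line);
# $1: current time_t; $2: max age in seconds. Emits a delete per stale entry.
quic_expire_cmds() {
    awk -v now="$1" -v maxage="$2" -v table="$TABLE" '
        NF == 2 && $2 ~ /^[0-9]+$/ && now - $2 > maxage {
            sub(/\/128$|\/32$/, "", $1)         # strip prefix length from key
            printf "ipfw table %s delete %s\n", table, $1
        }'
}

# Constructed sample inputs (documentation addresses, not captured from a host).
SAMPLE_DYN='## Dynamic rules (3 1024):
00200 12 4096 (296s) STATE tcp 2001:db8::10 51234 <-> 2001:db8:1::443 443 :default
00200 3 900 (250s) STATE tcp 2001:db8::10 51240 <-> 2001:db8:2::5228 5228 :default
00300 2 180 (4s) STATE udp 2001:db8::10 49152 <-> 2001:db8:53::53 53 :default'
SAMPLE_TABLE='2001:db8:1::443/128 1618172725
2001:db8:2::5228/128 1618170000'

# Offline demo; the once-a-minute cron job would be the two pipelines
#   ipfw -d list | quic_add_cmds "$(date +%s)" | sh
#   ipfw table quic list | quic_expire_cmds "$(date +%s)" 300 | sh
printf '%s\n' "$SAMPLE_DYN"   | quic_add_cmds 1618172725
printf '%s\n' "$SAMPLE_TABLE" | quic_expire_cmds 1618172725 300
```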