Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 11 Apr 2021 14:20:28 -0700
From:      Matt Joras <>
To:        Michael Sierchio <>
Cc:, FreeBSD Net <>
Subject:   Re: How to support QUIC with ipfw
Message-ID:  <>
In-Reply-To: <>
References:  <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Hi Michael,

On Sun, Apr 11, 2021, 1:25 PM Michael Sierchio <> wrote:

> Hi, all.  I noticed my firewall was dropping what seemed to be unsolicite=
> UDP connections from Google and Facebook, but this turned out to be QUIC
> traffic. The traffic can be initiated by the browser (or other supporting
> software) or the server.  The problem is that dynamic rules generally don=
> cut it =E2=80=93 udp traffic here is predominantly NTP and DNS, and the d=
> rule lifetime for UDP is very short (3-6 s).  And of course they don't wo=
> at all for traffic initiated by the server side.

QUIC connections aren't initiated by the server. The browser is initiating
these connections. I'm not an ipfw user, the best generic firewall strategy
would be to have some sort of flow tracking for ~30s for UDP flows
associated with tuples originating on the client for remote port 443. 443
will cover the vast majority of Internet cases, as QUIC is only being used
at scale for HTTP/3.

> My kludgy solution at present is to troll the dynamic rules, locate the T=
> connections in them with 443 and 5228 as the target port, and add those
> addresses to a table that permits UDP traffic from those ports.  I only s=
> QUIC on IPv6, by the way.  The cron job runs once per minute, adds the
> addresses seen, and deletes those older than N seconds.  I use time_t
> seconds since epoch as the table arg, so I know when it was added or
> refreshed.
> Any suggestions on a better solution?
> Thanks.
> =E2=80=93 M
> --
> "Well," Brahm=C4=81 said, "even after ten thousand explanations, a fool i=
s no
> wiser, but an intelligent person requires only two thousand five hundred.=
> - The Mah=C4=81bh=C4=81rata
> _______________________________________________
> mailing list
> To unsubscribe, send any mail to ""

Matt Joras


Want to link to this message? Use this URL: <>