Date:      Sun, 11 Apr 2021 14:32:05 -0700
From:      Matt Joras <matt.joras@gmail.com>
To:        Michael Sierchio <kudzu@tenebras.com>
Cc:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>, FreeBSD Net <freebsd-net@freebsd.org>
Subject:   Re: How to support QUIC with ipfw
Message-ID:  <CADdTf+hJz-ZWMMTvKBW+9xOWKRpE7h_k1sga5JVvTY6C_aSkGQ@mail.gmail.com>
In-Reply-To: <CAHu1Y72E9xH7Z0ZUK5dh44FekFeRyQbWDmUKG8PaVwRB4J=gWA@mail.gmail.com>
References:  <CAHu1Y73zGYPmsDu6YhzES0FHkZPpVdxL==h_zoRrjdDr9UTQVQ@mail.gmail.com> <CADdTf+gpB6D2pZKOtbs1Kqc0rSOztUR3rnjZCunYxzX-uocFYw@mail.gmail.com> <CAHu1Y72E9xH7Z0ZUK5dh44FekFeRyQbWDmUKG8PaVwRB4J=gWA@mail.gmail.com>

Hi Michael,

On Sun, Apr 11, 2021 at 2:27 PM Michael Sierchio <kudzu@tenebras.com> wrote:
>
> On Sun, Apr 11, 2021 at 2:20 PM Matt Joras <mjoras@freebsd.org> wrote:
>
> > Hi Michael,
> >
> > On Sun, Apr 11, 2021, 1:25 PM Michael Sierchio <kudzu@tenebras.com> wrote:
> >
> >> Hi, all.  I noticed my firewall was dropping what seemed to be unsolicited
> >> UDP connections from Google and Facebook, but this turned out to be QUIC
> >> traffic. The traffic can be initiated by the browser (or other supporting
> >> software) or the server.  The problem is that dynamic rules generally don't
> >> cut it – udp traffic here is predominantly NTP and DNS, and the dynamic
> >> rule lifetime for UDP is very short (3-6 s).  And of course they don't work
> >> at all for traffic initiated by the server side.
> >>
> >
> > QUIC connections aren't initiated by the server. The browser is initiating
> > these connections. I'm not an ipfw user, but the best generic firewall strategy
> > would be to have some sort of flow tracking for ~30s for UDP flows
> > associated with tuples originating on the client for remote port 443. 443
> > will cover the vast majority of Internet cases, as QUIC is only being used
> > at scale for HTTP/3.
> >
> >
> Hej, Matt. Thanks. That's a solution that occurred to me, but it means a
> ton of dynamic rules will get instantiated for ephemeral DNS lookups – 3
> seconds is a very long time for a conversation with a DNS server, because
> it has probably recursed from the root zone all the way to the A record in
> a fraction of that time.  30 seconds is forever – well, since UDP doesn't
> have an analogue to a FIN or RST, the rule doesn't go away when the
> conversation does.

Is it not possible to do the dynamic rule instantiation for select UDP
ports, i.e. 443? That may cause issues if DNS-over-HTTP/3 becomes a
thing, but at least for now it would exclude DNS.

>
> I'll get some metrics on it. Thanks again.
>
>
> --
>
> "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent person requires only two thousand five hundred."
>
> - The Mahābhārata

Matt Joras
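An ipfw fragment along the lines Matt suggests, added here as an example and not taken from the thread or from FreeBSD's own rc scripts: dynamic state (keep-state/check-state) only for client-initiated UDP/443, stateless rules for DNS and NTP so they never populate the dynamic table, and the UDP state lifetime raised via the `net.inet.ip.fw.dyn_udp_lifetime` sysctl. The rule numbers and the RESOLVER/NTP_SERVER addresses are placeholders to be merged into an existing ruleset.

```shell
#!/bin/sh
# Added example: stateful ipfw rules only for QUIC (UDP/443), as discussed
# above; DNS and NTP stay stateless so they create no dynamic rules.
# RESOLVER and NTP_SERVER are placeholder addresses, replace them with yours.
RESOLVER="${RESOLVER:-192.0.2.53}"
NTP_SERVER="${NTP_SERVER:-192.0.2.123}"
UDP_LIFETIME="${UDP_LIFETIME:-30}"   # seconds a UDP dynamic rule survives

# Emit the commands instead of running them, so they can be reviewed first
# (and so this script can be exercised on a host without ipfw).
quic_ruleset() {
    cat <<EOF
sysctl net.inet.ip.fw.dyn_udp_lifetime=${UDP_LIFETIME}
ipfw add 100 check-state
ipfw add 200 allow udp from me to any 443 out keep-state
ipfw add 300 allow udp from me to ${RESOLVER} 53 out
ipfw add 310 allow udp from ${RESOLVER} 53 to me in
ipfw add 320 allow udp from me to ${NTP_SERVER} 123 out
ipfw add 330 allow udp from ${NTP_SERVER} 123 to me in
ipfw add 900 deny log udp from any to me in
EOF
}

# Only the QUIC rule should create dynamic state; the lifetime sysctl applies
# to every UDP dynamic rule, which is why DNS/NTP are kept stateless above.
count_stateful_rules() {
    quic_ruleset | grep -c 'keep-state'
}

if [ "${APPLY:-0}" = "1" ]; then
    quic_ruleset | sh    # apply for real: run as root on the FreeBSD host
else
    quic_ruleset         # dry run: print the commands that would be applied
fi
```

Rule 900 logs any other unsolicited inbound UDP, so the drops Michael observed remain visible in the ipfw log rather than disappearing silently.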


