From owner-freebsd-ipfw@freebsd.org Sun Apr 11 20:25:29 2021
From: Michael Sierchio
Date: Sun, 11 Apr 2021 13:24:49 -0700
Subject: How to support QUIC with ipfw
To: "freebsd-ipfw@freebsd.org", "freebsd-net@freebsd.org"
List-Id: IPFW Technical Discussions

Hi, all. I noticed my firewall was dropping what seemed to be unsolicited UDP connections from Google and Facebook, but this turned out to be QUIC traffic. The traffic can be initiated by the browser (or other supporting software) or the server. The problem is that dynamic rules generally don't cut it – UDP traffic here is predominantly NTP and DNS, and the dynamic rule lifetime for UDP is very short (3-6 s). And of course they don't work at all for traffic initiated by the server side.

My kludgy solution at present is to troll the dynamic rules, locate the TCP connections in them with 443 and 5228 as the target port, and add those addresses to a table that permits UDP traffic from those ports. I only see QUIC on IPv6, by the way. The cron job runs once per minute, adds the addresses seen, and deletes those older than N seconds. I use time_t seconds since epoch as the table arg, so I know when it was added or refreshed.

Any suggestions on a better solution?

Thanks.

– M

--
"Well," Brahmā said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred."
- The Mahābhārata

From owner-freebsd-ipfw@freebsd.org Sun Apr 11 21:00:30 2021
From: bugzilla-noreply@FreeBSD.org
To: ipfw@FreeBSD.org
Subject: Problem reports for ipfw@FreeBSD.org that need special attention
Date: Sun, 11 Apr 2021 21:00:29 +0000
Message-Id: <202104112100.13BL0Tbp057408@kenobi.freebsd.org>

To view an individual PR, use: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users, which need special attention. These represent problem reports covering all versions including experimental development code and obsolete releases.

Status      | Bug Id    | Description
------------+-----------+---------------------------------------------------
New         | 215875    | [ipfw] ipfw lookup tables do not support mbuf_tag
New         | 232764    | [ipfw] share/examples/ipfw/change_rules.sh: Suppo

2 problems total for which you should take action.
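The cron job Michael describes in his first message above, written out as an added example (not his own script): it reads `ipfw -d list`, picks the TCP states whose remote port is 443 or 5228, stores each peer address in a lookup table with the current epoch as the value, and deletes entries older than MAX_AGE seconds. The table name, the rule that consumes the table, the use of `-q` so that adding an existing key updates its value, and the two output formats parsed are assumptions about FreeBSD 12/13 ipfw; the sample data is constructed from documentation prefixes.

```shell
#!/bin/sh
# Constructed example of the table-refresh cron job; not Michael's own script.
# Assumed output formats (FreeBSD 12/13):
#   ipfw -d list       -> "<rule> <pkts> <bytes> (<ttl>s) STATE tcp <src> <sport> <-> <dst> <dport> :<name>"
#   ipfw table X list  -> "<addr>/<prefix> <value>"
TABLE=${TABLE:-quic}
PORTS="443 5228"
MAX_AGE=${MAX_AGE:-600}
IPFW=${IPFW:-ipfw}      # set IPFW="echo ipfw" for a dry run

# Print the unique peer addresses of dynamic TCP states whose remote port is
# in $PORTS. Reads `ipfw -d list` output on stdin; static rules, the
# "## Dynamic rules" banner and non-TCP states never contain " STATE tcp ".
extract_peers() {
    awk -v ports="$PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        / STATE tcp / {
            for (i = 1; i < NF; i++)
                if ($i == "<->" && want[$(i + 2)]) print $(i + 1)
        }' | sort -u
}

# Print the table keys whose stored epoch is more than MAX_AGE seconds before
# the time given as $1. Reads `ipfw table $TABLE list` output on stdin.
expired_entries() {
    awk -v now="$1" -v max="$MAX_AGE" 'NF >= 2 && now - $2 > max { print $1 }'
}

# One cron run: make sure the table exists, refresh every peer seen now,
# then drop the stale ones. The rule that uses the table is added once,
# outside this script, e.g.:
#   ipfw add allow udp from 'table(quic)' 443,5228 to any in
refresh() {
    now=$(date +%s)
    $IPFW table "$TABLE" create type addr 2>/dev/null || true
    $IPFW -d list | extract_peers | while read -r addr; do
        # with -q, adding an existing key updates its value (assumed), so the
        # stored epoch is refreshed while the TCP session is still present
        $IPFW -q table "$TABLE" add "$addr" "$now"
    done
    $IPFW table "$TABLE" list | expired_entries "$now" | while read -r key; do
        $IPFW -q table "$TABLE" delete "$key"
    done
}

# Constructed sample input so the two parsers can be exercised without ipfw.
SAMPLE_DYN='00100 allow ip from any to any via lo0
## Dynamic rules (5 5):
00500 12 3400 (299s) STATE tcp 2001:db8:1::10 51234 <-> 2001:db8:aa::1 443 :default
00500 4 500 (280s) STATE tcp 2001:db8:1::10 51240 <-> 2001:db8:aa::1 443 :default
00500 7 900 (250s) STATE tcp 2001:db8:1::10 51300 <-> 2001:db8:bb::2 5228 :default
00500 2 160 (3s) STATE udp 2001:db8:1::10 41000 <-> 2001:db8:53::1 53 :default
00500 30 4000 (200s) STATE tcp 2001:db8:1::10 51400 <-> 2001:db8:99::80 80 :default'

SAMPLE_TABLE='2001:db8:aa::1/128 1618172725
2001:db8:bb::2/128 1618172000
2001:db8:cc::3/128 1618171000'

# A real cron entry would call this script with the argument "run" every minute.
if [ "${1:-}" = "run" ]; then
    refresh
fi
```

Running `printf '%s\n' "$SAMPLE_DYN" | extract_peers` yields only the two peers on ports 443 and 5228; the UDP state and the port-80 state are ignored.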
From owner-freebsd-ipfw@freebsd.org Sun Apr 11 21:20:41 2021
From: Matt Joras
Date: Sun, 11 Apr 2021 14:20:28 -0700
Subject: Re: How to support QUIC with ipfw
To: Michael Sierchio
Cc: freebsd-ipfw@freebsd.org, FreeBSD Net

Hi Michael,

On Sun, Apr 11, 2021, 1:25 PM Michael Sierchio wrote:

> Hi, all. I noticed my firewall was dropping what seemed to be unsolicited
> UDP connections from Google and Facebook, but this turned out to be QUIC
> traffic. The traffic can be initiated by the browser (or other supporting
> software) or the server. The problem is that dynamic rules generally don't
> cut it – UDP traffic here is predominantly NTP and DNS, and the dynamic
> rule lifetime for UDP is very short (3-6 s). And of course they don't work
> at all for traffic initiated by the server side.
>

QUIC connections aren't initiated by the server. The browser is initiating these connections. I'm not an ipfw user; the best generic firewall strategy would be to have some sort of flow tracking for ~30s for UDP flows associated with tuples originating on the client for remote port 443. 443 will cover the vast majority of Internet cases, as QUIC is only being used at scale for HTTP/3.

> My kludgy solution at present is to troll the dynamic rules, locate the TCP
> connections in them with 443 and 5228 as the target port, and add those
> addresses to a table that permits UDP traffic from those ports. I only see
> QUIC on IPv6, by the way. The cron job runs once per minute, adds the
> addresses seen, and deletes those older than N seconds. I use time_t
> seconds since epoch as the table arg, so I know when it was added or
> refreshed.
>
> Any suggestions on a better solution?
>
> Thanks.
>
> – M
>
> --
>
> "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent person requires only two thousand five hundred."
>
> - The Mahābhārata
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

Matt Joras

From owner-freebsd-ipfw@freebsd.org Sun Apr 11 21:27:36 2021
From: Michael Sierchio
Date: Sun, 11 Apr 2021 14:26:57 -0700
Subject: Re: How to support QUIC with ipfw
To: "freebsd-ipfw@freebsd.org", FreeBSD Net

On Sun, Apr 11, 2021 at 2:20 PM Matt Joras wrote:

> Hi Michael,
>
> On Sun, Apr 11, 2021, 1:25 PM Michael Sierchio wrote:
>
>> Hi, all. I noticed my firewall was dropping what seemed to be unsolicited
>> UDP connections from Google and Facebook, but this turned out to be QUIC
>> traffic. The traffic can be initiated by the browser (or other supporting
>> software) or the server. The problem is that dynamic rules generally don't
>> cut it – UDP traffic here is predominantly NTP and DNS, and the dynamic
>> rule lifetime for UDP is very short (3-6 s). And of course they don't work
>> at all for traffic initiated by the server side.
>>
>
> QUIC connections aren't initiated by the server. The browser is initiating
> these connections. I'm not an ipfw user; the best generic firewall strategy
> would be to have some sort of flow tracking for ~30s for UDP flows
> associated with tuples originating on the client for remote port 443. 443
> will cover the vast majority of Internet cases, as QUIC is only being used
> at scale for HTTP/3.
>

Hej, Matt. Thanks. That's a solution that occurred to me, but it means a ton of dynamic rules will get instantiated for ephemeral DNS lookups – 3 seconds is a very long time for a conversation with a DNS server, because it has probably recursed from the root zone all the way to the A record in a fraction of that time. 30 seconds is forever – well, since UDP doesn't have an analogue to a FIN or RST, the rule doesn't go away when the conversation does.

I'll get some metrics on it. Thanks again.

--
"Well," Brahmā said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata

From owner-freebsd-ipfw@freebsd.org Sun Apr 11 21:44:11 2021
From: Michael Sierchio
Date: Sun, 11 Apr 2021 14:43:32 -0700
Subject: Re: How to support QUIC with ipfw
To: Matt Joras
Cc: "freebsd-ipfw@freebsd.org", FreeBSD Net

Sadly, no. That would be a great feature. The sysctl setting for dynamic rule lifetime is for all UDP. But since the firewall itself is responsible for most of the DNS and NTP traffic, I can write non-stateful rules for that. The recursive resolver on that port won't respond to outside queries for DNS, and NTP ignores commands from strangers.

On Sun, Apr 11, 2021 at 2:32 PM Matt Joras wrote:

> Hi Michael,
>
> On Sun, Apr 11, 2021 at 2:27 PM Michael Sierchio wrote:
> >
> > On Sun, Apr 11, 2021 at 2:20 PM Matt Joras wrote:
> >
> > > Hi Michael,
> > >
> > > On Sun, Apr 11, 2021, 1:25 PM Michael Sierchio wrote:
> > >
> > >> Hi, all. I noticed my firewall was dropping what seemed to be unsolicited
> > >> UDP connections from Google and Facebook, but this turned out to be QUIC
> > >> traffic. The traffic can be initiated by the browser (or other supporting
> > >> software) or the server. The problem is that dynamic rules generally don't
> > >> cut it – UDP traffic here is predominantly NTP and DNS, and the dynamic
> > >> rule lifetime for UDP is very short (3-6 s). And of course they don't work
> > >> at all for traffic initiated by the server side.
> > >>
> > >
> > > QUIC connections aren't initiated by the server. The browser is initiating
> > > these connections. I'm not an ipfw user; the best generic firewall strategy
> > > would be to have some sort of flow tracking for ~30s for UDP flows
> > > associated with tuples originating on the client for remote port 443. 443
> > > will cover the vast majority of Internet cases, as QUIC is only being used
> > > at scale for HTTP/3.
> > >
> >
> > Hej, Matt. Thanks. That's a solution that occurred to me, but it means a
> > ton of dynamic rules will get instantiated for ephemeral DNS lookups – 3
> > seconds is a very long time for a conversation with a DNS server, because
> > it has probably recursed from the root zone all the way to the A record in
> > a fraction of that time. 30 seconds is forever – well, since UDP doesn't
> > have an analogue to a FIN or RST, the rule doesn't go away when the
> > conversation does.
>
> Is it not possible to do the dynamic rule instantiation for select UDP
> ports, i.e. 443? That may cause issues if DNS-over-HTTP/3 becomes a
> thing, but at least for now it would exclude DNS.
>
> >
> > I'll get some metrics on it. Thanks again.
> >
> > --
> >
> > "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> > wiser, but an intelligent person requires only two thousand five hundred."
> >
> > - The Mahābhārata
>
> Matt Joras

--
"Well," Brahmā said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata

From owner-freebsd-ipfw@freebsd.org Sun Apr 11 21:32:19 2021
bh=MFJPKSDW2/V++hqHVHjW6rR0gdgkMCnvVE78Rp1k5fU=; b=FSQqsIWEeDc6kNgmM/BW542Y/QmGsHA8RfCF6pMGjswmamxmzKVa6upOqvG7vguqw9 xGzq/XcToXg9QSKkzwm9io6R8WADwV/e9HWB7n9bpM9d8pujn28xx8xLuxULumsT7mH8 8lcSC2l4PdfUh1b4z+kRn5/IPzmgNwHYiDkxY3Weuta11kPo/ddYYtO3svenDj6CPDaQ SRJjzM4HPDCpy1S2xS3KFqpmDOF9VuSXWr8U4WjH7fz9+gO8QWCgqm5I7Sx2Wk/Nnj+G baw7o8ZqIkXvhzPVjF4I6BV6Z8jnjTJqE3475cOO/6g5e3YTqXKsk0o07zKNjPpKCd3Z tw2w== X-Gm-Message-State: AOAM531Qq643FlYI77U7EgyJ4cYN7YybGgdp38g4IJT3+9KEIQ+ftuW6 lo7Sl6qXKwvpfV80QLqsdmvSyg/8Nqc7H1YSHdA= X-Google-Smtp-Source: ABdhPJx6KxWBBXWVDQ76ZHSUcV5JODB8Xi42nSMCeu0aoaqFy4NwZukF0A49/kFvyMyz/va520p4jtNSMnpczL3jEbo= X-Received: by 2002:a2e:a361:: with SMTP id i1mr2526238ljn.201.1618176735819; Sun, 11 Apr 2021 14:32:15 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Matt Joras Date: Sun, 11 Apr 2021 14:32:05 -0700 Message-ID: Subject: Re: How to support QUIC with ipfw To: Michael Sierchio Cc: "freebsd-ipfw@freebsd.org" , FreeBSD Net Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 4FJQ7Q0V9lz4dqW X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=LFOD3N/l; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of mattjoras@gmail.com designates 2a00:1450:4864:20::22e as permitted sender) smtp.mailfrom=mattjoras@gmail.com X-Spamd-Result: default: False [-1.97 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[]; TO_DN_SOME(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; R_SPF_ALLOW(-0.20)[+ip6:2a00:1450:4000::/36]; DKIM_TRACE(0.00)[gmail.com:+]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; NEURAL_HAM_SHORT(-0.97)[-0.971]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RBL_DBL_DONT_QUERY_IPS(0.00)[2a00:1450:4864:20::22e:from]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US]; TAGGED_FROM(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; 
R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; MIME_GOOD(-0.10)[text/plain]; SPAMHAUS_ZRD(0.00)[2a00:1450:4864:20::22e:from:127.0.2.255]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_SPAM_LONG(1.00)[1.000]; RCVD_IN_DNSWL_NONE(0.00)[2a00:1450:4864:20::22e:from]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; MAILMAN_DEST(0.00)[freebsd-ipfw,freebsd-net] X-Mailman-Approved-At: Mon, 12 Apr 2021 05:37:27 +0000 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Apr 2021 21:32:19 -0000 Hi Michael, On Sun, Apr 11, 2021 at 2:27 PM Michael Sierchio wrote= : > > On Sun, Apr 11, 2021 at 2:20 PM Matt Joras wrote: > > > Hi Michael, > > > > On Sun, Apr 11, 2021, 1:25 PM Michael Sierchio wro= te: > > > >> Hi, all. I noticed my firewall was dropping what seemed to be unsolic= ited > >> UDP connections from Google and Facebook, but this turned out to be QU= IC > >> traffic. The traffic can be initiated by the browser (or other support= ing > >> software) or the server. The problem is that dynamic rules generally > >> don't > >> cut it =E2=80=93 udp traffic here is predominantly NTP and DNS, and th= e dynamic > >> rule lifetime for UDP is very short (3-6 s). And of course they don't > >> work > >> at all for traffic initiated by the server side. > >> > > > > QUIC connections aren't initiated by the server. The browser is initiat= ing > > these connections. I'm not an ipfw user, the best generic firewall stra= tegy > > would be to have some sort of flow tracking for ~30s for UDP flows > > associated with tuples originating on the client for remote port 443. 4= 43 > > will cover the vast majority of Internet cases, as QUIC is only being u= sed > > at scale for HTTP/3. > > > > > Hej, Matt. Thanks. 
That's a solution that occurred to me, but it means a > ton of dynamic rules will get instantiated for ephemeral DNS lookups =E2= =80=93 3 > seconds is a very long time for a conversation with a DNS server, because > it has probably recursed from the root zone all the way to the A record i= n > a fraction of that time. 30 seconds is forever =E2=80=93 well, since UDP= doesn't > have an analogue to a FIN or RST, the rule doesn't go away when the > conversation does. Is it not possible to do the dynamic rule instantiation for select UDP ports, i.e. 443? That may cause issues if DNS-over-HTTP/3 becomes a thing, but at least for now it would exclude DNS. > > I'll get some metrics on it. Thanks again. > > > -- > > "Well," Brahm=C4=81 said, "even after ten thousand explanations, a fool i= s no > wiser, but an intelligent person requires only two thousand five hundred.= " > > - The Mah=C4=81bh=C4=81rata Matt Joras From owner-freebsd-ipfw@freebsd.org Mon Apr 12 07:33:56 2021 Return-Path: Delivered-To: freebsd-ipfw@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id EAC7F5ECB8C for ; Mon, 12 Apr 2021 07:33:56 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mailman.nyi.freebsd.org (unknown [127.0.1.3]) by mx1.freebsd.org (Postfix) with ESMTP id 4FJgTc68Nwz3PJ0 for ; Mon, 12 Apr 2021 07:33:56 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: by mailman.nyi.freebsd.org (Postfix) id D31B45ECA30; Mon, 12 Apr 2021 07:33:56 +0000 (UTC) Delivered-To: ipfw@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id D2E4F5ECAC9 for ; Mon, 12 Apr 2021 07:33:56 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher 
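As an added example (not from the thread or from the ipfw project), the following sh fragment implements Matt's suggestion in ipfw(8) terms: dynamic state is kept only for client-initiated UDP/443, and DNS/NTP are passed by stateless rules restricted to known servers, so lookups never occupy the dynamic table and the global UDP state lifetime can safely be raised. The interface name, server addresses, rule numbers and the 30 s value are assumed placeholders, and the `:flowname` state syntax assumes a FreeBSD 12 ipfw.

```shell
#!/bin/sh
# Added example, not from the thread: keep ipfw dynamic state only for
# client-initiated UDP/443 (QUIC / HTTP/3); DNS and NTP stay stateless.
# Interface, server addresses and rule numbers are assumed placeholders.

EXT_IF="${EXT_IF:-em0}"                    # assumed external interface
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53}"   # assumed resolver (TEST-NET address)
NTP_SERVERS="${NTP_SERVERS:-192.0.2.123}"  # assumed NTP server (TEST-NET address)
UDP_LIFETIME="${UDP_LIFETIME:-30}"         # seconds; ~30 s as suggested upthread

# Print the ruleset; on the firewall it is fed to `ipfw -q /dev/stdin`.
quic_ruleset() {
    cat <<EOF
# DNS and NTP: stateless in both directions, so no dynamic entry is created.
add 1000 allow udp from me to ${DNS_SERVERS} 53 out via ${EXT_IF}
add 1010 allow udp from ${DNS_SERVERS} 53 to me in via ${EXT_IF}
add 1020 allow udp from me to ${NTP_SERVERS} 123 out via ${EXT_IF}
add 1030 allow udp from ${NTP_SERVERS} 123 to me in via ${EXT_IF}
# QUIC: match replies against the dynamic table first ...
add 1100 check-state :quic
# ... and create a state only for UDP/443 flows the client initiated.
add 1110 allow udp from me to any 443 out via ${EXT_IF} keep-state :quic
# Anything else arriving unsolicited over UDP is dropped and logged.
add 1200 deny log udp from any to me in via ${EXT_IF}
EOF
}

# Number of rules that create dynamic state (expected: exactly one, the QUIC rule).
stateful_rule_count() {
    quic_ruleset | grep -c 'keep-state'
}

# ipfw has no per-rule timeout; the UDP state lifetime is one global sysctl,
# so raising it is only reasonable once DNS/NTP no longer create states.
udp_lifetime_sysctl() {
    printf 'net.inet.ip.fw.dyn_udp_lifetime=%s\n' "${UDP_LIFETIME}"
}

# Apply only when run as root on a host that has ipfw; otherwise just print.
if [ "$(id -u)" -eq 0 ] && command -v ipfw >/dev/null 2>&1; then
    sysctl "$(udp_lifetime_sysctl)"
    quic_ruleset | ipfw -q /dev/stdin
else
    udp_lifetime_sysctl
    quic_ruleset
fi
```

The inbound DNS/NTP rules are deliberately bound to named servers rather than `any`, since a stateless allow keyed only on source port 53 or 123 would admit any packet that spoofs that source port.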
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 254896] ipfw do not matches "proto ipv6" but "proto ip6" works
Date: Mon, 12 Apr 2021 07:33:57 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 12.1-RELEASE
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Changed-Fields: assigned_to

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254896

Mark Linimon changed:

           What    |Removed          |Added
----------------------------------------------------------------------------
        Assignee|bugs@FreeBSD.org |ipfw@FreeBSD.org

--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-ipfw@freebsd.org Mon Apr 12 10:50:10 2021
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 254896] ipfw do not matches "proto ipv6" but "proto ip6" works
Date: Mon, 12 Apr 2021 10:50:10 +0000
X-Bugzilla-Who: ae@FreeBSD.org
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: Not A Bug
X-Bugzilla-Changed-Fields: resolution bug_status cc

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254896

Andrey V. Elsukov changed:

           What    |Removed |Added
----------------------------------------------------------------------------
      Resolution|---     |Not A Bug
          Status|New     |Closed
              CC|        |ae@FreeBSD.org

--- Comment #2 from Andrey V. Elsukov ---
(In reply to Bob Bishop from comment #1)

Indeed, `ip6` is the reserved keyword; it matches all upper-level protocols that
are used within IPv6. `proto ipv6` is protocol 41, meaning an IPv6 datagram
encapsulated inside.