Date:      Sun, 11 Apr 2021 14:26:57 -0700
From:      Michael Sierchio <>
To:        "" <>, FreeBSD Net <>
Subject:   Re: How to support QUIC with ipfw
Message-ID:  <>
In-Reply-To: <>
References:  <> <>

On Sun, Apr 11, 2021 at 2:20 PM Matt Joras <> wrote:

> Hi Michael,
> On Sun, Apr 11, 2021, 1:25 PM Michael Sierchio <> wrote:
>> Hi, all.  I noticed my firewall was dropping what seemed to be unsolicited
>> UDP connections from Google and Facebook, but this turned out to be QUIC
>> traffic. The traffic can be initiated by the browser (or other supporting
>> software) or the server.  The problem is that dynamic rules generally don't
>> cut it – udp traffic here is predominantly NTP and DNS, and the
>> rule lifetime for UDP is very short (3-6 s).  And of course they don't work
>> at all for traffic initiated by the server side.
> QUIC connections aren't initiated by the server. The browser is initiating
> these connections. I'm not an ipfw user, but the best generic firewall strategy
> would be to have some sort of flow tracking for ~30s for UDP flows
> associated with tuples originating on the client for remote port 443. 443
> will cover the vast majority of Internet cases, as QUIC is only being used
> at scale for HTTP/3.
Hej, Matt. Thanks. That's a solution that occurred to me, but it means a
ton of dynamic rules will get instantiated for ephemeral DNS lookups – 3
seconds is a very long time for a conversation with a DNS server, because
it has probably recursed from the root zone all the way to the A record in
a fraction of that time.  30 seconds is forever – well, since UDP doesn't
have an analogue to a FIN or RST, the rule doesn't go away when the
conversation does.

I'll get some metrics on it. Thanks again.


"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
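The flow-tracking policy Matt suggests, and the state-lifetime concern in the reply above, modelled as an added example (not code from the thread or from ipfw, which has no per-rule UDP lifetime): state is kept only for client-originated UDP flows, 30 s idle for remote port 443 and a short lifetime for everything else. The hosts, ports, timings and the 6 s "other UDP" lifetime are constructed for illustration.

```python
"""Model of the UDP flow-tracking policy discussed above (added example, not
code from the thread or from ipfw): keep state only for client-originated UDP
flows, 30 s idle for remote port 443, a short lifetime for everything else."""
from dataclasses import dataclass

QUIC_IDLE = 30.0   # seconds; Matt's suggestion for client->443 flows
OTHER_IDLE = 6.0   # top of the 3-6 s UDP lifetime Michael quotes for ipfw

@dataclass(frozen=True)
class Pkt:
    t: float        # arrival time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool  # True when the packet leaves the protected network

class UdpStateTable:
    def __init__(self):
        self.flows = {}  # (client, cport, server, sport) -> expiry time
    def _expire(self, now):
        self.flows = {k: e for k, e in self.flows.items() if e > now}
    def allow(self, p):
        self._expire(p.t)
        if p.outbound:
            # Client-originated: install or refresh dynamic state.
            idle = QUIC_IDLE if p.dport == 443 else OTHER_IDLE
            self.flows[(p.src, p.sport, p.dst, p.dport)] = p.t + idle
            return True
        key = (p.dst, p.dport, p.src, p.sport)  # reverse of the flow key
        if key not in self.flows:
            return False  # no client-originated flow: dropped as unsolicited
        self.flows[key] = p.t + (QUIC_IDLE if p.sport == 443 else OTHER_IDLE)
        return True
    def active(self):
        return len(self.flows)

def scenario():
    # Constructed traffic: one DNS lookup, one QUIC connection, one stray probe.
    c, dns, web, other = "192.0.2.10", "10.0.0.1", "203.0.113.5", "198.51.100.7"
    pkts = [Pkt(0.0, c, 5000, dns, 53, True),       # DNS query
            Pkt(0.1, dns, 53, c, 5000, False),      # answer matches state
            Pkt(1.0, c, 40000, web, 443, True),     # QUIC Initial from browser
            Pkt(2.0, other, 443, c, 40001, False),  # inbound, no matching flow
            Pkt(20.0, web, 443, c, 40000, False),   # QUIC reply 19 s later
            Pkt(20.5, dns, 53, c, 5000, False)]     # DNS state expired at 6.1 s
    table = UdpStateTable()
    return [table.allow(p) for p in pkts], table.active()
```

The last packet shows the trade-off: with the short lifetime a late DNS reply is dropped, while giving DNS the 30 s lifetime instead would keep every ephemeral lookup in the table long after the exchange ended.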
