How to support QUIC with ipfw

Michael Sierchio kudzu at tenebras.com
Sun Apr 11 21:44:11 UTC 2021


Sadly, no.  That would be a great feature.  The sysctl setting for
dynamic rule lifetime is for all UDP.

But since the firewall itself is responsible for most of the
DNS and NTP traffic, I can write non-stateful rules for that.  The
recursive resolver on that port won't respond to outside queries for
DNS, and NTP ignores commands from strangers.



On Sun, Apr 11, 2021 at 2:32 PM Matt Joras <matt.joras at gmail.com> wrote:

> Hi Michael,
>
> On Sun, Apr 11, 2021 at 2:27 PM Michael Sierchio <kudzu at tenebras.com> wrote:
> >
> > On Sun, Apr 11, 2021 at 2:20 PM Matt Joras <mjoras at freebsd.org> wrote:
> >
> > > Hi Michael,
> > >
> > > On Sun, Apr 11, 2021, 1:25 PM Michael Sierchio <kudzu at tenebras.com> wrote:
> > >
> > > > Hi, all.  I noticed my firewall was dropping what seemed to be unsolicited
> > > > UDP connections from Google and Facebook, but this turned out to be QUIC
> > > > traffic. The traffic can be initiated by the browser (or other supporting
> > > > software) or the server.  The problem is that dynamic rules generally don't
> > > > cut it – udp traffic here is predominantly NTP and DNS, and the dynamic
> > > > rule lifetime for UDP is very short (3-6 s).  And of course they don't work
> > > > at all for traffic initiated by the server side.
> > >
> > > QUIC connections aren't initiated by the server. The browser is initiating
> > > these connections. I'm not an ipfw user, the best generic firewall strategy
> > > would be to have some sort of flow tracking for ~30s for UDP flows
> > > associated with tuples originating on the client for remote port 443. 443
> > > will cover the vast majority of Internet cases, as QUIC is only being used
> > > at scale for HTTP/3.
> >
> > Hej, Matt. Thanks. That's a solution that occurred to me, but it means a
> > ton of dynamic rules will get instantiated for ephemeral DNS lookups – 3
> > seconds is a very long time for a conversation with a DNS server, because
> > it has probably recursed from the root zone all the way to the A record in
> > a fraction of that time.  30 seconds is forever – well, since UDP doesn't
> > have an analogue to a FIN or RST, the rule doesn't go away when the
> > conversation does.
>
> Is it not possible to do the dynamic rule instantiation for select UDP
> ports, i.e. 443? That may cause issues if DNS-over-HTTP/3 becomes a
> thing, but at least for now it would exclude DNS.
>
> > I'll get some metrics on it. Thanks again.
> >
> > --
> >
> > "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> > wiser, but an intelligent person requires only two thousand five hundred."
> >
> > - The Mahābhārata
>
> Matt Joras


-- 

"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
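The split the thread converges on (stateless rules for the firewall's own DNS and NTP, a keep-state rule only for client UDP to remote port 443, and the global UDP dynamic-rule lifetime raised to cover QUIC) as an added ipfw example; this is not code from the thread, and the interface name, addresses, rule numbers and the 30 s lifetime are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw fragment for the DNS/NTP vs. QUIC
# split. Stateless rules carry the firewall's own DNS and NTP; keep-state is used
# only for client UDP to remote port 443. All names/addresses are assumed.
OUTSIDE_IF="${OUTSIDE_IF:-em0}"          # assumed uplink interface
FW_IP="${FW_IP:-192.0.2.1}"              # assumed firewall address (TEST-NET-1)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed inside network
QUIC_LIFETIME="${QUIC_LIFETIME:-30}"     # seconds; applies to ALL UDP dynamic rules

# Emit the rules as text so they can be reviewed before being applied.
quic_ruleset() {
    cat <<EOF
add 1000 check-state
add 1100 allow udp from $FW_IP to any 53 out via $OUTSIDE_IF
add 1110 allow udp from any 53 to $FW_IP in via $OUTSIDE_IF
add 1120 allow udp from $FW_IP 123 to any 123 out via $OUTSIDE_IF
add 1130 allow udp from any 123 to $FW_IP 123 in via $OUTSIDE_IF
add 1200 allow udp from $LAN_NET to any 443 out via $OUTSIDE_IF keep-state
add 1900 deny log udp from any to any in via $OUTSIDE_IF
EOF
}
# Caveat on 1110/1130: any inbound datagram with source port 53 or 123 reaches
# the firewall; as the thread notes, this relies on the resolver and ntpd
# ignoring queries from strangers. Only rule 1200 creates dynamic state.

# How many rules create dynamic state; the point of the split is that only
# the QUIC rule does, so DNS and NTP never consume the 30 s lifetime.
dynamic_rule_count() {
    quic_ruleset | grep -c 'keep-state'
}

# The UDP dynamic-rule lifetime is a single global sysctl in ipfw, which is
# why DNS and NTP are kept stateless above rather than given a shorter timer.
apply_ruleset() {
    sysctl net.inet.ip.fw.dyn_udp_lifetime="$QUIC_LIFETIME"
    quic_ruleset | while read -r rule; do
        [ -n "$rule" ] && ipfw -q $rule   # intentional word splitting
    done
}

# Only touch the running firewall when explicitly asked.
if [ "${APPLY_RULES:-no}" = yes ]; then apply_ruleset; fi
```

Run with `APPLY_RULES=yes` as root on the firewall to apply; without it the script only defines the functions so the ruleset can be inspected with `quic_ruleset`.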

