How to support QUIC with ipfw

Matt Joras mjoras at freebsd.org
Sun Apr 11 21:20:41 UTC 2021


Hi Michael,

On Sun, Apr 11, 2021, 1:25 PM Michael Sierchio <kudzu at tenebras.com> wrote:

> Hi, all.  I noticed my firewall was dropping what seemed to be unsolicited
> UDP connections from Google and Facebook, but this turned out to be QUIC
> traffic. The traffic can be initiated by the browser (or other supporting
> software) or the server.  The problem is that dynamic rules generally don't
> cut it – UDP traffic here is predominantly NTP and DNS, and the dynamic
> rule lifetime for UDP is very short (3-6 s).  And of course they don't work
> at all for traffic initiated by the server side.
>

QUIC connections aren't initiated by the server. The browser is initiating
these connections. I'm not an ipfw user, but the best generic firewall
strategy would be to have some sort of flow tracking for ~30s for UDP flows
associated with tuples originating on the client for remote port 443. 443
will cover the vast majority of Internet cases, as QUIC is only being used
at scale for HTTP/3.


> My kludgy solution at present is to troll the dynamic rules, locate the TCP
> connections in them with 443 and 5228 as the target port, and add those
> addresses to a table that permits UDP traffic from those ports.  I only see
> QUIC on IPv6, by the way.  The cron job runs once per minute, adds the
> addresses seen, and deletes those older than N seconds.  I use time_t
> seconds since epoch as the table arg, so I know when it was added or
> refreshed.
>
> Any suggestions on a better solution?
>
> Thanks.
>
> – M
>
> --
>
> "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent person requires only two thousand five hundred."
>
> - The Mahābhārata

Matt Joras
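As an added illustration (not code from either poster), the script below sketches both approaches from the thread in a dry-run form: the ipfw rules that correspond to Matt's "track client-originated UDP/443 flows for ~30s" suggestion, and a testable version of the cron job Michael describes (harvest remote addresses of TCP states to ports 443/5228 from the dynamic-rule list, store them in a table with the epoch time as the value, and expire entries older than N seconds). It assumes a named table `quic` created with `ipfw table quic create type addr`, and the `ipfw -d list` and `ipfw table ... list` output formats shown in the constructed samples are assumptions about FreeBSD's layout; every ipfw command is printed rather than executed, so the script runs on any POSIX shell.

```shell
#!/bin/sh
# Added example for the freebsd-ipfw thread; not part of either message.
# Nothing here touches the firewall: commands are emitted as text.

# Constructed sample of `ipfw -d list` output. Assumed layout:
# <rule> <pkts> <bytes> (<ttl>s) STATE <proto> <src> <sport> <-> <dst> <dport> :<set>
SAMPLE_DYN='00100 12 3456 (280s) STATE tcp 2001:db8::10 51234 <-> 2001:db8:1::443 443 :default
00100 3 512 (5s) STATE udp 2001:db8::10 40001 <-> 2001:db8:2::53 53 :default
00100 9 1024 (299s) STATE tcp 2001:db8::10 51235 <-> 2001:db8:3::1 5228 :default
00100 2 300 (10s) STATE tcp 2001:db8::10 51236 <-> 2001:db8:4::1 22 :default'

# Constructed sample of `ipfw table quic list`, where the value is the
# time_t at which the entry was added/refreshed (Michael's scheme).
SAMPLE_TABLE='2001:db8:1::443/128 1618174841
2001:db8:9::9/128 1618174000'

# Matt's suggestion expressed as ipfw rules: let client-originated UDP/443
# flows create dynamic state, and lengthen the UDP state lifetime from the
# default so idle QUIC connections are not dropped after a few seconds.
quic_state_rules() {
    cat <<'EOF'
sysctl net.inet.ip.fw.dyn_udp_lifetime=30
ipfw add 1000 check-state
ipfw add 1010 allow udp from me to any 443 out keep-state
EOF
}

# Remote addresses of TCP states whose remote port is 443 or 5228
# (argument: the text of `ipfw -d list`).
quic_peers() {
    printf '%s\n' "$1" |
        awk '$5 == "STATE" && $6 == "tcp" && ($11 == 443 || $11 == 5228) { print $10 }'
}

# Table entries whose stored epoch is older than $3 seconds as of $2
# (argument 1: the text of `ipfw table quic list`).
expired_entries() {
    printf '%s\n' "$1" |
        awk -v now="$2" -v max="$3" '(now - $2) > max { print $1 }'
}

# One cron pass: refresh current peers (value = now), delete stale ones.
# `-q` keeps an already-present entry from aborting the pass.
refresh_commands() {
    dyn=$1; table=$2; now=$3; max_age=$4
    for addr in $(quic_peers "$dyn"); do
        echo "ipfw -q table quic add $addr $now"
    done
    for addr in $(expired_entries "$table" "$now" "$max_age"); do
        echo "ipfw table quic delete $addr"
    done
}

# Rule that consumes the table: permit UDP from the harvested peers' ports.
table_rule() {
    echo "ipfw add 1030 allow udp from 'table(quic)' 443,5228 to me in"
}

# Demonstration run with the constructed samples (now = 1618174900, N = 300s).
quic_state_rules
refresh_commands "$SAMPLE_DYN" "$SAMPLE_TABLE" 1618174900 300
table_rule
```

With the samples above, the pass refreshes the two TCP peers seen on ports 443 and 5228, skips the SSH and DNS states, and deletes the one table entry whose timestamp is more than 300 seconds old. In production the two sample variables would be replaced by `$(ipfw -d list)` and `$(ipfw table quic list)`, `now` by `$(date +%s)`, and the `echo`s by the commands themselves.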