[squid-users] Blocking Chrome and QUIC

Antony Stone Antony.Stone at squid.open.source.it
Fri Feb 6 22:58:58 UTC 2015


On Friday 06 February 2015 at 22:54:54 (EU time), Luis Miguel Silva wrote:

> As I started playing around with transparent ssl proxying, I learned that
> Chrome uses an alternate communication (UDP based) protocol called QUIC.

I'd never heard of QUIC, and http://en.wikipedia.org/wiki/QUIC doesn't seem to 
give much technical information on how it works, however it certainly confirms 
that it's based on UDP.

> The problem is that, although the rules seem to successfully be triggered,
> the only way I can successfully BLOCK QUIC traffic and make the browser
> fallback to HTTP/HTTPS is by setting a default FORWARD policy to DROP:
> *iptables -P FORWARD DROP*

Er, why is that not your standard setup?

Allow what you know you want, drop the rest - that's standard security 
practice.

If you do set the default forward policy to drop, what problems does this 
create?

> So my question is: *how can I completely block QUIC so I can guarantee my
> traffic will always be redirected to Squid?*

1. See above :)

2. What UDP traffic do you want to permit, except port 53 to your (quite 
possibly local) DNS servers?

Maybe you're using VoIP, with its associated RTSP traffic, but that's generally 
in the port range 20000-30000 or even higher, and will also be coming from 
quite specific devices (telephones), and usually also to quite specific 
destinations (SIP proxies).

Therefore just block all UDP traffic which isn't known to be required.


Incidentally, as a general comment I would repeat the last sentence above 
without the qualifier "UDP" :)


Regards,


Antony.

-- 
Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer

Please reply to the list;
please *don't* CC me.
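The "allow what you know you want, drop the rest" policy the reply describes, written out as an iptables FORWARD ruleset. This is an added example, not code from the thread: it sets the default FORWARD policy to DROP, permits only established flows, UDP/53 to the resolvers the clients actually use, and TCP 80/443 from the LAN (which the usual Squid intercept rules then redirect), and logs the UDP/443 (QUIC) attempts that fall through so you can see the browser falling back to TCP. The interface names, LAN prefix and resolver addresses are placeholders, and the script prints the rules by default so they can be reviewed before `apply` runs them as root.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): default-deny FORWARD policy
# with a minimal UDP allow-list. Dropping everything not explicitly allowed is
# what stops Chrome's UDP/443 QUIC and makes it fall back to TCP 443, where the
# transparent Squid redirect can catch it.
#
# All of the following values are constructed placeholders; override via env.
LAN_IF="${LAN_IF:-eth1}"                        # interface facing the clients
LAN_NET="${LAN_NET:-192.168.1.0/24}"            # client network
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53 192.0.2.54}"  # resolvers the clients use

# forward_rules prints the iptables commands, one per line, so the ruleset can be
# read (or diffed against `iptables -S FORWARD`) before anything is applied.
forward_rules() {
    # Default deny for forwarded traffic; everything below is an explicit allow.
    printf '%s\n' "iptables -P FORWARD DROP"
    printf '%s\n' "iptables -F FORWARD"
    # Replies to flows that were already permitted.
    printf '%s\n' "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The only UDP the reply suggests most networks need: DNS to known resolvers.
    for dns in $DNS_SERVERS; do
        printf '%s\n' "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p udp -d $dns --dport 53 -j ACCEPT"
    done
    # Web traffic over TCP. The PREROUTING REDIRECT to Squid's intercept port is
    # separate; this only lets the (redirected or direct) TCP flows through.
    printf '%s\n' "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -j ACCEPT"
    # Make QUIC attempts visible before the default policy drops them (rate limited).
    printf '%s\n' "iptables -A FORWARD -i $LAN_IF -p udp --dport 443 -m limit --limit 5/min -j LOG --log-prefix \"QUIC-DROP: \""
    # Anything else that is forwarded hits the DROP policy.
}

# apply_rules runs the generated commands; needs root. Stops at the first failure.
# The commands are generated by this script, so eval on them is safe here.
apply_rules() {
    forward_rules | while IFS= read -r cmd; do
        eval "$cmd" || exit 1
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    forward_rules
fi
```

Run it without arguments to see the rules, `sh quic-forward.sh apply` as root to install them, then `iptables -L FORWARD -v -n` to watch the counters: the LOG line will show "QUIC-DROP:" entries in the kernel log while Chrome probes UDP/443, after which the TCP 443 counters (and Squid's access log) pick up the fallback. Anything else UDP your network genuinely needs (the VoIP case the reply mentions) gets its own narrow ACCEPT line above the LOG rule, with source and destination pinned to the specific devices.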

