[squid-users] Blocking Chrome and QUIC

Luis Miguel Silva luismiguelferreirasilva at gmail.com
Sat Feb 7 04:41:13 UTC 2015


Antony,

*Comments inline!*

Thanks,
Luis

On Fri, Feb 6, 2015 at 3:58 PM, Antony Stone <
Antony.Stone at squid.open.source.it> wrote:

> On Friday 06 February 2015 at 22:54:54 (EU time), Luis Miguel Silva wrote:
>
> > As I started playing around with transparent ssl proxying, I learned that
> > Chrome uses an alternate communication (UDP based) protocol called QUIC.
>
> I'd never heard of QUIC, and http://en.wikipedia.org/wiki/QUIC doesn't
> seem to give much technical information on how it works, however it
> certainly confirms that it's based on UDP.
>
> > The problem is that, although the rules seem to successfully be
> > triggered, the only way I can successfully BLOCK QUIC traffic and make
> > the browser fallback to HTTP/HTTPS is by setting a default FORWARD
> > policy to DROP:
> > *iptables -P FORWARD DROP*
>
> Er, why is that not your standard setup?
>
> Allow what you know you want, drop the rest - that's standard security
> practice.
>
> If you do set the default forward policy to drop, what problems does this
> create?
>
*This is supposed to be a generic solution, whose main intent is to filter
http/https content (not to block "all other traffic").*
*If I block all traffic by default, things will stop working, so all I want
to block is whatever NEEDS to be blocked :o)*


>
> > So my question is: *how can I completely block QUIC so I can guarantee my
> > traffic will always be redirected to Squid?*
>
> 1. See above :)
>
*Unfortunately, not an acceptable solution :o(*

>
> 2. What UDP traffic do you want to permit, except port 53 to your (quite
> possibly local) DNS servers?
>
*Games, voip, etc...*

>
> Maybe you're using VoIP, with its associated RTSP traffic, but that's
> generally in the port range 20000-30000 or even higher, and will also be
> coming from quite specific devices (telephones), and usually also to
> quite specific destinations (SIP proxies).
>
> Therefore just block all UDP traffic which isn't known to be required.
>
*I would really rather not. I just want to figure out what ports QUIC
uses :o)*
*Unfortunately, the more I talk with people, the more I'm finding out that
most people don't have any idea what QUIC is (I know I didn't about 3 days
ago heheh).*

*I might just head on to the Chromium google group and ask there! (I just
posted here cause I was sure someone else had experienced the same problem
I am experiencing while doing transparent proxying).*

*Thanks,*
*Luis*

>
>
> Incidentally, as a general comment I would repeat the last sentence above
> without the qualifier "UDP" :)
>
>
> Regards,
>
>
> Antony.
>
> --
> Anyone that's normal doesn't really achieve much.
>
>  - Mark Blair, Australian rocket engineer
>
> Please reply to the list; please *don't* CC me.
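Added example, not from either poster: a dry-run generator for the two iptables approaches discussed above, so the rule sets can be compared before anything is applied. It assumes a Linux gateway that already REDIRECTs TCP 80/443 into Squid, and uses placeholder interface, subnet and resolver values. It also relies on one fact the thread leaves open: QUIC is carried over UDP to port 443 (early Google deployments also advertised UDP 80), so silently dropping forwarded UDP to those ports is enough to make Chrome fall back to TCP, which the existing redirect then hands to Squid.

```shell
#!/bin/sh
# Added example (not the original poster's or Antony's code).
# Assumed values; override from the environment.
LAN_IF="${LAN_IF:-eth1}"                    # LAN-facing interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # client subnet (assumed)
DNS_SERVERS="${DNS_SERVERS:-192.168.1.1}"   # resolver(s) clients may reach

# Approach 1 (what the original poster asked for): block only QUIC and
# leave the FORWARD policy alone. Port 80 is included for old QUIC
# advertisements; DROP (not REJECT) is what the poster saw trigger fallback.
quic_block_rules() {
    for port in 443 80; do
        printf 'iptables -A FORWARD -i %s -s %s -p udp --dport %s -j DROP\n' \
            "$LAN_IF" "$LAN_NET" "$port"
    done
}

# Approach 2 (Antony's suggestion): default-deny FORWARD plus an allowlist.
# The 20000-30000 RTP range is the one named in the thread; adjust it to
# what your phones actually use.
default_deny_rules() {
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A FORWARD -i %s -s %s -p tcp -m multiport --dports 80,443 -j ACCEPT\n' \
        "$LAN_IF" "$LAN_NET"
    for dns in $DNS_SERVERS; do
        printf 'iptables -A FORWARD -i %s -s %s -p udp -d %s --dport 53 -j ACCEPT\n' \
            "$LAN_IF" "$LAN_NET" "$dns"
    done
    printf 'iptables -A FORWARD -i %s -s %s -p udp --dport 20000:30000 -j ACCEPT\n' \
        "$LAN_IF" "$LAN_NET"
    # Log whatever falls through to the DROP policy so new UDP needs show up.
    printf 'iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "\n'
}

# Sanity check: count ACCEPT rules that would let UDP/443 (QUIC) out of the
# LAN. 0 means Chrome has no QUIC path and must fall back to TCP.
quic_allowed_count() {
    "$1" | grep -c -- '-p udp .*--dport 443 -j ACCEPT' || true
}

# apply_rules <rule-function>: prints the commands unless DRY_RUN=0, in
# which case each line is executed (needs root).
apply_rules() {
    "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
    done
}

# Usage: DRY_RUN=1 apply_rules quic_block_rules   (or default_deny_rules)
```

After applying either set, the useful confirmation is on the Squid side: hosts that previously never appeared in access.log over port 443 (Google properties, for a QUIC-capable Chrome) should start showing up there, because the browser has fallen back to TCP. If they do not, check that the clients' traffic actually traverses FORWARD on this box and is not bypassing it via another route.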