<div dir="ltr">Antony,<div><br></div><div><b>Comments inline!</b></div><div><br></div><div>Thanks,</div><div>Luis</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 6, 2015 at 3:58 PM, Antony Stone <span dir="ltr"><<a href="mailto:Antony.Stone@squid.open.source.it" target="_blank">Antony.Stone@squid.open.source.it</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Friday 06 February 2015 at 22:54:54 (EU time), Luis Miguel Silva wrote:<br>
<br>
> As I started playing around with transparent ssl proxying, I learned that<br>
> Chrome uses an alternate communication (UDP based) protocol called QUIC.<br>
<br>
I'd never heard of QUIC, and <a href="http://en.wikipedia.org/wiki/QUIC" target="_blank">http://en.wikipedia.org/wiki/QUIC</a> doesn't seem to<br>
give much technical information on how it works, however it certainly confirms<br>
that it's based on UDP.<br>
<br>
> The problem is that, although the rules seem to successfully be triggered,<br>
> the only way I can successfully BLOCK QUIC traffic and make the browser<br>
> fallback to HTTP/HTTPS is by setting a default FORWARD policy to DROP:<br>
> *iptables -P FORWARD DROP*<br>
<br>
Er, why is that not your standard setup?<br>
<br>
Allow what you know you want, drop the rest - that's standard security<br>
practice.<br>
<br>
If you do set the default forward policy to drop, what problems does this<br>
create?<br></blockquote><div><b>This is supposed to be a generic solution, whose main intent is to filter http/https content (not to block "all other traffic").</b></div><div><b>If I block all traffic by default, things will stop working, so all I want to block is whatever NEEDS to be blocked :o)</b></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
> So my question is: *how can I completely block QUIC so I can guarantee my<br>
> traffic will always be redirected to Squid?*<br>
<br>
1. See above :)<br></blockquote><div><b>Unfortunately, not an acceptable solution :o(</b> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
2. What UDP traffic do you want to permit, except port 53 to your (quite<br>
possibly local) DNS servers?<br></blockquote><div><b>Games, voip, etc...</b> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Maybe you're using VoIP, with its associated RTSP traffic, but that's generally<br>
in the port range 20000-30000 or even higher, and will also be coming from<br>
quite specific devices (telephones), and usually also to quite specific<br>
destinations (SIP proxies).<br>
<br>
Therefore just block all UDP traffic which isn't known to be required.<br></blockquote><div><b>I would really rather not. I just want to figure out what ports does QUIC use :o)</b></div><div><b>Unfortunately, the more I talk with people, the more I'm finding out that most people don't have any idea what QUIC is (I now I didn't about 3 days ago heheh).</b> </div><div><br></div><div><b>I might just head on to the Chromium google group and ask there! (I just posted here cause I was sure someone else had experienced the same problem I am experiencing while doing transparent proxying).</b></div><div><b><br></b></div><div><b>Thanks,</b></div><div><b>Luis</b></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<br>
Incidentally, as a general comment I would repeat the last sentence above<br>
without the qualifier "UDP" :)<br>
<br>
<br>
Regards,<br>
<br>
<br>
Antony.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Anyone that's normal doesn't really achieve much.<br>
<br>
- Mark Blair, Australian rocket engineer<br>
<br>
Please reply to the list;<br>
please *don't* CC me.<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</font></span></blockquote></div><br></div></div>