[squid-users] Blocking Chrome and QUIC
Antony Stone
Antony.Stone at squid.open.source.it
Fri Feb 6 22:58:58 UTC 2015
On Friday 06 February 2015 at 22:54:54 (EU time), Luis Miguel Silva wrote:
> As I started playing around with transparent ssl proxying, I learned that
> Chrome uses an alternate communication (UDP based) protocol called QUIC.
I'd never heard of QUIC, and http://en.wikipedia.org/wiki/QUIC doesn't seem to
give much technical information on how it works, however it certainly confirms
that it's based on UDP.
> The problem is that, although the rules seem to successfully be triggered,
> the only way I can successfully BLOCK QUIC traffic and make the browser
> fallback to HTTP/HTTPS is by setting a default FORWARD policy to DROP:
> *iptables -P FORWARD DROP*
Er, why is that not your standard setup?
Allow what you know you want, drop the rest - that's standard security
practice.
If you do set the default forward policy to drop, what problems does this
create?
> So my question is: *how can I completely block QUIC so I can guarantee my
> traffic will always be redirected to Squid?*
1. See above :)
2. What UDP traffic do you want to permit, except port 53 to your (quite
possibly local) DNS servers?
Maybe you're using VoIP, with its associated RTSP traffic, but that's generally
in the port range 20000-30000 or even higher, and will also be coming from
quite specific devices (telephones), and usually also to quite specific
destinations (SIP proxies).
Therefore just block all UDP traffic which isn't known to be required.
Incidentally, as a general comment I would repeat the last sentence above
without the qualifier "UDP" :)
Regards,
Antony.
--
Anyone that's normal doesn't really achieve much.
- Mark Blair, Australian rocket engineer
Please reply to the list;
please *don't* CC me.
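One way to put the advice above into practice on a Linux gateway, as an added example that is not from the original thread: default FORWARD policy DROP, explicit permits only for what is known to be needed (DNS to named servers, web traffic redirected into Squid), and an explicit, logged drop for UDP/443 so QUIC attempts show up in the counters and Chrome falls back to TCP. Interface names, the LAN subnet, the DNS server address and the Squid ports are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not part of the squid-users thread. Prints the iptables
# policy for review by default; pass --apply (as root) to run it.
# Assumed values (override via the environment): interfaces, LAN subnet,
# DNS server(s), Squid's intercept ports.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DNS_SERVERS="${DNS_SERVERS:-192.168.1.1}"
SQUID_HTTP_PORT="${SQUID_HTTP_PORT:-3128}"    # http_port ... intercept
SQUID_HTTPS_PORT="${SQUID_HTTPS_PORT:-3129}"  # https_port ... intercept

# Emit the rules, one iptables command per line. Generating them as text
# keeps the policy reviewable before it touches a live firewall.
firewall_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # DNS: only to the resolvers clients are meant to use, UDP and TCP 53.
    # (If the resolver runs on the gateway itself this passes INPUT, not
    # FORWARD, and these two lines are simply unused.)
    for dns in $DNS_SERVERS; do
        echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -d $dns -p udp --dport 53 -j ACCEPT"
        echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -d $dns -p tcp --dport 53 -j ACCEPT"
    done
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_HTTP_PORT
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j REDIRECT --to-ports $SQUID_HTTPS_PORT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports $SQUID_HTTP_PORT,$SQUID_HTTPS_PORT -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p udp --dport 443 -j LOG --log-prefix "QUIC-DROP: " --log-level 4
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p udp --dport 443 -j DROP
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p udp -j DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -j DROP
EOF
}
# Notes on ordering: the nat PREROUTING REDIRECT runs before the filter
# FORWARD chain, so redirected web traffic never reaches FORWARD; it is
# delivered to Squid via INPUT, hence the INPUT accept. The UDP/443 DROP
# is redundant with the DROP policy but gives a dedicated counter
# (iptables -L FORWARD -v -n) that confirms QUIC is actually being hit.
# The final TCP DROP closes off direct (non-80/443) TCP that would bypass
# the proxy; add explicit ACCEPTs above it for anything else you need.

if [ "$1" = "--apply" ]; then
    firewall_rules | sh -e
else
    firewall_rules
fi
```

Run it without arguments first and read the output; then `sh quic-block.sh --apply` as root. After a client loads a Google property in Chrome, the packet counter on the `udp --dport 443` LOG/DROP rules should be non-zero and the kernel log should show `QUIC-DROP:` lines; Chrome then retries over TCP/443, which the REDIRECT hands to Squid's intercept port.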