On Friday 06 February 2015 at 22:54:54 (EU time), Luis Miguel Silva wrote:

> As I started playing around with transparent ssl proxying, I learned that
> Chrome uses an alternate communication (UDP based) protocol called QUIC.

I'd never heard of QUIC, and http://en.wikipedia.org/wiki/QUIC doesn't seem to give much technical information on how it works; however, it certainly confirms that it's based on UDP.

> The problem is that, although the rules seem to successfully be triggered,
> the only way I can successfully BLOCK QUIC traffic and make the browser
> fall back to HTTP/HTTPS is by setting a default FORWARD policy to DROP:
> *iptables -P FORWARD DROP*

Er, why is that not your standard setup? Allow what you know you want, drop the rest - that's standard security practice.

If you do set the default forward policy to drop, what problems does this create?

> So my question is: *how can I completely block QUIC so I can guarantee my
> traffic will always be redirected to Squid?*

1. See above :)

2. What UDP traffic do you want to permit, except port 53 to your (quite possibly local) DNS servers? Maybe you're using VoIP, with its associated RTSP traffic, but that's generally in the port range 20000-30000 or even higher, and will also be coming from quite specific devices (telephones), and usually also to quite specific destinations (SIP proxies). Therefore just block all UDP traffic which isn't known to be required.

Incidentally, as a general comment I would repeat the last sentence above without the qualifier "UDP" :)

Regards,

Antony.

-- 
Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer

Please reply to the list; please *don't* CC me.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
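The forward-chain policy Antony describes (default FORWARD DROP, permit only the traffic you know you need, such as UDP 53 to your resolver, so Chrome's QUIC attempts on UDP are discarded and it falls back to TCP for the Squid redirect), written out as an added example that is not part of the original thread. The interface names, the resolver address and the log prefix are placeholders chosen for this example; pass `echo` as the first argument to review the rules without applying them.

```shell
#!/bin/sh
# Added example, not from the squid-users thread: "allow what you know you
# want, drop the rest" for the FORWARD chain of a transparent-proxy gateway.
# Assumed topology (constructed): clients behind $LAN_IF, upstream on $WAN_IF,
# and $DNS_SERVER (documentation-range placeholder) is the only UDP target.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"

# $1 is the iptables command to use; "echo" turns this into a dry run.
apply_forward_policy() {
    ipt="${1:-iptables}"

    # Default deny: anything not explicitly accepted below is dropped,
    # which is exactly what made QUIC fall back to TCP in the original post.
    "$ipt" -P FORWARD DROP
    "$ipt" -F FORWARD

    # Replies belonging to flows the LAN already opened.
    "$ipt" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The only UDP we knowingly need: DNS queries to our own resolver.
    "$ipt" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p udp --dport 53 -d "$DNS_SERVER" -j ACCEPT

    # Web traffic on TCP 80/443; this is what the nat PREROUTING redirect
    # to Squid handles, so it must be allowed to pass the FORWARD chain.
    "$ipt" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT

    # Rate-limited log of any other UDP from the LAN, so QUIC attempts
    # (and anything else unexpected) are visible in syslog before the
    # default policy discards them. No explicit DROP rule is needed.
    "$ipt" -A FORWARD -i "$LAN_IF" -p udp -m limit --limit 5/min -j LOG --log-prefix "FWD-UDP-DROP: "
}

# Sanity check: number of UDP-specific rules in the generated policy.
count_udp_rules() {
    apply_forward_policy echo | grep -c -- '-p udp'
}

case "${1:-}" in
    --apply) apply_forward_policy iptables ;;   # really install the rules
    *)       apply_forward_policy echo ;;       # default: print them for review
esac
```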