Antony,
Comments inline!
Thanks,
Luis
On Fri, Feb 6, 2015 at 3:58 PM, Antony Stone <Antony.Stone@xxxxxxxxxxxxxxxxxxxx> wrote:
On Friday 06 February 2015 at 22:54:54 (EU time), Luis Miguel Silva wrote:
> As I started playing around with transparent ssl proxying, I learned that
> Chrome uses an alternate communication (UDP based) protocol called QUIC.
I'd never heard of QUIC, and http://en.wikipedia.org/wiki/QUIC doesn't seem to
give much technical information on how it works, however it certainly confirms
that it's based on UDP.
> The problem is that, although the rules seem to successfully be triggered,
> the only way I can successfully BLOCK QUIC traffic and make the browser
> fallback to HTTP/HTTPS is by setting a default FORWARD policy to DROP:
> *iptables -P FORWARD DROP*
Er, why is that not your standard setup?
Allow what you know you want, drop the rest - that's standard security
practice.
If you do set the default forward policy to drop, what problems does this
create?
This is supposed to be a generic solution, whose main intent is to filter http/https content (not to block "all other traffic").
If I block all traffic by default, things will stop working, so all I want to block is whatever NEEDS to be blocked :o)
> So my question is: *how can I completely block QUIC so I can guarantee my
> traffic will always be redirected to Squid?*
1. See above :)
Unfortunately, not an acceptable solution :o(
2. What UDP traffic do you want to permit, except port 53 to your (quite
possibly local) DNS servers?
Games, voip, etc...
Maybe you're using VoIP, with its associated RTSP traffic, but that's generally
in the port range 20000-30000 or even higher, and will also be coming from
quite specific devices (telephones), and usually also to quite specific
destinations (SIP proxies).
Therefore just block all UDP traffic which isn't known to be required.
I would really rather not. I just want to figure out what ports QUIC uses :o)
Unfortunately, the more I talk with people, the more I'm finding out that most people don't have any idea what QUIC is (I know I didn't about 3 days ago, heheh).
I might just head on to the Chromium Google group and ask there! (I just posted here because I was sure someone else had experienced the same problem I am experiencing while doing transparent proxying.)
Thanks,
Luis
Incidentally, as a general comment I would repeat the last sentence above
without the qualifier "UDP" :)
Regards,
Antony.
--
Anyone that's normal doesn't really achieve much.
- Mark Blair, Australian rocket engineer
Please reply to the list;
please *don't* CC me.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
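An added example of the "allow what you need, block the rest" approach from this thread, narrowed to the QUIC ports so the rest of UDP (DNS, VoIP, games) keeps working, placed next to the transparent-proxy redirect. This is not code from the thread or from Squid; it assumes a Linux gateway forwarding for a LAN interface named eth1 and Squid intercept ports 3128 (http) and 3129 (https, ssl-bump), all hypothetical, and relies on QUIC using UDP 443 (and UDP 80 in older Chrome builds).

```shell
#!/bin/sh
# Added example, not from the squid-users thread or the Squid project.
# Goal: make Chrome's QUIC attempts fail so it falls back to TCP 80/443,
# which the transparent Squid redirect below then intercepts.
LAN_IF="${LAN_IF:-eth1}"            # assumption: LAN-facing interface
HTTP_PORT="${HTTP_PORT:-3128}"      # assumption: squid http_port ... intercept
HTTPS_PORT="${HTTPS_PORT:-3129}"    # assumption: squid https_port ... intercept ssl-bump
DRY_RUN="${DRY_RUN:-1}"             # 1 = print the rules, 0 = apply them (needs root)

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# QUIC runs over UDP 443 (older Chrome builds also tried UDP 80).
# REJECT instead of DROP: the ICMP port-unreachable lets the browser give up on
# UDP right away instead of waiting out a timeout before retrying over TCP.
quic_block_rules() {
    ipt -A FORWARD -i "$LAN_IF" -p udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
    ipt -A FORWARD -i "$LAN_IF" -p udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
}

# Transparent redirect of the TCP fallback into Squid. Only these two ports are
# touched; everything else is left to the existing FORWARD policy.
squid_redirect_rules() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$HTTP_PORT"
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 443 -j REDIRECT --to-ports "$HTTPS_PORT"
}

# Order matters: the QUIC rejects must precede any broad UDP ACCEPT in FORWARD.
quic_block_rules
squid_redirect_rules
```

Run with DRY_RUN=0 as root to apply; check hits afterwards with `iptables -L FORWARD -v -n`, where the REJECT counters should rise as QUIC clients are turned away.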