Yesterday my home office logs started screaming at me - something was trying to establish outbound connections on ports 80 and 443, which doesn't seem too alarming, but this was UDP and of course I didn't capture the dropped outbound packets.
That soon changed and I had some packets, and Wireshark revealed a signature of sorts, "CHLO PAD SNI VER CCS UAID", which with the help of DuckDuckGo led me to QUIC - "Quick UDP Internet Connections". This is a new protocol being developed with a lot of Google support, and the client code is in Chrome, which makes sense considering the Android origin of the traffic.
So supposedly benign traffic.
Now the challenge:
I would like to intelligently allow QUIC through my iptables-based firewall. Is it simply a matter of
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
or is there more to it?
Anybody else done QUIC firewalling?
Nov 10th 2014
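
Added example, not part of the original post: a triage check that decides whether a dropped UDP payload carries the "CHLO PAD SNI VER CCS UAID" signature described above and, if so, extracts the server name it was headed for. It assumes the legacy Google QUIC handshake layout (4-byte message tag, little-endian uint16 entry count, uint16 padding, then tag/end-offset pairs followed by the values); the function names and the sample payload are constructed for illustration.

```python
import struct

# Handshake tags from the Wireshark capture in the post; short tags are NUL-padded to 4 bytes.
EXPECTED = {b"PAD\x00", b"SNI\x00", b"VER\x00", b"CCS\x00", b"UAID"}

def parse_chlo(payload):
    """Return {tag: value} for a client hello found in a UDP payload, else None."""
    start = payload.find(b"CHLO")
    if start < 0 or len(payload) < start + 8:
        return None
    count, _padding = struct.unpack_from("<HH", payload, start + 4)
    index = start + 8            # (tag, end offset) pairs start here
    data = index + 8 * count     # values follow the index
    if not 0 < count <= 128 or data > len(payload):
        return None
    tags, prev = {}, 0
    for i in range(count):
        tag, end = struct.unpack_from("<4sI", payload, index + 8 * i)
        if end < prev or data + end > len(payload):
            return None          # offsets must be ascending and inside the packet
        tags[tag] = payload[data + prev:data + end]
        prev = end
    return tags

def looks_like_quic_chlo(payload):
    """True when the payload carries a CHLO with at least three of the expected tags."""
    tags = parse_chlo(payload)
    return tags is not None and len(EXPECTED.intersection(tags)) >= 3

def build_sample():
    """Constructed payload: dummy header bytes followed by a CHLO tag/value map."""
    values = [(b"PAD\x00", b"-" * 16), (b"SNI\x00", b"www.example.com"),
              (b"VER\x00", b"Q000"), (b"CCS\x00", b"\x01" * 8),
              (b"UAID", b"constructed-agent")]
    index, blob = b"", b""
    for tag, value in values:
        blob += value
        index += struct.pack("<4sI", tag, len(blob))
    return b"\x0d" + b"\x00" * 12 + b"CHLO" + struct.pack("<HH", len(values), 0) + index + blob

if __name__ == "__main__":
    sample = build_sample()
    print(looks_like_quic_chlo(sample), parse_chlo(sample)[b"SNI\x00"])
```

A capture truncated by a short snap length fails the bounds checks and is reported as no match, so full-size captures are needed for this check.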