Firewall Rules - Blocking QUIC #471
Replies: 5 comments
It looks like the rule works... since all QUIC connections cannot complete the handshake.
I stand corrected... those packets shouldn't have been there, and today I am seeing QUIC reroute and make the connection to Akamai directly.
Had to write a rule blocking outbound UDP on port 443.
Maybe?
block out log quick from any to {mask-api.icloud.com, mask.icloud.com, mask-h2.icloud.com, mask.apple-dns.net}
This is the 2nd time the above rule doesn't work... on reboot, if no DNS resolution can be made for these addresses, pf won't load your ruleset, even if these addresses are in a table.
I also found the rule `antispoof log for self` really useful. It covers all adapters, but it requires that you pass in from 127.0.0.0 explicitly, which you already do.
Hi,
I was wondering if this would be a good idea:
#block QUIC protocol
block log quick proto 253 from any to any
If this works, it might align with the rules to block QUIC from the MDM side as well.
I recently pcap'ed QUIC traffic on my machine that wasn't going to Apple servers. It made me look into blocking QUIC at the protocol level, hoping it would block QUIC for all applications/uses.
I
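As an added example, not from anyone in this thread, here is a small Python check for the pcap approach above: QUIC runs over UDP (normally to port 443), and its Initial and Handshake packets carry a long header with a version field, so counting those in a capture tells you whether a block is actually stopping handshakes rather than just some flows. The function names, addresses and packet bytes are constructed for illustration.

```python
import struct

QUIC_V1 = 0x00000001
LONG_PACKET_TYPES = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}

def parse_quic_long_header(payload: bytes):
    """Parse a QUIC long header (RFC 9000 section 17.2) from a UDP payload; return
    version, packet type and connection IDs, or None for DNS, 1-RTT short headers, etc."""
    if len(payload) < 7 or not payload[0] & 0x80:      # Header Form bit must be 1
        return None
    first = payload[0]
    version = struct.unpack_from("!I", payload, 1)[0]
    dcid_len = payload[5]
    dcid = payload[6:6 + dcid_len]
    scid_off = 6 + dcid_len
    if len(payload) <= scid_off:
        return None
    scid_len = payload[scid_off]
    scid = payload[scid_off + 1:scid_off + 1 + scid_len]
    if len(dcid) != dcid_len or len(scid) != scid_len:  # truncated datagram
        return None
    if version == 0:                                    # Version Negotiation packet
        ptype = "VersionNegotiation"
    elif version == QUIC_V1:
        # In v1 the Fixed Bit must be set and connection IDs are at most 20 bytes
        if not first & 0x40 or dcid_len > 20 or scid_len > 20:
            return None
        ptype = LONG_PACKET_TYPES[(first & 0x30) >> 4]
    else:
        ptype = "UnknownVersion"
    return {"version": version, "type": ptype, "dcid": dcid.hex(), "scid": scid.hex()}

def quic_handshake_datagrams(datagrams):
    """Filter (dst_host, dst_port, payload) tuples down to those carrying a QUIC
    Initial or Handshake packet, i.e. the ones a UDP/443 block should stop."""
    hits = []
    for host, port, payload in datagrams:
        hdr = parse_quic_long_header(payload)
        if hdr and hdr["type"] in ("Initial", "Handshake"):
            hits.append((host, port, hdr["type"], hdr["dcid"]))
    return hits

# Constructed sample datagrams, not captured traffic: a QUIC v1 Initial to UDP/443 with
# an 8-byte DCID, a DNS query to UDP/53, and a QUIC 1-RTT short-header packet (no version).
SAMPLE_DATAGRAMS = [
    ("203.0.113.10", 443, b"\xc3\x00\x00\x00\x01\x08\x01\x02\x03\x04\x05\x06\x07\x08\x00\x00\x41\x00" + b"\x00" * 16),
    ("192.0.2.53", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
    ("203.0.113.10", 443, b"\x41\x01\x02\x03\x04\x05\x06\x07\x08" + b"\x00" * 16),
]
```

Feed it the UDP payloads from a capture taken after loading the ruleset: if Initials keep appearing but no Handshake packets or server replies do, the block is working.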