Cloudflare:443 in fw log...
-
@johnpoz said in Cloudflare:443 in fw log...:
some other IP that is owned by cloudflare
Yes, it is a seemingly "random" Cloudflare IP... So it could be just about anything. Just now reading about Firefox's implementation of it. If I can turn it off to test, I'd know, else I guess it's a bit tricky?
-
@furom Yeah, it could just be going to www.somethingyouwantgoto.com using QUIC; you should be able to turn it off in Firefox.
That first link I posted should tell you if you're using QUIC to get there. Mine says it's not, just HTTP/3.
Are you using Firefox Nightly or Beta? I didn't think QUIC was part of normal Firefox as of yet.
-
@johnpoz No, just getting plain ol' HTTP/2, no fancy stuff here... :) And no, running FF stable. But then again, it may fail to negotiate HTTP/3 because of my blocking UDP/443... HTTP/3 is enabled in about:config at least.
-
@furom Then you really shouldn't be seeing UDP to 443.
So when you go to the test, what does it say, only HTTP/2?
If you call up the dev tools in Firefox and reload on the Network tab, what does it show you for protocol?
-
@furom said in Cloudflare:443 in fw log...:
because of my blocking UDP/443
Oh, you're blocking it at pfSense. Ah, OK. You're blocking it to any IP. I just block it to known DoH servers, which could be doing DoQ as well.
-
@johnpoz said in Cloudflare:443 in fw log...:
You're blocking it to any IP
Well, kind of. I haven't explicitly allowed UDP/443 either, so it gets blocked. :) I could try another browser and see what happens.
-
@furom said in Cloudflare:443 in fw log...:
I haven't explicitly allowed UDP/443 either, so it gets blocked
Ah, you're not using the default any/any rule on LAN; you just allow specific ports and protocols.
-
@johnpoz said in Cloudflare:443 in fw log...:
Ah, you're not using the default any/any rule on LAN; you just allow specific ports and protocols.
Yes, I thought I'd try that. But it is a really bumpy road... :) Turning off HTTP/3 in FF did seem to get rid of the UDP/443 blocks I had before, only to see a whole bunch of blocked TCP with all sorts of flags. Googling a bit, I found this post https://forum.netgate.com/topic/36362/log-shows-tcp-fa-tcp-fpa-blocked-from-lan, so I guess I should not dig too deep into those.
-
@furom Well, those sorts of things can point to asymmetrical. But a few now and then could just be because of loss of state on pfSense, and the client still trying to use the same session.
If you just did a switch of something and you see a few of those, I wouldn't worry too much. But if you continue to see them, and a lot of them, then yeah, I would look into why.
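A small triage script for the kinds of log entries discussed in this thread, added here as an example; it is not code from the thread or from pfSense. It assumes the pfSense 2.2+ raw filterlog CSV field order (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, the IPv4 header fields, length, addresses, ports, then TCP flags), the log lines are constructed, and the categories are the two johnpoz describes: UDP/443 blocks from a browser attempting HTTP/3, and non-SYN TCP blocks that point to a lost state or asymmetric routing rather than a real policy block.

```python
import csv
from collections import Counter

# Constructed sample filterlog lines (documentation IP ranges, not real hosts).
# Field positions follow the assumed pfSense 2.2+ IPv4 raw filter log layout.
SAMPLE_LOG = """\
5,,,1000000103,igb1,match,block,in,4,0x0,,64,12345,0,DF,17,udp,1250,192.168.1.50,198.51.100.7,51234,443,1230
5,,,1000000103,igb1,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,52,192.168.1.50,198.51.100.7,51235,443,0,FA,1,2,512,,
5,,,1000000103,igb1,match,block,in,4,0x0,,64,12347,0,DF,6,tcp,52,192.168.1.50,198.51.100.7,51236,443,0,FPA,1,2,512,,
5,,,1000000103,igb1,match,block,in,4,0x0,,64,12348,0,DF,6,tcp,60,192.168.1.50,203.0.113.9,51237,8443,0,S,1,,65535,,mss
"""

def parse_line(line):
    """Return the fields this triage needs from one IPv4 filterlog line, or None."""
    f = next(csv.reader([line]))
    if len(f) < 22 or f[8] != "4":
        return None  # IPv6 and truncated lines are out of scope for this example
    rec = {"action": f[6], "iface": f[4], "dir": f[7], "proto": f[16],
           "src": f[18], "dst": f[19], "sport": f[20], "dport": f[21]}
    # TCP flags sit after source port, destination port and data length
    rec["tcp_flags"] = f[23] if rec["proto"] == "tcp" and len(f) > 23 else ""
    return rec

def classify(rec):
    """Sort a blocked packet into the buckets discussed in the thread."""
    if rec["action"] != "block":
        return "pass"
    if rec["proto"] == "udp" and rec["dport"] == "443":
        # Browser probing HTTP/3 over QUIC; it falls back to TCP, so this is noise
        return "quic_http3"
    if rec["proto"] == "tcp" and "S" not in rec["tcp_flags"]:
        # FA/FPA/A without SYN: packet for a session pfSense no longer has a state
        # for. A few after a rule change is expected; a steady stream is worth
        # investigating for asymmetric routing.
        return "out_of_state"
    return "policy_block"  # a genuine new connection hitting a block rule

def summarize(log_text):
    """Count blocked entries per category over a block of raw log text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[classify(rec)] += 1
    return dict(counts)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Pipe the raw log (e.g. clog output of filter.log on pfSense, or the exported CSV) into summarize() to see whether the blocks are mostly HTTP/3 probes and stale states or real policy hits.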
-
@johnpoz said in Cloudflare:443 in fw log...:
But if you continue to see them, and a lot of them, then yeah, I would look into why.
They are already a lot less frequent, so I think you are right. I learn a lot here, thanks!
-
@johnpoz said in Cloudflare:443 in fw log...:
just personally block all traffic to 1.1.1.1
Floating rule, out WAN, quick, source any/any destination 1.1.1.1/any?
Thanks